A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.

isight
The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

Update 2: Zoom is no longer taking a defensive stance and has now released a patch.

Tags: security, Zoom

Top Rated Comments

Unggoy Murderer Avatar
24 months ago

"legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
So they basically circumvented browser security mechanisms to solve a user experience "issue". That is absolutely not a legitimate excuse.
Score: 14 Votes (Like | Disagree)
Return Zero Avatar
24 months ago
When your key product differentiator is both internally and externally acknowledged as a workaround with major security risks, you have completely failed as a software company.
Score: 11 Votes (Like | Disagree)
MallardDuck Avatar
24 months ago
Let see:

Install hidden, insecure background server process
Fail to remove it on uninstall
Fail to disclose that you did so
Fail to patch it when notified
Defend your actions to work around security features to 'save users' one single click
Destroy your brand and confidence in your solution shortly after going public

Priceless.
Score: 8 Votes (Like | Disagree)
windywalks Avatar
24 months ago
OK, so Zoom is going on my "never use again" pile.
Their excuse is just pathetic and the fact that they had 3 months to fix it and chose not to is just unacceptable.
Score: 7 Votes (Like | Disagree)
orbital~debris Avatar
24 months ago
enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
More like enabling hackers to have “seamless, open-to-anyone webcam access” is their “key product differentiator”!
Score: 3 Votes (Like | Disagree)
rmt55 Avatar
24 months ago
I'm sorry... "simply uninstalling the app won't help" ??? In that case, how does one uninstall the localhost web server background process?
Score: 3 Votes (Like | Disagree)

Top Stories

apple watch ecg

Apple Watch Likely to Gain Blood Pressure, Blood Glucose, and Blood Alcohol Monitoring

Monday May 3, 2021 4:03 am PDT by
The Apple Watch may gain the ability to measure blood pressure, blood glucose, and blood alcohol levels, according to newly-revealed information about one of Apple's chosen business partners. Apple has been revealed to be the largest customer of the British electronics start-up Rockley Photonics, The Telegraph reports. Rockley Photonics has developed non-invasive optical sensors for...
airtags teardown tile mat galaxy smarttag

iFixit Shares AirTag Teardown Revealing 'Impressively Compact' Design Compared to Tile Mate and Galaxy SmartTag

Sunday May 2, 2021 4:54 am PDT by
iFixit has shared the first of its two-part series in tearing down Apple's AirTag item tracker, revealing that Apple had to make impressive design decisions to achieve its small design, including rethinking the speaker layout. For comparison, iFixit compared Apple's AirTag to the Tile Mate and the Samsung Galaxy SmartTag. Compared to the competition, AirTag is the smallest in size, with the...
facebook instargram updated att prompt 1

Facebook and Instagram Ask Users to Enable App Tracking in Order to Keep Services 'Free of Charge'

Sunday May 2, 2021 1:22 pm PDT by
As a way to convince users to enable tracking across other apps and websites, Facebook is deploying the tactic of telling users that they must enable tracking as part of the App Tracking Transparency framework in iOS 14.5 if they want to help keep Facebook and Instagram "free of charge." App Tracking Transparency or ATT is the newest privacy feature to come to iPhone and iPad devices as part ...
Flat 2021 MacBook Pro Mockup Feature 1

Mini-LED Display Production Improving for Redesigned MacBook Pro Models Later This Year

Monday May 3, 2021 8:33 am PDT by
Apple supplier TSMT, a key vendor involved in the production of mini-LED displays in the newly announced 12.9-inch iPad Pro, has been able to address technical challenges for the production of mini-LED displays to be used in the upcoming 14 and 16-inch redesigned MacBook Pro models. As reported by DigiTimes, TSMT had initially been facing production constraints with the circuit board and...
Foldable iPhone 2023 Feature Yellow

Kuo: Apple to Launch 8-Inch Foldable iPhone in 2023

Sunday May 2, 2021 8:43 pm PDT by
Apple is working to launch a foldable iPhone with an 8-inch QHD+ flexible OLED display in 2023, Apple analyst Ming-Chi Kuo said today in a note to investors that was seen by MacRumors. Based on our latest industry survey, we forecast that Apple will likely launch a foldable iPhone with an 8-inch QHD+ flexible OLED display in 2023, with SDC as the exclusive display supplier and Samsung Foundry...
iOS 14 on iPhone feature emergency

Apple Releases iOS and iPadOS 14.5.1 With Fixes for App Tracking Transparency Bug, WebKit Security Issues

Monday May 3, 2021 10:04 am PDT by
Apple today released iOS and iPadOS 14.5.1, minor security updates that come just a week after the release of the iOS 14.5 update. There is also a companion watchOS 7.4.1 update for Apple Watch and an iOS 12.5.3 update for older iPhone and iPad devices that don't support Apple's latest operating system versions. According to Apple's release notes, the update fixes a bug with App Tracking...
General Music and AirPod 3 Feature

Rumor: Apple to Announce Third-Generation AirPods and HiFi Apple Music Tier in 'Coming Weeks'

Saturday May 1, 2021 3:57 am PDT by
Citing sources within the music industry, Hits Double Daily reports that Apple is preparing to launch a new HiFi Apple Music tier in the "coming weeks," which will come alongside the release of the rumored third-generation AirPods. According to the report, the new tier, which will offer high-fidelity music streaming, will cost the same $9.99 monthly subscription as the current individual...
Top Stories 58 Feature 1

Top Stories: iOS 14.5 Released, AirTag Launch, New iMac and iPad Pro Pre-Orders

Saturday May 1, 2021 6:00 am PDT by
After nearly three months of beta testing, Apple this week finally released iOS 14.5, the company's biggest update since the iOS 14 launch last September. One of the main new features included in the update is support for AirTags, Apple's item trackers that also finally became available this week some two years after their existence first leaked. Apple this week also began taking orders for...
tile sticker e1570533758981

Tile CEO: 'We Welcome Competition From Apple, But We Think It Needs to Be Fair'

Tuesday May 4, 2021 9:51 am PDT by
Just after Apple announced its AirTags, Tile CEO CJ Prober relayed his concerns about competing with Apple in the tracking space, and said that Tile would ask Congress to investigate Apple's business practices specific to Find My and item trackers. Prober this week did an interview with Bloomberg, where he further expanded on Tile's complaints about Apple and why he feels that Tile is...
apple music album cover art

iOS 14.6 Beta 1 Code Hints at Upcoming HiFi Apple Music Support

Saturday May 1, 2021 10:41 am PDT by
Apple is laying the groundwork for adding HiFi support to Apple Music which would offer Apple Music subscribers and owners of compatible devices, such as certain models of AirPods, access to high-fidelity audio streaming, according to code within the iOS 14.6 beta discovered by MacRumors. Earlier today, a report claimed that Apple will announce a new $9.99 per month Apple Music tier that...