Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Tuesday, 09 July 2019 / Published in Woo on Tech

Zoom to patch Mac client security weakness

Videoconferencing darling Zoom stirred up a pot of controversy earlier this week after it first disclosed and then defended an apparent security weakness in its OS X video conferencing client. According to the security researcher who discovered and reported the flaw back in March of this year, the Mac version of Zoom installs a local webserver on the computer that lets users quickly make and answer Zoom calls. Unfortunately, the main reason Zoom implemented it this way was that the Mac operating system’s built-in security restrictions were getting in the way of this quick-connect feature, a “benefit” which Windows users did not enjoy. On top of this, the local webserver remained in place even after the Zoom software was removed from the Mac, allowing for quick reinstallation in case the user needed to make or receive a Zoom call. Receiving a call this way could be exploited to gain unauthorized access to the Mac’s built-in camera.

Subverting security for convenience is always good practice, right?

Initially, Zoom defended its Mac client methodology and insisted that the changes it made to the Mac client’s settings should be sufficient to protect against any exploits of its software. The security researcher remained unconvinced that this was sufficient protection for Mac Zoom users and released his findings to the public alongside a proof-of-concept demonstration of a malicious Zoom invite attack. After about 24 hours of internet uproar over the vulnerability, Zoom reversed its position and has just released a patch that removes this feature and adds a new menu choice to do a full uninstall of the software, which removes the hidden webserver.

If you are using the Mac version of Zoom, you will want to update your software immediately if it hasn’t already prompted you to update. Windows users, for once, don’t need to do anything. Enjoy your small respite from the usual flood of security flaws.

© 2016 All rights reserved.