A recently unearthed security flaw in the Zoom video conferencing app allowed any website to access any ongoing video call on a Mac. This was made possible by a web server that Zoom installs on Macs.
Initially, the company defended the security flaw as a “legitimate solution to poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.” Later, the company backtracked and finally patched the flaw.
Zoom had detailed in a blog post how it would work on fixing the flaw. The company says that it will remove the local web server entirely once the Zoom client has been updated. Security researchers had raised concerns about how a third party could automatically activate a user's webcam with the help of a Zoom link. Because Zoom installs a local web server on the Mac, a web page can talk to the Zoom client directly, which essentially bypasses the security measures offered by the browser.
[Update] The July 9 patch to the Zoom app on Mac devices detailed earlier on our blog is now live. Details on the various fixes contained within it are explained, as well as how to update the Zoom software. See blog post here: https://t.co/56yDgoZf1U
— Zoom (@zoom_us) July 9, 2019
The company still maintains that the flaw was, in fact, a feature that made its services easier to use. However, security researchers found that the server would allow malicious websites to activate your webcam by using an iframe, bypassing the Safari browser's built-in protection.
So the security flaw is fixed and all is well, right? Not quite: some people have been critical of the fix. They say that Zoom still manages to bypass Apple's security and is capable of launching a Zoom call without confirmation from the user.
The whole Zoom episode seems to have opened Pandora's box. Zoom's chief information security officer, Richard Farley, said: "We are not alone among video conferencing providers in implementing this solution." It would be interesting to see whether a similar security flaw exists in other video-conferencing apps.
Update the Zoom app on your Mac to the latest patched version. Also, note that uninstalling the Zoom app will not remove the web server. The best thing to do is to update to the latest version, which fixes the security flaw.
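The mechanism described above (a desktop app leaving a web server listening on the loopback interface, which a web page can then reach) and the point that uninstalling the app does not remove that server suggest a simple check a Mac user or admin can run: list what is still listening on 127.0.0.1 or ::1. The script below is an added example, not code from the article or from Zoom. It parses the output format of `lsof -nP -iTCP -sTCP:LISTEN`; the lsof lines embedded in it are a constructed sample (the process name `helperapp` and port `19999` are placeholders, not Zoom's real daemon or port), so it runs offline and can be pointed at real output by replacing the sample.

```shell
#!/bin/sh
# Added example: find processes that are listening only on the loopback
# interface. A native app that keeps such a listener around after it is
# "uninstalled" is exactly the kind of leftover the article warns about.
#
# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output. On a real Mac,
# replace it with:  SAMPLE_LSOF="$(lsof -nP -iTCP -sTCP:LISTEN)"
SAMPLE_LSOF='COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
helperapp  512  alice   7u  IPv4 0x1234      0t0  TCP 127.0.0.1:19999 (LISTEN)
sshd        88  root    4u  IPv4 0x5678      0t0  TCP *:22 (LISTEN)
cupsd      101  root    6u  IPv6 0x9abc      0t0  TCP [::1]:631 (LISTEN)'

# loopback_listeners LSOF_TEXT
#   Prints "COMMAND PID PORT" for every LISTEN socket bound to 127.0.0.1 or
#   [::1]. Wildcard (*:port) and external-address listeners are skipped, since
#   the concern here is servers reachable from a web page on the same machine.
loopback_listeners() {
  printf '%s\n' "$1" | awk '
    /\(LISTEN\)/ && ($9 ~ /^127\.0\.0\.1:/ || $9 ~ /^\[::1\]:/) {
      n = split($9, parts, ":")   # port is the last colon-separated field
      print $1, $2, parts[n]
    }'
}

# listener_on_port LSOF_TEXT PORT
#   Exit 0 if some process has a loopback listener on PORT, 1 otherwise.
#   Useful after removing an app: if its port is still listed, a helper
#   daemon survived the uninstall.
listener_on_port() {
  loopback_listeners "$1" | awk -v p="$2" '$3 == p { found = 1 } END { exit !found }'
}

# Stand-alone run: report every loopback listener in the sample.
echo "Loopback listeners (COMMAND PID PORT):"
loopback_listeners "$SAMPLE_LSOF"
if listener_on_port "$SAMPLE_LSOF" 19999; then
  echo "WARNING: a local web server is still listening on port 19999"
fi
```

Run it as-is to see the sample result, or swap in live `lsof` output to audit a real machine; any entry whose COMMAND you do not recognise, or that belongs to an app you thought you had removed, is worth investigating and stopping.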