Researcher says Zoom flaw may leave Mac webcams exposed

Kelley Robertson
July 12, 2019

Zoom installs a web server on every Mac on which it is installed, to handle connecting video conference participants, and attackers can use a flaw in this server to switch on a victim's camera by pulling them into a meeting, unless the user has changed Zoom's default of joining meetings with video turned on.

As first reported by TechCrunch, Apple has quietly pushed a macOS update that removes this hidden web server, which also stops it from reinstalling the Zoom client after a user has uninstalled it. macOS users need take no action for this update; it is applied automatically.

Security researcher Jonathan Leitschuh disclosed this week that Zoom's setup lets a website add a visitor to a call, with their webcam switched on, without asking permission.

Apple has pushed an update to Mac users that removes Zoom's controversial web server from their computers.

"We're happy to have worked with Apple on testing this update", Zoom said. According to Zoom, updating the client now not only fixes the issue but also removes the local web server.

A Zoom spokesperson told Forbes that the company had begun analyzing the problem within 10 minutes of learning about it, and that one-click joining of video calls was meant to address a poor user experience for those running Apple's Safari 12 web browser. One-click joining generally involves sending someone a unique meeting link over the web, which they click to join; if that person had uninstalled Zoom, the local web server reinstalls it. "We appreciate our users' patience as we continue to work through addressing their concerns", Zoom spokesperson Priscilla Barolo told CNET, confirming the TechCrunch report.

"Let me start off by saying having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me", Leitschuh wrote in his disclosure. It seems that Zoom thinks that asking a user if they want to join a meeting is a "poor user experience".

The flaw is said to stem partly from the web server the Zoom app installs on Macs, which "accepts requests regular browsers wouldn't".
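The security-relevant point behind the web server described above and in the opening paragraph is that anything listening on loopback is reachable from every web page the user opens, because the browser will happily send it requests. The following is an added illustration, not Zoom's code and not the researcher's: a loopback helper service that refuses requests a web page triggered and requires a per-install secret before acting. The port, the `/join` path, the `confno` and `token` parameters and the install-token scheme are all assumptions made for this example.

```python
"""Added example, not Zoom's code: a localhost helper service that refuses
requests triggered by web pages. Port, path and parameter names are made up
for this illustration."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

LISTEN_PORT = 8765          # hypothetical; any loopback port would do
JOIN_PATH = "/join"         # hypothetical endpoint the desktop client would call

# Per-install secret (assumed design). A real client would generate this once
# at install time and hand it only to code it trusts; a web page cannot learn it.
INSTALL_TOKEN = secrets.token_urlsafe(32)

# Records of meetings the helper "launched", so the effect of a request is visible.
LAUNCHED = []


def authorize_local_request(headers, url, expected_token):
    """Return (allowed, reason) for one request to the local helper.

    headers: mapping of request header names to values (any letter case)
    url:     request target, e.g. '/join?confno=123&token=...'
    """
    h = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    if parts.path != JOIN_PATH:
        return False, "unknown endpoint %s" % parts.path
    # Check 1 (defence in depth): a request caused by a web page, via <img>,
    # fetch(), a form and so on, carries Origin (fetch/XHR/POST), usually
    # Referer (unless the page's referrer policy suppresses it) and, in modern
    # browsers, Sec-Fetch-Site. The desktop client never sends these, so their
    # presence means "a web page is driving me" and the request is refused
    # outright instead of being answered in a way that makes the cross-origin
    # load look like a success.
    if "origin" in h or "referer" in h:
        return False, "web-page request (Origin/Referer present)"
    if h.get("sec-fetch-site", "none") != "none":
        return False, "cross-site fetch (Sec-Fetch-Site=%s)" % h["sec-fetch-site"]
    # Check 2 (the one that actually closes the hole): every caller must prove
    # it is the local client by presenting the per-install secret, which a web
    # page has no way to obtain. Compared in constant time.
    token = parse_qs(parts.query).get("token", [""])[0]
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "missing or wrong install token"
    return True, "ok"


def handle_join(headers, url, expected_token=INSTALL_TOKEN):
    """Apply the policy and, only if allowed, perform the side effect."""
    allowed, reason = authorize_local_request(headers, url, expected_token)
    if allowed:
        confno = parse_qs(urlsplit(url).query).get("confno", [""])[0]
        LAUNCHED.append(confno)   # stands in for "launch the client into a meeting"
    return allowed, reason


class HardenedHandler(BaseHTTPRequestHandler):
    """HTTP front end: same decision, and refusals get a bodyless 403."""

    def do_GET(self):
        headers = {k: v for k, v in self.headers.items()}
        allowed, reason = handle_join(headers, self.path)
        self.send_response(204 if allowed else 403, reason)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only. The checks above are still needed, because any web
    # page loaded in a browser on this machine can reach loopback as well.
    print("install token:", INSTALL_TOKEN)
    HTTPServer(("127.0.0.1", LISTEN_PORT), HardenedHandler).serve_forever()
```

The header checks alone are not enough, since referrer policies can strip Referer and older browsers do not send Sec-Fetch-Site; the per-install secret is what makes a web page unable to drive the helper, and the header checks mainly give a clear log reason when one tries. A helper that needs none of this is simpler still: no local web server at all, which is the outcome the update described in this article produces.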

In an interview with The Verge, Zoom chief information security officer Richard Farley explained that the company based the move on "feedback" from those "following this and contributing to the discussion".

Facing mounting pressure, Zoom's founder and CEO, Eric S. Yuan, responded in a Wednesday blog post that "in engaging this researcher over the past 90 days, we misjudged the situation and did not respond quickly enough - and that's on us".
