Zoom releases patch after report reveals flaw left Mac webcams exposed

Millions of people use Zoom's corporate video conferencing apps. When users revisited such websites, an attacker could have easily accessed the victim's webcam at any time via the web server; and because the web server is standalone software, it remains on Macs that had Zoom installed, even after the user has completely removed the app. For the new update, Zoom has partnered with Apple, so the fix can be deployed automatically without the need for any additional user interaction.

The flaw only affects computers running Apple's macOS, because Windows computers manage these connections in a different way, the report says.

The undocumented server remained installed on users' devices even after Zoom was uninstalled, allowing the app to be re-installed again without their knowledge.

More than 750,000 businesses around the world use Zoom's teleconferencing software.

Zoom initially defended its decision to install the web server, stating that it allowed users to join Zoom meetings with one click. Zoom clearly had not considered malicious uses - or, worse, had disregarded them - when it chose to take this choice away from the user, and appears to consider Zoom usage, and presumably its revenue growth, more important than protecting users against surveillance.

The webcam access is possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn't, the post said.

"We appreciate the hard work of the security researcher in identifying security concerns on our platform", wrote the company. This does not appear to be the case, as the first meeting with the researcher about how the vulnerability would be patched occurred only 18 days before the end of the 90-day public disclosure deadline. In a move that Daring Fireball's John Gruber justifiably describes as "criminal", it seems that Zoom leaves risky pieces of itself behind, in the form of a local web server, even after a user would have every reason to believe they have uninstalled it. It is underhanded and breaches trust boundaries. The patch shouldn't affect functionality other than requiring your permission to launch the app.
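For administrators who want to confirm that a Mac is not still carrying a leftover local web server of the kind described above, the following audit script is an added example, not code from the article, from Zoom or from the researcher. It checks whether anything accepts connections on a local port and whether known leftover files still exist after an uninstall. The port number and the paths are assumptions taken from public reporting on this issue rather than from the article; treat them as placeholders and substitute the values from the vendor advisory for your environment.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit a host for a leftover local
# web server and its files. Port/paths below are assumed placeholders from
# public reporting, not values stated in the article; verify them first.

# Return 0 if something accepts TCP connections on 127.0.0.1:$1.
# Uses bash's /dev/tcp pseudo-device so no lsof/nc dependency is needed.
local_port_open() {
    port="$1"
    (exec 3<>"/dev/tcp/127.0.0.1/${port}") 2>/dev/null
}

# Return 0 if any of the given paths still exists (e.g. a helper bundle or
# LaunchAgent plist left behind after the application was removed).
leftover_artifacts() {
    found=1
    for p in "$@"; do
        if [ -e "$p" ]; then
            echo "leftover: $p"
            found=0
        fi
    done
    return $found
}

# Combine both checks; return 0 when clean, 1 when something needs attention.
audit_local_server() {
    port="$1"; shift
    status=0
    if local_port_open "$port"; then
        echo "WARNING: a service is listening on 127.0.0.1:$port"
        status=1
    fi
    if leftover_artifacts "$@"; then
        status=1
    fi
    [ "$status" -eq 0 ] && echo "clean: no listener on $port and no leftover files"
    return $status
}

# Stand-alone run. Port and paths are assumed placeholders from public
# reporting; replace them with the values given in the vendor advisory.
audit_local_server "${LOCAL_SERVER_PORT:-19421}" \
    "$HOME/.zoomus" \
    "$HOME/Library/LaunchAgents/PLACEHOLDER-helper.plist"
rc=$?
echo "audit exit status: $rc"
```

Run it under the account that had the application installed, since the leftover files live in the user's home directory; a nonzero exit from `audit_local_server` means the machine should be cleaned up or the vendor's updated uninstaller applied.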
