On July 8, numerous mainstream news outlets, including www.theverge.com, reported on a security vulnerability affecting Mac users who have the Zoom app installed. Yesterday’s story, reported here by Dieter Bohn, explains that Jonathan Leitschuh, a security researcher, initially discovered the vulnerability earlier this year. Leitschuh has demonstrated that any website can initiate a video-enabled call on a Mac, provided that the Zoom app is installed. The principal reason is that the Zoom app installs a limited-functionality web server on Macs to facilitate accepting video-call requests; the web-server functionality was apparently implemented as a workaround to circumvent additional security measures introduced in a recent update to the Safari web browser. Moreover, if a user were to uninstall Zoom, that web server would remain, and it could even reinstall Zoom without the user having to act.
Bohn reports that, upon discovering the vulnerability in late March, Leitschuh responsibly disclosed the discovery to Zoom and offered the company 90 days’ time to resolve the problem. (During the intervening weeks, he also had conversations with the Chromium and Mozilla Firefox security teams.) According to Leitschuh, Zoom had failed to resolve the issue satisfactorily, leading to the public disclosure on July 8.
Zoom responded to the public outcry on the same evening with a lengthy blog post. The company summarized the problem as follows: “This week, a researcher published an article raising concerns about our video experience. His concern is that if an attacker is able to trick a target Zoom user into clicking a web link to the attacker’s Zoom meeting ID URL, the target user could unknowingly join the attacker’s Zoom meeting. If the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video feed.”
Zoom’s originally planned resolution to this issue was to apply and save users’ video preference from their first Zoom meeting to all future Zoom meetings. As such, users and system administrators could configure their client video settings to turn OFF video when joining a meeting. Initially, the company was reluctant to discontinue utilizing the web server in question because, it said, Zoom wanted to facilitate Mac users having a one-click-to-join user experience. In effect, the company was saying it was on users, upon joining their first meeting from a given device, to indicate they would like their video to be turned OFF until directed otherwise.
On the afternoon of July 9, however, Zoom made an abrupt about-face. CEO Eric Yuan confirmed that Zoom would release a patch to disable the web-server functionality and, in so doing, restore protections for Mac users. According to an article from www.wired.com, reported here by Lily Hay Newman, Yuan revealed the company’s change of heart in a Zoom meeting that Leitschuh had created in his efforts to prove the security vulnerability.