Wednesday, 24 July 2019

Zoom backtracks on 'legitimate solution' that left Mac webcams vulnerable to hijacking

11 July 2019

Zoom said that it had "no indication" that any of the millions of people who use its software had ever fallen victim to the flaw, and said that it would be "readily apparent" if anyone had access to the camera, because the video application is designed to be the foreground window on the user's screen.

TechCrunch reports that Apple's silent update protects all Zoom users from the recently discovered web server vulnerability without affecting the operation of the app itself.

Mr Leitschuh told Medium: "This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission".

Despite the mishandling of the incident, Zoom's share price has continued to rise throughout the week, sitting at $92.72 a share at the time of writing, up 2% on the day.

In a move that Daring Fireball's John Gruber justifiably describes as "criminal", Zoom leaves risky pieces of itself behind, in the form of a local web server, even after a user would have every reason to believe they've uninstalled it.

Farley, for his part, pointed the finger at Apple as the reason for the background web server, saying that it was built as a "workaround" after Apple made a security change in Safari 12 to improve user privacy, in order to avoid making users click an extra dialog box before joining a meeting.

Zoom's Tuesday update also lets users uninstall Zoom completely, web server included. Apple's update ensures the web server is removed even if users have already uninstalled Zoom or haven't installed Tuesday's update.
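A way to confirm on your own Mac that no helper web server is still listening after an uninstall, as an added example that is not code from the article, Zoom or Apple. It parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and reports every TCP listener a web page in a local browser could reach. The sample listing, the process name "helper-web" and port 19000 are constructed placeholders, not identifiers from the disclosure.

```shell
#!/bin/sh
# Added example, not code from the article, Zoom or Apple: list TCP listeners on
# a Mac that a web page running in a local browser could reach, i.e. sockets
# bound to the loopback address or to all interfaces. A helper web server left
# behind by an "uninstalled" app shows up here; so does any other local daemon.
#
# Input is the text produced by `lsof -nP -iTCP -sTCP:LISTEN`, whose columns
# are: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, with NAME being
# "addr:port" followed by a final "(LISTEN)" token.

# Print "COMMAND PID PORT" for each locally reachable listener on stdin.
# $1 is an optional extended regex of command names to ignore.
local_listeners() {
    awk -v allow="$1" '
        NR == 1 { next }                         # skip the lsof header line
        {
            addr = $(NF - 1)                     # "127.0.0.1:19000", "[::1]:8080", "*:22"
            if (addr !~ /^(127\.[0-9.]+|\[::1]|\*):[0-9]+$/) next
            port = addr
            sub(/.*:/, "", port)                 # keep only the part after the last colon
            if (allow != "" && $1 ~ allow) next  # allowlisted command, e.g. a known daemon
            print $1, $2, port
        }'
}

# Print "COMMAND PID" for whatever listens on port $1 and exit 0; exit 1 if nothing does.
port_listener() {
    awk -v port="$1" '
        NR == 1 { next }
        {
            p = $(NF - 1)
            sub(/.*:/, "", p)
            if (p == port) { print $1, $2; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample in the layout of `lsof -nP -iTCP -sTCP:LISTEN`. PIDs and
# device ids are made up, and "helper-web" on port 19000 is a placeholder for a
# leftover helper daemon; take the real process name and port from the vendor's
# disclosure rather than from this example.
SAMPLE='COMMAND      PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd        1  root   12u  IPv6 0x1a2b3c4d5e6f0001      0t0  TCP *:22 (LISTEN)
rapportd     312 alice    4u  IPv4 0x1a2b3c4d5e6f0002      0t0  TCP *:49152 (LISTEN)
helper-web  7789 alice    7u  IPv4 0x1a2b3c4d5e6f0003      0t0  TCP 127.0.0.1:19000 (LISTEN)
python3     9001 alice    3u  IPv4 0x1a2b3c4d5e6f0004      0t0  TCP 127.0.0.1:8000 (LISTEN)'

# Demo on the sample: everything except launchd and rapportd is reported.
printf '%s\n' "$SAMPLE" | local_listeners '^(launchd|rapportd)$'
# Ask specifically about the placeholder port.
if printf '%s\n' "$SAMPLE" | port_listener 19000 >/dev/null; then
    echo "port 19000 is still served; the helper was not removed"
fi
```

On a live machine, pipe `lsof -nP -iTCP -sTCP:LISTEN | local_listeners '^(launchd|rapportd)$'` and review anything that remains; run lsof with `sudo` to see sockets owned by other users. A listener that is absent now but registered as a launch agent will be back at next login, so an uninstall check should also look at `~/Library/LaunchAgents` for entries the app left behind.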

"It took Zoom 10 days to confirm the vulnerability", wrote Leitschuh.


Zoom's developers said the local server is needed to store settings information.

However, a malicious website can exploit the web server by sending it a request that joins the visitor to a call with the camera switched on.

The good news is that Zoom has published a blog post detailing its response to this vulnerability, including a patch for its software.

"What's unfortunate, invasive and a violation of trust is when the software seems 'uninstalled' but really isn't."

"A very poor decision by the folks at Zoom", he added.
