The company at first did not consider the problem serious, but later changed its mind.
Video-call service Zoom has released an emergency patch closing a vulnerability that let websites remotely turn on webcams on macOS. The update removes from users' computers the local web server that caused the problem. This is stated in an updated statement on the Zoom website.
At first Zoom defended its position and did not intend to change the program, but reversed course once researcher Jonathan Leitschuh's write-up on the vulnerability spread through the media.
The July 9 patch will do the following:
1. Completely remove the local web server after the update. We are stopping the use of the server on macOS devices, and once the patch is published, all users will be prompted via a notification to install it.
2. Allow users to uninstall Zoom manually. We are adding a new option to the Zoom menu that allows the client, including the web server, to be uninstalled manually and completely. After the patch is applied, all users will have a “Delete Zoom” option.
from the Zoom post
Leitschuh's write-up explained that on macOS, Zoom installs alongside the application itself a local web server that websites can talk to. This lets the service bypass browser restrictions and start a call as soon as a special link is clicked, but it also lets an attacker's web page connect a user to a call, camera on, without asking.
The company insisted that the server was safe and that users could always tell when they had been connected to a call. Zoom explained that the server was there to save clicks, but it also made it possible to reinstall the application after it had been uninstalled, without any additional confirmation.
As Leitschuh noted, after his publication Zoom CEO Eric Yuan joined the discussion of the problem. He personally reproduced the exploit and apologized for the company's reaction.
On Twitter, users pointed out that Zoom was not the only one running a web server on macOS. Among other popular services, Spotify, Keybase, iTunes, KBFS and Numi, among others, use a similar scheme.
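The mechanism described above, as an added example that is not Zoom's code and not from the page's author: a localhost "launch" server that acts on any plain GET can be triggered by a hostile page with nothing more than an image tag, because the browser sends the cross-site request and the attacker never needs to read the response. The hardened variant beside it requires a custom request header, which a browser cannot attach to a cross-site request without a CORS preflight that the server refuses. The /launch path, the confno parameter, the X-Launch-Token header and the token value are assumptions made up for this demo.

```python
"""Naive vs. checked localhost launch server (illustration, not Zoom's code)."""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse

LAUNCHED = []  # (handler name, meeting number) for every call a server started


class NaiveLaunchHandler(http.server.BaseHTTPRequestHandler):
    """Starts a call on any GET /launch?confno=... from anyone. A hostile page
    only needs <img src="http://localhost:PORT/launch?confno=...">: the browser
    issues a plain cross-site GET, and same-origin policy does not stop it
    because the attacker does not need the response."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/launch":
            self.send_response(404); self.end_headers(); return
        confno = parse_qs(url.query).get("confno", [""])[0]
        LAUNCHED.append((type(self).__name__, confno))  # the "call" happens here
        self.send_response(200); self.end_headers()

    def log_message(self, *_):  # keep the demo quiet
        pass


class CheckedLaunchHandler(NaiveLaunchHandler):
    """Same endpoint, but acts only when a custom header carries a secret that
    web content never sees. A cross-site request with a custom header forces a
    CORS preflight (OPTIONS); refusing every preflight means only the native
    client, which knows the token, can trigger the action."""

    TOKEN = "per-install-random-secret"  # assumed: generated at install time

    def do_OPTIONS(self):
        self.send_response(403); self.end_headers()  # refuse every preflight

    def do_GET(self):
        if self.headers.get("X-Launch-Token") != self.TOKEN:
            self.send_response(403); self.end_headers(); return
        super().do_GET()


def serve(handler):
    """Bind the handler on an ephemeral loopback port; return (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def request(port, headers=None):
    """GET /launch?confno=123 the way a browser would; return the status code."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/launch?confno=123", headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Fire the <img>-style request at both servers and report what happened."""
    LAUNCHED.clear()
    naive, naive_port = serve(NaiveLaunchHandler)
    checked, checked_port = serve(CheckedLaunchHandler)
    try:
        return {
            "naive_plain_get": request(naive_port),      # a stranger's page starts a call
            "checked_plain_get": request(checked_port),  # no token: refused, nothing happens
            "checked_with_token": request(
                checked_port, {"X-Launch-Token": CheckedLaunchHandler.TOKEN}),
            "launched": list(LAUNCHED),
        }
    finally:
        naive.shutdown(); checked.shutdown()


if __name__ == "__main__":
    print(demo())
```

The header check is only one layer: a real fix also removes the always-on server, as Zoom's patch does, and asks the user before joining a call with the camera enabled.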
They are far from alone, a quick `lsof -i | grep LISTEN` shows that I have: Spotify, Keybase, KBFS, iTunes, Numi, https://t.co/MVSAJgN9yY… All running locally listening web servers.— Matthew Gregg (@braintube) July 9, 2019
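A slightly more careful version of the `lsof` check in the tweet, as an added example that is not from the page or its author: it lists TCP listeners, flags those bound only to loopback (invisible to a network scan but reachable from any web page running in the user's browser), and groups them by process. The lsof lines in SAMPLE are constructed for the demo; the process names, PIDs and ports in them are illustrative, not measurements.

```python
"""Audit local TCP listeners from lsof output (added example, not the author's)."""
import re
import shutil
import subprocess

# -n/-P: numeric hosts and ports; -iTCP -sTCP:LISTEN: TCP sockets in LISTEN state only.
LSOF_CMD = ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"]

# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, NAME = host:port (LISTEN)
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<host>\S+):(?P<port>\d+)\s+\(LISTEN\)")

LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "localhost"}

# Constructed sample of lsof output; names, PIDs and ports are made up.
SAMPLE = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpener  611 alice    3u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:19421 (LISTEN)
Spotify     702 alice   10u  IPv4 0x1a2c      0t0  TCP 127.0.0.1:4381 (LISTEN)
Spotify     702 alice   11u  IPv4 0x1a2d      0t0  TCP *:57621 (LISTEN)
sshd        120 root     4u  IPv6 0x1a2e      0t0  TCP *:22 (LISTEN)
"""


def parse_listeners(lsof_text):
    """Turn lsof text into dicts; lines that are not TCP LISTEN rows are skipped."""
    rows = []
    for line in lsof_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "command": m["cmd"],
            "pid": int(m["pid"]),
            "host": m["host"],
            "port": int(m["port"]),
            # Bound to loopback only: unreachable from the LAN, but any site
            # open in the browser can still send it requests.
            "loopback_only": m["host"] in LOOPBACK_HOSTS,
        })
    return rows


def loopback_listeners_by_process(lsof_text):
    """Map command name -> sorted list of loopback-only ports, for a quick review."""
    result = {}
    for row in parse_listeners(lsof_text):
        if row["loopback_only"]:
            result.setdefault(row["command"], []).append(row["port"])
    return {cmd: sorted(ports) for cmd, ports in result.items()}


def audit():
    """Run lsof if it is installed, otherwise fall back to the constructed sample."""
    text = SAMPLE
    if shutil.which("lsof"):
        proc = subprocess.run(LSOF_CMD, capture_output=True, text=True)
        if proc.returncode == 0 and proc.stdout.strip():
            text = proc.stdout
    return loopback_listeners_by_process(text)


if __name__ == "__main__":
    for cmd, ports in audit().items():
        print(f"{cmd}: loopback-only listeners on {ports}")
```

Seeing a process in this list is not by itself a vulnerability; what matters is whether the endpoint acts on unauthenticated requests, so each entry deserves a look at what the helper does with a plain GET.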