Zoom finally fixes security bug that let users look into others' homes


As you may recall, we reported on Tuesday that a security researcher had discovered that the Zoom video conferencing app for macOS could be used to hijack a computer's webcam fairly easily.

Apple has pushed a silent update to Mac users that removes the web server sneakily installed by the popular video conferencing app Zoom, the component that had let intruders hijack Mac webcams, TechCrunch reports.

Of particular concern, security researcher Jonathan Leitschuh found that even if a Mac user had uninstalled the Zoom client, a localhost web server remained on the machine and would reinstall the client without any interaction from the user beyond visiting a web page.


On Tuesday, Zoom defended the use of the server, telling ZDNet in a statement that it was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator". The same server also reinstalls Zoom's software if it has been removed: in a move that Daring Fireball's John Gruber justifiably describes as "criminal", Zoom leaves unsafe pieces of itself behind, in the form of a local web server, even after a user would have every reason to believe they have uninstalled it. "We appreciate our users' patience as we continue to work through addressing their concerns", Zoom spokesperson Priscilla Barolo told CNET, confirming the TechCrunch report.

"This does not appear to be the case, as the first meeting with the researcher about how the vulnerability would be patched occurred only 18 days before the end of the 90-day public disclosure deadline", said Keary.

But now, TechCrunch reports, Apple has decided to step in regardless, pushing a silent update for Macs that removes Zoom's web server functionality altogether.

A malicious website could exploit that web server simply by sending it a request for a video feed, which is what made the webcam hijack possible. The updates also turn the webcam off by default when joining, to address the issue, and should not affect functionality other than requiring your permission before the app is launched.
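The two passages above (the localhost server that survives uninstallation and the request any website can send it) describe a general pattern worth seeing in code. The following Python script is an added example, not code from the original article or from Zoom: it models a "click-to-join" helper server listening on 127.0.0.1 that acts on every GET it receives, so a page on any site the user visits can trigger it (an `<img>` or `<script>` tag pointing at `http://localhost:<port>/...` is enough, no CORS required), beside a hardened variant that acts only on requests whose `Origin` header is on an allowlist. The ephemeral port, the `/launch` path and the `join.example` origin are hypothetical, and nothing is actually launched; the handler only records that it would have.

```python
"""Model of a 'click-to-join' localhost helper server: vulnerable vs hardened.

Added example (not Zoom's code). Shows why a web server bound to 127.0.0.1 is
reachable from any website the user visits: the browser issues the GET on
behalf of whatever page is open. Port, path and allowlist are hypothetical.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hypothetical: the origin(s) from which the vendor's own join page is served.
ALLOWED_ORIGINS = {"https://join.example"}


class OpenerHandler(BaseHTTPRequestHandler):
    hardened = False   # overridden per server instance in start_server()
    launched = None    # list that records each simulated client launch

    def log_message(self, *args):  # keep the console quiet
        pass

    def do_GET(self):
        if not self.path.startswith("/launch"):
            self.send_error(404)
            return
        origin = self.headers.get("Origin")
        # A no-cors request such as <img src="http://localhost:PORT/launch?id=123">
        # carries no Origin header at all, so a missing header is rejected too.
        if self.hardened and origin not in ALLOWED_ORIGINS:
            self.send_error(403, "origin not allowed")
            return
        # A real helper would start the client and join the meeting here
        # (camera on by default, as the article describes). We only record it.
        self.launched.append(origin)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"launching")


def start_server(hardened):
    """Start a helper server on 127.0.0.1 with an ephemeral port.

    Returns (server, port, launches); launches is the list the handler appends
    to each time it would have launched the client.
    """
    launches = []
    handler = type("Handler", (OpenerHandler,),
                   {"hardened": hardened, "launched": launches})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1], launches


def probe(port, origin=None):
    """Issue the GET a drive-by page would cause; return the HTTP status code."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/launch?id=123")
    if origin is not None:
        req.add_header("Origin", origin)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for mode in (False, True):
        server, port, launches = start_server(hardened=mode)
        print("hardened" if mode else "vulnerable", "server on port", port)
        print("  Origin https://evil.example ->", probe(port, "https://evil.example"))
        print("  no Origin (<img> tag)       ->", probe(port))
        print("  Origin https://join.example ->", probe(port, "https://join.example"))
        print("  launches recorded:", launches)
        server.shutdown()
        server.server_close()
```

Run it and the vulnerable server answers 200 to all three probes, including the one with no `Origin` (the shape of an `<img>`-triggered request), while the hardened one answers 403 to the first two. The `Origin` allowlist only defends against browser-mediated drive-by requests: a native process on the same machine can send whatever headers it likes, which is why the fix the article reports, removing the server and putting a permission prompt in front of launching the app, removes the attack surface rather than filtering it.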
