Video conferencing giant Zoom has published a patch for its Mac client removing a rogue web server from users’ computers that allowed any website to join a video call without permission.
News of the vulnerability first emerged Monday after software engineer and security researcher Jonathan Leitschuh published a Medium post detailing the vulnerability.
“If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost webserver on your machine that will happily reinstall the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.”
Leitschuh included patches for the vulnerability, including how to disable the ability for Zoom to turn on your webcam when joining a meeting, a terminal command for disabling video by default and instructions on how to shut down the web server and remove web server application files.
Users can now update their client or download the new version from its website.
In his timeline, Leitschuh said that the vulnerability was originally disclosed to Zoom on March 26, with a proposed “quick fix,” but that Zoom took 10 days to confirm the vulnerability, and that despite talking to the company he only saw on June 24 that Zoom had implemented the quick fix.
“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack,” he wrote.
Leitschuh added that he is publicizing the vulnerability because “this is essentially a zero day,” referring to a previously undisclosed vulnerability now out in the wild.
“Unfortunately, Zoom has not fixed this vulnerability in the allotted 90-day disclosure window I gave them, as is the industry standard. As such, the 4+ million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service.”
A Zoom spokesperson told TechCrunch: “Zoom is working with a security researcher who raised concerns about video-on-by-default as a security vulnerability: Zoom by default turns on the video of a user when they join a meeting. This could, in theory, create the potential for a hacker to trick a target into joining a video meeting on camera. Of note, we have no indication that this has ever happened.”
In a longer statement, the company said that currently, “All first-time Zoom users, upon joining their first meeting from a given device, are asked whether they would like their video to be turned OFF. For subsequent meetings, users can configure their client video settings to turn OFF video when joining a meeting. Additionally, system administrators can pre-configure video settings for supported devices at the time of install or change the configuration at anytime.”
It added: “As part of our July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.”
Updated with new information about the patch, and with an updated headline.