Following the disclosure — and wide media coverage — of a zero-day flaw in video conferencing service Zoom's Mac client that enables easy access to a user's camera feed, the company on Tuesday reversed course and said it plans to issue a fix for the vulnerability.
Announced in a post to Zoom's official blog, the emergency security patch will remove a local web server the company is using to bypass a Safari 12 protection mechanism, as well as allow users to completely uninstall the app.
The move is a course reversal for Zoom, which as recently as Tuesday said both actions would be difficult to implement. Zoom previously defended its use of a local host server to bypass built-in Safari security protocols in favor of a streamlined user experience.
Apple's latest Safari 12 requires users to interact with a dialogue box when a website or link attempts to launch an outside app. Zoom, which prides itself on a streamlined UX and one-click-to-join video meetings, worked around that prompt by installing a local host server that runs constantly as a background process.
As detailed by security researcher Jonathan Leitschuh, nefarious websites can take advantage of the local web server to trigger a video call with a simple launch action or an iframe exploit, automatically activating a Mac's webcam and connecting to a meeting without user consent. All Zoom Mac clients are vulnerable through Safari, Chrome and Firefox unless a "Turn off my video when joining a meeting" option is ticked in the software's settings menu.
In addition to granting potentially unwanted webcam access, the local server remains on a host machine even when Zoom is uninstalled and can re-install the client app without user interaction.
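The background server the article describes is, from a defender's point of view, simply a loopback (127.0.0.1 / ::1) TCP listener that outlives the app it belongs to. The following is an added example, not code from the article or from Zoom: a small Python audit that parses macOS `lsof` output, keeps only listeners bound to the loopback interface, and groups them by process so an administrator can spot a helper that should no longer be running. The sample `lsof` text, the process name `ExampleHe` and port `4242` are constructed placeholders; the port and daemon name of the real Zoom server are not given in the article and are not assumed here.

```python
"""Enumerate loopback TCP listeners from macOS/BSD `lsof` output.

Added example (not Zoom's code, not from the original article).
Assumes the column layout of `lsof -nP -iTCP -sTCP:LISTEN`:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME is
"<addr>:<port> (LISTEN)".
"""
import subprocess
from collections import defaultdict

# Constructed sample output for offline use; names and ports are placeholders.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd    412 alice   4u  IPv4 0x1111111111111111      0t0  TCP *:49152 (LISTEN)
ExampleHe   987 alice   5u  IPv4 0x2222222222222222      0t0  TCP 127.0.0.1:4242 (LISTEN)
ExampleHe   987 alice   6u  IPv6 0x3333333333333333      0t0  TCP [::1]:4242 (LISTEN)
"""

LOOPBACK_ADDRS = {"127.0.0.1", "localhost", "[::1]"}


def parse_listeners(text):
    """Turn lsof LISTEN lines into dicts with command, pid, user, addr, port."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip the header row and anything that is not a listening socket.
        if len(tokens) < 9 or tokens[-1] != "(LISTEN)":
            continue
        addr, port = tokens[-2].rsplit(":", 1)  # "[::1]:4242" -> ("[::1]", "4242")
        entries.append({
            "command": tokens[0],
            "pid": int(tokens[1]),
            "user": tokens[2],
            "addr": addr,
            "port": int(port),
        })
    return entries


def is_loopback(addr):
    """True for IPv4/IPv6 loopback addresses as printed by lsof -n."""
    return addr in LOOPBACK_ADDRS or addr.startswith("127.")


def loopback_listeners(entries):
    """Keep only sockets bound to the loopback interface."""
    return [e for e in entries if is_loopback(e["addr"])]


def summarize(entries):
    """Group (addr, port) pairs by process name, sorted for stable output."""
    by_cmd = defaultdict(set)
    for e in entries:
        by_cmd[e["command"]].add((e["addr"], e["port"]))
    return {cmd: sorted(pairs) for cmd, pairs in by_cmd.items()}


def audit(text):
    """Full pipeline: parse -> loopback filter -> per-process summary."""
    return summarize(loopback_listeners(parse_listeners(text)))


def run_lsof():
    """Collect live data from the local machine (requires lsof on PATH)."""
    out = subprocess.run(
        ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
        capture_output=True, text=True, check=False,
    )
    return out.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for cmd, endpoints in audit(SAMPLE_LSOF).items():
        print(cmd, endpoints)
```

Run it against `run_lsof()` instead of `SAMPLE_LSOF` on a real Mac to see which processes hold loopback ports; a helper that still appears after the application it served has been removed is exactly the persistence pattern the article describes.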
Zoom initially said it would not remove the server feature, but it appears the company had a change of heart after its CEO, Eric Yuan, discussed security concerns in a "Party Chat" with Leitschuh and various members of the Zoom community on Monday. That meeting, conducted through Zoom, was open to all comers and could be accessed through a proof of concept link provided in the security researcher's original report.
Along with removing the local host server, Zoom's Tuesday patch will also include a menu bar option to completely uninstall the Mac client. Earlier on Tuesday, the company said it did not have an "easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client," saying the process had to be completed manually through Terminal.
The patch is expected to arrive later tonight.