ZOOM Mac Client Vulnerability

https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-milli…

If you’ve installed Mac Web Client, a malicious web site you visit can enable your camera without your permission. The author further alleges that ZOOM was informed of the bug and has been slow to correct it.

It wouldn’t surprise me if there is some hype in the article, but it is my impression that this points to a legitimate flaw. I have not seen confirmation of this news elsewhere, though. Sorry to share the bad news.

Fool on!
Thanks, and best wishes,
TMFDatabaseBob (long: AAPL; ZM is on my Watch List)
See my holdings here: http://my.fool.com/profile/TMFDatabasebob/info.aspx
Peace on Earth

Please note: I am not a member of any newsletter team. My opinions are my own and do not necessarily reflect those of the TMF advisers. I want to share my research with you since we’re all part of the larger TMF Community.

10 Likes

There are several articles that came out this morning reporting on this (Bloomberg, BBC, Business Insider) so it is likely true.

It’s down a bit pre-market but if it drops significantly I may be tempted to make an entry. This only affects their software on Macs but I’ll be curious to see their response and how quickly this is fixed. Security is a big deal in today’s age and folks get especially spooked about privacy issues but I don’t see this having a big impact long term.

Obviously, this needs to be fixed… still… in today’s world, it is prudent to disable your PC/laptop camera when not used.

🆁🅶🅱
a man hears what he wants to hear and disregards the rest…

https://www.wired.com/story/zoom-flaw-web-server-fix/

“Zoom Will Fix the Flaw That Let Hackers Hijack Webcams”

According to the article, the update is on this page:
https://zoom.us/download?zcid=1231

It’s definitely true. My organization has Zoom and all the Mac users were sent an urgent message last night to download the latest version of Zoom. I updated it this morning - pretty painless effort but then again it definitely was a hack.

Sox

1 Like

I don’t care that much about the discovered vulnerability. This happens with all software all the time. But the way a company handles security researchers that approach them with discovered vulnerabilities is key. Serious companies pay a bounty to find security-related bugs and vulnerabilities.

For Zoom, which wants to grow on paying corporate customers, not being able to handle such cases is really showing bad judgement, a lack of understanding of the impact of public disclosures and a generally lazy attitude towards one of their core assets: user trust.

To the initial contact with the vulnerability, Zoom’s reaction was (at least according to the researcher): “Informed that Zoom Security Engineer was Out of Office.”
Hello? “The” Security engineer. One? And if he is out of office, there is no one who can handle such a case? Look at the timeline:
https://medium.com/bugbountywriteup/zoom-zero-day-4-million-…

So. Holes happen. That’s reality. But a company not being able to handle a real threat (and even if that is mainly a PR issue) does raise a red flag with me. Especially if they have one and only one product and it is that very product that is affected, not something on the sideline.

4 Likes

So. Holes happen. That’s reality. But a company not being able to handle a real threat (and even if that is mainly a PR issue) does raise a red flag with me.

It’s much worse than that. What we see is a product architected with no concern or understanding of security, or at least you have to hope so since the choice is between clueless or evil. See what John Gruber, a highly respected Apple commentator has to say.

https://daringfireball.net/linked/2019/07/10/zoom
https://daringfireball.net/linked/2019/07/10/nguyen-zoom

Any architecture that requires a localhost web server is questionable at best. (That means every Mac with Zoom installed is running a web server.) But the fact that Zoom implemented it in a way such that the web server was still there, still running, even when you deleted the Zoom app, is morally criminal, and should be legally criminal. No one who understands how this worked could possibly have thought this was ethical. Install the app, try the app, delete the app — you expect all traces of the app to be gone. Not only did Zoom leave something behind, it left behind a web server with serious security vulnerabilities. I’m not prone to histrionics but this is genuinely outrageous — not even to mention the fact that Leitschuh reported this to Zoom months ago and Zoom effectively shrugged its corporate shoulders.

If you ever installed Zoom, I’d go through the steps to eradicate it and never install it again.

I’m sure this will all blow over, but it doesn’t reflect well on Zoom’s management. It puts them in the moral vicinity of Zuckerberg.

-IGU-

22 Likes

And with any luck this puts the whole incident to bed:
https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-s…

Apple is silently removing Zoom’s web server software from Macs
After all of the drama over Zoom’s use of a hidden web server on Macs, Apple itself has decided to step in, TechCrunch reports. It is issuing a silent update — meaning your Mac will get it without any interaction on your part — to remove the web server, which was designed to save Safari users an extra click, from any Mac that has Zoom’s software installed.

Although Zoom itself issued an emergency patch yesterday to remove that web server, apparently Apple is concerned that enough users won’t update or are unaware of the controversy in the first place that it’s issuing its own patch…

Zoom’s chief information security officer, Richard Farley, explained that the company didn’t really believe that there was anything wrong with its software, but it wanted to reassure everybody who disagreed…

This last is, of course, disingenuous BS.

-IGU-

4 Likes

Just got a notice from our IT about the Zoom security flaw for Macs (we are now exclusively Zoom; it’s interesting that it took them a few days to let us all know about it).

The latest version of the Zoom application removes the vulnerability.

There is also now an update available for the Apple malware removal tool that also eliminates the vulnerability, which will automatically be downloaded/installed with the next update but can also be triggered manually using these instructions: https://support.apple.com/en-us/HT201541

It is issuing a silent update — meaning your Mac will get it without any interaction on your part — to remove the web server, which was designed to save Safari users an extra click, from any Mac that has Zoom’s software installed.

Ahem… Did Apple just admit to having a backdoor to every Mac? And this doesn’t concern anyone?

Mark

1 Like

Ahem… Did Apple just admit to having a backdoor to every Mac? And this doesn’t concern anyone?

No. It’s an option that users can set whether they want automatic system updates. See https://daringfireball.net/2019/07/another_zoom_update.

Isn’t this “nonconsensual technology” too?

Clearly, the answer sounds like yes at first. Users get no indication of the update, and “requires no user action” makes it sound like it’s mandatory. But there is a setting to control this, allowing Mac users to disable the automatic installation of such updates.

More details at the link.

My concern is not so much the security hole, but how Zoom’s management could possibly think this was okay. Right now it’s the main reason I won’t put any money in ZM.

-IGU-