The company behind a video-conferencing app revealed this week to have a worrying security flaw has backtracked on its initial decision not to put out a full fix, and now says a patch will be released tonight.
Security researcher Jonathan Leitschuh revealed this week that Zoom, an app most notable for its click-to-join feature, contains a ‘serious zero-day vulnerability’ that could let hackers take over the camera on your Mac.
And uninstalling the app alone won’t fix the problem.
On Tuesday, Zoom said today’s update will remove the local web server to secure the system and do away with the use of these servers moving forward. It will also make it easier for users to uninstall the program altogether.
A security researcher has warned Mac users of a security flaw in the Zoom video-conferencing app leaving people at risk of being hijacked. Zoom is most notable for its click-to-join feature, where clicking on a browser link takes you directly to a video meeting in Zoom’s app
HOW TO UNINSTALL ZOOM COMPLETELY
Zoom issued a patch on Tuesday that will fix the bug and allow users to manually uninstall Zoom.
‘We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server,’ the company said.
‘Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.”
‘By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.’
In a blog post, Mr Leitschuh explained that Zoom’s design makes it possible for websites to add you to a call, activating your webcam without permission.
The vulnerability stems from the Zoom feature that lets you send anyone a meeting link: when they open that link in their browser, the Zoom client opens automatically on their local machine.
The researcher says he contacted Zoom on March 26, giving the company a public disclosure deadline of 90 days.
He demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed.
That’s possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn’t, the post said.
According to the
If you uninstall Zoom, that web server persists and can reinstall Zoom without any action on your part.
The publication confirmed that the vulnerability works — if you have previously installed the Zoom app, clicking a link automatically joins you to a conference call with your camera on.
‘If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you without requiring any user interaction on your behalf besides visiting a webpage,’ he wrote.
‘This re-install “feature” continues to work to this day.’
The flaw is said to be partly due to a web server the Zoom app installs on Macs that ‘accepts requests regular browsers wouldn’t.’
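The mechanism the article describes, a web server on the user’s own machine that acts on requests an ordinary website could never make a browser forward, can be modelled in a few lines. The following is an added example written for this page, not Zoom’s code and not the researcher’s proof of concept: it runs a throwaway localhost helper in two variants, one that acts on any request it receives and one that only accepts an explicit POST from an allow-listed web origin. The origin allow-list, the header name and the request path are assumptions made for the demo.

```python
"""
Two versions of a localhost "click-to-join" helper (constructed demo, not vendor code).

A browser's same-origin policy does not stop a web page from *sending* a request
to 127.0.0.1; it mostly limits reading the response. So a helper that acts on
every request it receives can be driven by any page the user happens to visit.
The hardened variant refuses plain GETs (which <img>/<iframe> tags can fire with
no Origin header), requires a custom header (which forces a CORS preflight the
server never approves, since it answers no OPTIONS requests) and checks the
Origin header against an explicit allow-list.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allow-list: only the vendor's own web origin may drive the helper.
TRUSTED_ORIGINS = {"https://meetings.example"}
CUSTOM_HEADER = "X-Helper-Request"  # assumed name; any non-standard header works

# Stand-in for "launch the client and join the meeting": we only record it.
ACTIONS = []


class PermissiveHandler(BaseHTTPRequestHandler):
    """Weak variant: joins a meeting for whoever asks, however they ask."""

    def do_GET(self):
        ACTIONS.append(("join", self.headers.get("Origin"), self.path))
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"joining")

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Hardened variant: explicit POST, custom header and allow-listed Origin only."""

    def do_GET(self):
        # Never act on a GET: image/iframe loads and top-level navigations
        # carry no Origin header, so they cannot be attributed to a site.
        self.send_response(405)
        self.end_headers()

    def do_POST(self):
        origin = self.headers.get("Origin")
        if origin not in TRUSTED_ORIGINS or self.headers.get(CUSTOM_HEADER) != "1":
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"forbidden")
            return
        ACTIONS.append(("join", origin, self.path))
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"joining")

    def log_message(self, *args):
        pass


def send(port, origin, method):
    """Issue one request to the helper and return the HTTP status code."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/join?meeting=123",  # constructed path
        data=b"" if method == "POST" else None,
        method=method,
        headers={"Origin": origin, CUSTOM_HEADER: "1"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(handler_cls, origin, method):
    """Start handler_cls on an ephemeral port, send one request from `origin`,
    and return (status, acted) where acted says whether the helper 'joined'."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    before = len(ACTIONS)
    try:
        status = send(port, origin, method)
    finally:
        server.shutdown()
        server.server_close()
    return status, len(ACTIONS) > before


if __name__ == "__main__":
    print("permissive, untrusted GET :", probe(PermissiveHandler, "https://evil.example", "GET"))
    print("hardened,   untrusted POST:", probe(HardenedHandler, "https://evil.example", "POST"))
    print("hardened,   trusted POST  :", probe(HardenedHandler, "https://meetings.example", "POST"))
```

The client here is urllib, which sends whatever headers it is told to; a real browser would not even deliver the untrusted POST to the hardened handler, because the custom header triggers a preflight that the server does not answer. The example also says nothing about the second half of the problem in the article, the server surviving an uninstall; that is a packaging and uninstall-hygiene issue rather than a request-handling one, and the fix Zoom describes is to remove the server altogether.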
Zoom independently confirmed the vulnerability.
The company addressed the issue on Tuesday afternoon in a statement on its website, where it explained the patch that will fix the problem.
According to Zoom, updating will ‘remove the local web server entirely.’
It will also halt the use of a local web server on Mac devices.
‘Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client,’ Zoom says.
‘Once the update is complete, the local web server will be completely removed on that device.’
The patch will also add a button that allows users to manually uninstall Zoom.
Expert Jonathan Leitschuh said there is a ‘serious zero-day vulnerability’ in the Zoom video-conferencing app on Macs. In a blog post, Mr Leitschuh explained that Zoom implements this insecurely, allowing websites to join you to a call by activating your webcam without permission
Eoin Keary, CEO and co-founder of edgescan, told MailOnline: ‘A vulnerability in any software is unsurprising and can be fixed with a patch prior to disclosure if the vendor addresses the issue in a timely manner.
‘This does not appear to be the case, as the first meeting with the researcher about how the vulnerability would be patched occurred only 18 days before the end of the 90-day public disclosure deadline.
‘What’s unfortunate, invasive and a violation of trust is when the software seems “uninstalled” but really isn’t.
‘This is a breach of transparency and exposes individuals who believe they don’t have the software installed to attacks.
‘Persisting a webserver on a user’s machine whilst giving the impression it’s uninstalled is akin to a malicious threat actor.
‘It’s underhanded and breaches trust boundaries. A very poor decision by the folks at Zoom.’