A significant security issue affecting the Mac client of the popular video conferencing company Zoom has surfaced. The issue was made public by a researcher named Jonathan Leitschuh after a 90-day grace period intended to give Zoom time to fix the problem. The vulnerability could impact a variety of browsers running on Mac computers, including Safari, Chrome, and Firefox.
The flaw would allow a malicious website to initiate a video call on any Mac that has (and in some cases previously had) the Zoom app installed. Depending on the version of Zoom in use, the website could trigger the call with a simple launch action or through an iframe. In his proof-of-concept exploit, Leitschuh demonstrated that clicking a link opens the Zoom client with video enabled unless the user has explicitly turned off video streaming when joining a new meeting. Audio is disabled by default.
Another disturbing fact about Zoom surfaced along with the security issue: Zoom creates and continuously runs a local web server as a background process on the host machine. Zoom implemented that strategy as a "workaround" to changes that Apple made in Safari 12, and says the local web server was an adjustment made in an effort to maintain the app's streamlined user experience.
In every Zoom installation, the local server runs on port 19421, allowing Zoom calls to be initiated and updates to be delivered. Reports indicate that Zoom rarely performs an auto-update despite the always-running server and open port. Making matters worse, uninstalling the Zoom app does not disable the server; it remains active and can reinstall the client app without user interaction. Leitschuh says that simply visiting a web page can trigger re-installation. Zoom has called its use of a local web server a "legitimate" solution to a "poor user experience."
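A Mac owner who wants to know whether that background server is still present, including after uninstalling the app, can check for a listener on port 19421. The script below is an added example written for this article; it is not code from the article or from Zoom. It assumes macOS with the standard lsof tool, and the sample lsof output it runs against offline is constructed (the process name "localsrv" and PID 512 are made up and will differ on a real host).

```shell
#!/bin/sh
# Added example (not from the article or from Zoom): check a Mac for a
# process listening on TCP port 19421, the port the article says the Zoom
# local web server uses, even after the app has been uninstalled.

ZOOM_PORT=19421

# Read lsof-style output on stdin; succeed (exit 0) only if a line shows a
# TCP listener bound to $ZOOM_PORT on any local address (IPv4 or IPv6).
has_listener() {
  grep -E "TCP (\*|127\.0\.0\.1|localhost|\[::1\]):${ZOOM_PORT} \(LISTEN\)" >/dev/null
}

# Print the PID(s) of any such listener from lsof-style output on stdin
# (the PID is the second column of lsof's default output).
listener_pids() {
  grep -E "TCP (\*|127\.0\.0\.1|localhost|\[::1\]):${ZOOM_PORT} \(LISTEN\)" \
    | awk '{ print $2 }' | sort -u
}

# Live check for macOS: lsof is installed by default. -n/-P suppress DNS and
# port-name lookups; -sTCP:LISTEN restricts output to listening sockets.
check_live() {
  lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null | has_listener
}

# Report on one lsof output; returns 1 when a listener is found so the
# function can drive an alert, 0 when the port is clear.
report() {
  if printf '%s\n' "$1" | has_listener; then
    echo "port $ZOOM_PORT has a listener (PID(s): $(printf '%s\n' "$1" | listener_pids))"
    return 1
  fi
  echo "no listener on port $ZOOM_PORT"
  return 0
}

# Constructed sample lsof output for an offline run. The command name and
# PID are invented; a real host will show whatever Zoom's daemon is called.
SAMPLE_LISTENING='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
localsrv   512 alice    5u  IPv4 0xabc       0t0  TCP 127.0.0.1:19421 (LISTEN)'
SAMPLE_CLEAN='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME'

# Offline demonstration on the constructed samples (the "|| :" keeps the
# script going even though report returns 1 when it finds a listener).
report "$SAMPLE_LISTENING" || :
report "$SAMPLE_CLEAN" || :
```

On a real machine, replace the two demonstration calls with `check_live && echo "listener found on $ZOOM_PORT"`; the PID it reports is what to look at (with `ps -p PID`) to confirm which process owns the port before deciding what to do with it.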
So far the fix that Zoom has applied is described as bare-bones and consists of signing HTTP GET requests. Zoom asked for an extension of the 90-day period to fix the issue, but the researcher disclosed the vulnerability anyway, saying that the core issue, the local server, remained in the patch Zoom issued. Zoom has since removed the ability for a host to have participants join a call with video enabled automatically.