Security researcher Jonathan Leitschuh has publicly disclosed a serious zero-day vulnerability in the Zoom video-conferencing app for Mac. He demonstrated that, on a Mac, any website can open a video-enabled call with the installed Zoom app. This is possible in part because the Zoom app installs a web server on the Mac that lets a web page make requests a browser would otherwise block. Even if you uninstall Zoom, the web server persists and can reinstall Zoom without any action on your part.
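Because the local web server outlives an uninstall, the first thing a practitioner wants is a way to tell whether it is still accepting connections. The script below is an added example, not code from the article, from Leitschuh or from Zoom. It assumes the loopback port the Zoom helper daemon listened on, 127.0.0.1:19421, which is a detail from Leitschuh's write-up that the article itself does not state; the port tuple and the function names are the editor's own.

```python
import socket

# Loopback port used by the Zoom helper daemon on macOS. This value comes from
# Leitschuh's write-up, not from the article above; treat it as an assumption
# and add any other local port you want to audit.
ZOOM_LOCAL_PORTS = (19421,)


def port_is_listening(port, host="127.0.0.1", timeout=0.5):
    """Return True if a TCP connection to host:port succeeds.

    A successful connect means some process is accepting connections on the
    loopback interface, which is exactly what a page loaded in your browser
    could also reach with a plain GET request.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:
            # Connection refused or timed out: nothing is listening there.
            return False
        return True


def audit_local_ports(ports=ZOOM_LOCAL_PORTS):
    """Map each port to whether something is listening on loopback."""
    return {port: port_is_listening(port) for port in ports}


def report(results):
    """Print a summary and return the list of ports found open."""
    open_ports = sorted(port for port, listening in results.items() if listening)
    for port in sorted(results):
        state = "LISTENING" if results[port] else "closed"
        print(f"127.0.0.1:{port} {state}")
    for port in open_ports:
        # lsof shows which process owns the socket so you can decide whether
        # it is the Zoom daemon or something else you run on that port.
        print(f"inspect the owning process with: lsof -nP -i :{port}")
    return open_ports


if __name__ == "__main__":
    report(audit_local_ports())
```

An open port is only a hint: the script cannot tell a Zoom daemon from any other local service, so confirm ownership with the suggested `lsof` command before deciding to remove anything. Run it again after uninstalling Zoom; if the port is still listening, the uninstall did not remove the web server.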
Leitschuh details how he responsibly disclosed the vulnerability to Zoom back in late March, giving the company the standard 90 days to fix the issue. By Leitschuh's account, Zoom does not seem to have done enough to resolve the problem. The vulnerability was also disclosed to both Mozilla and the Chromium project, but since it is not a flaw in their browsers, there is little those developers can do about it.
Having your camera turned on without consent is bad enough, but for Mac users the presence of the web server on their computers opens up more serious problems. For instance, in a previous version of Zoom it was possible to mount a denial-of-service attack on Macs by continually pinging the web server. Leitschuh writes, "By only sending repeated GET requests for a bad number, the Zoom app would continuously ask for 'focus' from the OS."
According to the company, it will tweak the app in one small way. Beginning in July, Zoom will save users' and administrators' preference, set when they first join a call, for whether video is turned on or off. In general, it sounds as though Zoom does not plan to radically change how its app behaves on Macs to prevent users from being pulled into an unwanted call, but will instead rely on users turning their cameras off by default.