Zoom has slow-walked a fix for a bug that allows randos to take over your Mac's camera

Originally published at: https://boingboing.net/2019/07/09/wontfix.html


Multi-colored, multi-purpose. Duct tape, for all your security needs.


That’s terrible. I’ve used it in the past, but not for a few years. And yet…I have that webserver running on my machine.


I am a regular Zoom user and I’m aghast at this behavior, which, per Leitschuh’s description, was a shitshow from start to finish. From the company’s failure to even respond to Leitschuh’s original messages, to the lack of seriousness they’ve displayed when it comes to mitigating the defect, to the incredibly poor choice to install a secret webserver on its customers’ computers, to the even worse form in creating an uninstaller that leaves that webserver in place and running in the background after their software is removed, this entire episode inspires great distrust for the company.

And yet, in the good ol’ US of A, one of the major benefits that any large corporation can fall back on, is that it will be a cold day in hell before they are held liable for anything.

Fix now downloadable.

I truly believe that in order to fully protect users, this localhost web server solution needs to be removed. Alternative methodologies like registering custom URI handlers (for example, a zoom:// URI handler) with the browsers are a more secure solution. When these URI handlers are triggered, the browser explicitly prompts the user for confirmation about opening the app. According to the Zoom team, the only reason this localhost server continues to exist is that Apple’s Safari doesn’t support URI handlers.

On top of everything else, this is a lie. Safari absolutely does support custom URI handlers. It just prompts you for permission whenever one of those handlers tries to launch an application. So Zoom is not only lying, they’re doing this to circumvent an actual OS security feature.

1 Like
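Added example, not from this thread or from Zoom: a small Python check for the class of problem described above, a helper web server quietly listening on loopback that any page in the browser can reach. It scans a range of 127.0.0.1 ports, sends a bare HTTP request to anything that accepts a connection, and reports the status line and Server header so a leftover daemon can be spotted after an uninstall; the demo server it starts is a constructed stand-in, not Zoom's daemon, and the default port range is an assumption.

```python
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread


def probe_http(port: int, timeout: float = 0.5):
    """Return (status line, Server header) if 127.0.0.1:port answers HTTP, else None."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            data = b""
            while len(data) < 4096:          # read until the server closes or we have enough
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:                           # refused, timed out, or reset: nothing to report
        return None
    if not data.startswith(b"HTTP/"):         # something listens, but it is not speaking HTTP
        return None
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    server = next((l.split(":", 1)[1].strip() for l in lines[1:]
                   if l.lower().startswith("server:")), "")
    return lines[0], server


def find_local_http_servers(first: int, last: int):
    """Scan loopback ports first..last inclusive; map port -> (status, server)."""
    found = {}
    for port in range(first, last + 1):
        result = probe_http(port)
        if result:
            found[port] = result
    return found


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a hidden helper daemon (not Zoom's code)."""
    server_version = "demo-local-helper"      # constructed Server header value
    sys_version = ""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):             # keep the demo quiet
        pass


def start_demo_server() -> int:
    """Start the constructed daemon on a free loopback port and return that port."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    port = start_demo_server()
    for p, (status, server) in find_local_http_servers(port - 2, port + 2).items():
        print(f"127.0.0.1:{p} -> {status} (Server: {server or 'unknown'})")
```

Run against a real machine, a wider range such as the unprivileged ports over 1024 takes longer but turns up every loopback HTTP listener, which you can then map back to a process with lsof or your endpoint tooling.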

90 days of foot-dragging, then a day-one fix when named and shamed, when they finally realize from widespread public outcry that this massive flaw could trash the company’s smug success. They should have done this months ago :-/

1 Like

No argument from me.

Apple did not take kindly to this news, it would seem.

This update was pushed through the XProtect service used to kill off malware. In conjunction, it sounds like Zoom has also pushed an update for their client that kills off the web server as well and makes use of a custom URI handler (the thing they’d previously said Safari didn’t support… weird.) to launch the app from a website – a standard behavior that they should have conformed to in the first place, but worked around because Safari asks for explicit user confirmation before blithely launching an arbitrary third-party application.

1 Like
