30 votes

The Mac client for Zoom (video-conferencing app) allows any site to enable your camera and connect you to a call, and leaves a web server running on your machine even if you uninstall it

4 comments

  1. ammut Link
    This is a huge deal. Zoom has been taking strides to become the #1 conference platform. This will set them back quite a bit.

    This is a huge deal. Zoom has been taking strides to become the #1 conference platform. This will set them back quite a bit.

    9 votes
  2. [2]
    Deimos Link
    A couple of official responses from Zoom: Blog post: Response to Video-On Concern "Public statement" (PDF): https://assets.zoom.us/docs/pdf/Zoom+Response+Video-On+Vulnerability.pdf

    A couple of official responses from Zoom:

    5 votes
    1. spit-evil-olive-tips (edited ) Link Parent
      From their blog post: Bullshit. Fixed it for them:

      From their blog post:

      This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.

      Bullshit.

      Fixed it for them:

      This is our attempt at circumventing a new security feature in Safari 12 that requires a user to confirm their intentions before a website could start up arbitrary code as that user on that machine. We believe that we're more important than this security feature, so we figured out a way to get around it. Our competitors also open up gigantic security holes in your system without telling you, so if this makes you feel like switching away from us to another video-conferencing provider, lol don't bother

      23 votes
  3. Deimos Link
    Zoom's response blog post has a number of updates at the top now, including saying that they released an update about an hour and a half ago that totally removes the local webserver.

    Zoom's response blog post has a number of updates at the top now, including saying that they released an update about an hour and a half ago that totally removes the local webserver.

    1 vote