Facepalm: Following intense pressure from the media, security community, and its users, video conferencing provider Zoom has issued an emergency patch to address a zero-day vulnerability that it previously considered “low-risk.”
As you may recall, we reported on Tuesday that a security researcher had discovered that video conferencing app Zoom for macOS could be used to hijack a computer’s webcam somewhat easily. The vulnerability is facilitated by a local web server that Zoom installs on the device to make it possible to join meetings with one click.
However, a malicious website can exploit the web server by sending it a request for a video feed. Zoom was informed of the exploit but said that it did not plan to remove the feature because it was a “legitimate solution” that other service providers have used as well.
Only hours after media accounts began going live, Zoom surprisingly reversed its stance and pushed out an immediate patch to fix the security issue followed by an official statement.
“We appreciate the hard work of the security researcher in identifying security concerns on our platform. Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”
The update comes in two parts. The first part, which is available now from the company’s download page, “completely” removes the local web server from the Mac once the client app is updated. It also allows users to manually uninstall Zoom using a menu option in the client software. This uninstall feature removes both the app and the web server.
The second part of the update will roll out this weekend on July 12. It will address the issue of video being on by default. For new users, the “Always turn off my video” checkbox in the client settings will be checked by default. It was previously unchecked. Existing users will need to go into the preferences and change this manually, and the software will now save these settings — something it did not previously do.
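Since the first part of the update is supposed to remove the local web server entirely, a defender will want a quick way to confirm on a patched Mac that nothing Zoom-owned is still accepting connections on localhost. The script below is an added example written for this article; it is not Zoom's code and the article does not describe any such check. It parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (a standard lsof invocation) and reports every listener bound to the loopback interface or to all interfaces, flagging processes whose command name looks Zoom-related. The nine-column lsof layout, the name-matching heuristic and the sample output are all assumptions made for the example; the sample lines, including the port numbers, are constructed rather than captured from a real machine.

```python
"""Audit localhost listeners after the Zoom for macOS web-server removal.

Added example, not code from the article or from Zoom. It reads the
output of `lsof -nP -iTCP -sTCP:LISTEN` and reports listeners that a
browser on the same machine could reach, flagging Zoom-related ones.
"""
import re
import shutil
import subprocess
from typing import Dict, List

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output. The process
# names, PIDs, devices and ports are made up for this example.
SAMPLE_LSOF = """\
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpener  4242  alice   12u  IPv4 0x1234567890abcdef      0t0  TCP 127.0.0.1:19999 (LISTEN)
rapportd    311   alice    4u  IPv4 0xabcdef1234567890      0t0  TCP *:49152 (LISTEN)
python3     5150  alice    3u  IPv6 0x0fedcba987654321      0t0  TCP [::1]:8000 (LISTEN)
"""

# NAME column for a listener that is reachable from localhost: either an
# explicit loopback bind or a wildcard bind (which also answers on loopback).
LOCAL_BIND_RE = re.compile(
    r"^(?P<host>\*|127\.\d+\.\d+\.\d+|localhost|\[::1\]|\[::\]):(?P<port>\d+) \(LISTEN\)$"
)

# Assumed heuristic: any command name containing "zoom" counts as Zoom-related.
ZOOM_HINT = "zoom"


def local_listeners(lsof_text: str) -> List[Dict]:
    """Return listeners from lsof output that a local browser could reach.

    Assumes the usual nine-column lsof layout (COMMAND PID USER FD TYPE
    DEVICE SIZE/OFF NODE NAME); NAME may contain spaces, so it is taken
    as the remainder of the line.
    """
    findings = []
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue  # malformed or truncated line; ignore
        command, pid, user, _fd, _type, _device, _size, node, name = parts
        if node != "TCP":
            continue
        match = LOCAL_BIND_RE.match(name)
        if not match:
            continue
        host = match.group("host")
        findings.append({
            "command": command,
            "pid": int(pid),
            "user": user,
            "port": int(match.group("port")),
            "bind": "all" if host in ("*", "[::]") else "loopback",
            "zoom_related": ZOOM_HINT in command.lower(),
        })
    return findings


def zoom_listeners(lsof_text: str) -> List[Dict]:
    """Only the Zoom-related entries; an empty list is the expected post-patch state."""
    return [f for f in local_listeners(lsof_text) if f["zoom_related"]]


def main() -> None:
    # Use live lsof output when available, otherwise fall back to the sample.
    text = SAMPLE_LSOF
    if shutil.which("lsof"):
        try:
            text = subprocess.run(
                ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                capture_output=True, text=True, check=False,
            ).stdout or SAMPLE_LSOF
        except OSError:
            pass
    for f in local_listeners(text):
        flag = "  <-- Zoom-related" if f["zoom_related"] else ""
        print(f"{f['command']:<14} pid={f['pid']:<6} port={f['port']:<6} bind={f['bind']}{flag}")
    if not zoom_listeners(text):
        print("No Zoom-related local listeners found.")


if __name__ == "__main__":
    main()
```

Run it without arguments on the patched Mac; the expected result after the first part of the update is that no Zoom-related listener is printed. Wildcard (`*`) binds are included deliberately, since a server bound to all interfaces answers on loopback too and is therefore just as reachable from a web page as an explicit 127.0.0.1 bind.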
Ultimately, the voice of users and security professionals led Zoom to decide that the risks outweighed the convenience provided by the local web server.