After initially brushing off security concerns raised by a software engineer who went public with his findings, Zoom Video Communications is stepping up its response. It plans to make a patch available within hours to let Mac users access Zoom’s video-calling technology without also downloading a local web server.
The server was lurking in the background on Mac devices, and stayed there even when the user had uninstalled Zoom. Security researcher Jonathan Leitschuh warned that the server was exploitable by attackers who could re-install the Zoom app and connect users to a Zoom call—and even view the users’ video if their webcams had been set to automatically turn on when joining a call.
Zoom at first defended the use of the limited-function web server, calling it “a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting.” The server eliminated the need for the extra click, allowing Zoom to uphold its promise of “one-click-to-join” meetings. “We are not alone among video conferencing providers in implementing this solution,” the company noted on its blog.
But hours later, the company reversed course and announced plans for a patch that will remove the local web server once the software has been updated, and allow users to manually uninstall both Zoom and the web server. The San Jose, California-based company said the patch would be available by midnight Pacific time.
Once the update is released, Mac users will be prompted in the Zoom app to update their client. When the update is complete, the local web server will be completely removed on that device, according to the company. What isn’t yet clear is how the fix will affect Zoom’s signature “frictionless” video experience.
On July 12, Zoom will release another update that will allow first-time users who select the “always turn off my video” box to have that preference saved automatically for all future meetings. The company emphasized that if a user has turned video off in the settings, neither the host nor any other participant can override that preference.
The question now is: What happens to people who do not launch the app in order to receive the update? Many of the 4 million Zoom users may still be running a local web server even after these fixes.