By John Gruber
Jonathan Leitschuh:
This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.
On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.
Any architecture that requires a localhost web server is questionable at best. (That means every Mac with Zoom installed is running a web server.) But the fact that Zoom implemented it in a way such that the web server was still there, still running, even when you deleted the Zoom app, is morally criminal, and should be legally criminal. No one who understands how this worked could possibly have thought this was ethical. Install the app, try the app, delete the app — you expect all traces of the app to be gone. Not only did Zoom leave something behind, it left behind a web server with serious security vulnerabilities. I’m not prone to histrionics but this is genuinely outrageous — not even to mention the fact that Leitschuh reported this to Zoom months ago and Zoom effectively shrugged its corporate shoulders.
If you ever installed Zoom, I’d go through the steps to eradicate it and never install it again.
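The post's point that "every Mac with Zoom installed is running a web server", one that outlived the app itself, generalises to any background helper that binds a loopback port. The following shell script is an added example, not part of the post and not Zoom's or Leitschuh's code: it lists every TCP listener bound only to the loopback interface, resolves the executable behind each PID, and flags executables that live under the user's home directory or no longer exist on disk, which is how an orphaned helper of a deleted app tends to look. It assumes `lsof` is installed (true by default on macOS and most Linux distributions); no Zoom-specific paths or port numbers are used, since the post names none.

```bash
#!/usr/bin/env bash
# Added example (not from the post): audit loopback-only TCP listeners and
# show which executable backs each one. Run with --live to inspect this host.

# Parse `lsof -nP -iTCP -sTCP:LISTEN` output from stdin and print
# "<command> <pid> <port>" for every listener bound to a loopback address.
# Listeners on all interfaces ("*:port") are deliberately not reported.
loopback_listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" {
        name = $(NF-1)                       # e.g. 127.0.0.1:54321 or [::1]:8080
        port = name; sub(/.*:/, "", port)    # keep text after the last colon
        host = name; sub(/:[^:]*$/, "", host)
        if (host == "127.0.0.1" || host == "[::1]" || host == "localhost")
            print $1, $2, port
    }'
}

# Resolve the executable path for a PID: /proc on Linux, ps on macOS
# (where `ps -o comm=` prints the full path of the binary).
executable_for_pid() {
    if [ -r "/proc/$1/exe" ]; then
        readlink "/proc/$1/exe"
    else
        ps -o comm= -p "$1"
    fi
}

# Classify an executable path. A server started from a user's home directory
# is not something a package manager or the OS put there, and one whose binary
# is gone from disk is a process that survived its own "uninstall".
classify_path() {
    case "$1" in
        "$HOME"/*) echo "user-home" ;;
        *) if [ -e "$1" ]; then echo "ok"; else echo "missing-on-disk"; fi ;;
    esac
}

# Live audit of the current host; prints one line per loopback listener.
audit_live() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not found" >&2; return 1; }
    lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | loopback_listeners |
    while read -r cmd pid port; do
        exe=$(executable_for_pid "$pid")
        printf '%-12s pid=%-6s port=%-5s %-15s %s\n' \
            "$cmd" "$pid" "$port" "$(classify_path "$exe")" "$exe"
    done
}

if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Any line tagged `user-home` or `missing-on-disk` deserves a look: a legitimate system service normally runs from a vendor-owned location that is still present, whereas a helper left behind by an uninstalled app typically runs out of a dotfolder in the home directory. The script only reports; deciding what to stop and delete remains a manual step.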
★ Wednesday, 10 July 2019