In fact, in addition to the obvious privacy impact of this flaw, a secondary aspect is that any webpage could hang a user's Mac simply by "repeatedly joining a user to an invalid call".
Leitschuh wrote that Zoom had not heeded his warnings for months and only implemented a partial fix at the last minute, whereas the company told ZDNet on Monday the technique was an "official resolution to a poor user experience" resulting from adjustments in Safari 12 (namely, a privacy protection feature that forced users to verify they actually wished to launch Zoom). "We expect the web server issue to be resolved today", Zoom spokeswoman Priscilla McCarthy told TechCrunch. The server continues to run even when a Mac user uninstalls Zoom.
This local web server not only keeps running in the background but also re-installs the Zoom client as soon as the user's Mac receives a request to join a video call - a request that can easily be buried in a malicious web page.
Mr Leitschuh wrote: "Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner". Now, according to a report by TechCrunch, Apple has silently pushed out a macOS update that removes the Zoom web server. That's not a security concern.
By Wednesday, that differentiator was reduced, as the company announced in a heavily updated blog post that it would walk back its local web server support in a patch prepared for Tuesday night. "A very poor decision by the folks at Zoom". Zoom was informed of the exploit but said that it did not plan to remove the feature because it was a "legitimate solution" that other service providers have used as well.
Meeting joins happen all the time.
In a blog post Tuesday, Zoom said it planned to disable the web server feature, which was originally created to make it easier for users to join meetings without extra clicks.