San Jose, Calif. (KTVU) - Video conferencing app Zoom issued a quick fix to a live vulnerability Tuesday in its Mac client after it was revealed by a security researcher.
The zero-day vulnerability (a vulnerability that hasn't yet been patched through a software update) was revealed by security researcher Jonathan Leitschuh in a Medium post Monday. It would have let any malicious website to force a video call without the user's permission, and affected an estimated four million Mac users, Leitschuh said.
"If you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage," said Leitschuh. "This re-install ‘feature' continues to work to this day." His write-up describes his experience in responsibly disclosing the vulnerability to Zoom, and its failure to comply with the 90-day public disclosure deadline.
He included a proof of concept of the vulnerability, a URL which would activate a zoom video call. He also included instructions for disabling Zoom's ability to turn the webcam on, and terminal commands for shutting down Zoom's web server and removing the web server application files.
Zoom has been proactive in its response to the disclosure – quickly issuing a patch that removes the use of a local web server on Mac devices. The update also adds an option to completely uninstall the Zoom client, including the local web server. Furthermore, Zoom said in a blog post that an upcoming release will allow users to select "Always turn off my video" in their video preferences, which would turn video off by default for future calls.
The San Jose-based company is one of the rising stars from the tech IPO season this year, and currently has a market cap of almost $25 billion.