Sometimes, it only takes the security experts, the media, and users to collectively say “hell no” to make a company reconsider a controversial feature.
After a security researcher had discovered a flaw in videoconferencing service Zoom’s Mac client, stemming from the fact that the client installs a web server on the user’s computer, Zoom initially held its ground, saying the vulnerabilities found are “low risk” and calling the web server a “legitimate solution.”
But just one day later, Zoom reversed course, issuing a patch that fully removes the local web server entirely, thus solving the security flaws as well.
The update also allows users to manually uninstall Zoom, and the company said it would soon launch an additional patch that would solve the issue of video being on by default, adding a new “always turn off my video” option.
“Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service,” Zoom said in an update to its original blog post.
Zoom’s controversial usage of a local web server — allegedly to bypass a Safari issue — allowed the company to improve the user experience, but it also opened up potential for misuse, including starting a call on someone’s computer, with video on, without their permission. After being alerted to the hack, the company issued a fix, but that fix was easily defeated. The best possible fix was to remove the web server portion of the app altogether, and now the company has done that — although not without a lot of arm-twisting.
We highly encourage Zoom users to update their software to the latest version (4.4.53932.0709), which is available here.