Apple pushes silent macOS update to remove hidden Zoom web server

Sheri Evans
July 12, 2019

The update removes the web server from any Mac that has the Zoom software installed.

"Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage", the researcher warned.

In a move that Daring Fireball's John Gruber justifiably describes as "criminal", it seems that Zoom leaves risky pieces of itself behind, in the form of a local web server, even after a user would have every reason to believe they've uninstalled it. Zoom also said that it will tweak the app so that it saves the user's and administrator's preferences for whether video is turned on when they first join a call.

A vulnerability was discovered in the Zoom video conferencing app that could have allowed a hacker to gain access to the webcam on Apple's Mac range of computers. The server continues to run even after a Mac user uninstalls Zoom. The update, first reported by TechCrunch, was confirmed to Information Security Media Group by Apple.

Users were not thrilled by the proposed tweak, causing Zoom to release a complete patch for the vulnerability, according to Wired. If someone had uninstalled Zoom and then clicked a meeting link, the local web server would reinstall Zoom.

Zoom initially defended its decision to install the web server, stating it allowed users to join Zoom meetings with one click. "But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service".

Leitschuh wrote that Zoom had failed to heed his warnings for months and only implemented a partial fix at the last minute, while the company told ZDNet on Monday the technique was a "legitimate solution to a poor user experience" due to changes in Safari 12 (namely, a privacy protection feature that forced users to verify they actually wanted to launch Zoom). But it eventually walked that position back and released an emergency patch to remove the local web server completely.

Leitschuh's code worked because Zoom made a controversial design decision.

According to reports about the Zoom functionality issue, simply uninstalling Zoom from your Mac might not have been enough to correct the problem. "This was the most foolproof way to get this done so we appreciated Apple's collaboration in this matter", it says.
