After initially saying that it wouldn’t issue a full fix for a vulnerability disclosed on Monday, the video conferencing service Zoom has changed course. The company now tells WIRED that it will push a patch on Tuesday night to alter Zoom’s functionality and eliminate the bug. You should update Zoom as soon as the patch is live.
The Zoom controversy stems from the service’s slippery video streaming settings that launch instantly on Macs when users join a call. Late Monday evening, the company published an extensive statement defending the practice and addressing other bugs found by security researcher Jonathan Leitschuh. But it declined to fully address the concern that an attacker could distribute a malicious Zoom call URL, trick users into clicking it, and then open a channel to their lives when their webcam automatically activated. Zoom originally said that it would adjust the settings by which a user chooses to launch video by default with every call.
That proposed tweak did little to mollify critics, who pointed to Zoom’s casual use of a local web server on Mac computers. That feature allowed Mac users to join meetings seamlessly, but potentially created the risk of remote code execution attacks, and circumvented a Safari feature that exists precisely to expand privacy protections.
“I’m seriously considering blocking the port used for that web server,” Mac researcher Thomas Reed told WIRED on Tuesday before Zoom announced the change. David Wells, a researcher who has evaluated Zoom security before, called Leitschuh’s findings “downright creepy.”
On Tuesday afternoon, company CEO Eric Yuan told Leitschuh and other researchers that Zoom would remove the local web server functionality it was using to bypass protections in Safari and facilitate instant meeting joins. Yuan shared the news in one of the Zoom meetings Leitschuh had created as a malicious proof of concept.
“He came in and chatted with us and apologized and made a full about-face,” Leitschuh says.
Zoom has since confirmed that Tuesday night’s patch will totally remove the local web server functionality. The company says that it is “stopping use” of this feature going forward. Zoom users will receive a prompt in the Zoom desktop app to download the update. Additionally, the patch will add a menu option to enable full, manual uninstall of Zoom. This seems to be targeted at an additional concern about the local web server, which was that it persisted on users’ devices even after they uninstalled Zoom. This meant that it could act as a sort of conduit, allowing the application to automatically reinstall itself if a user deleted the Zoom app and then later clicked a Zoom call URL.
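The practical worry in the paragraphs above is an application leaving a web server listening on the loopback interface, one that can outlive the app itself. A defender's first check is simply to enumerate what is listening on localhost and flag anything that is not an expected service. The script below is an added example written for this article, not Zoom's code and not from WIRED; it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (the standard macOS tool) and reports loopback-only listeners that are not on an allowlist. The sample output embedded in it is constructed: the process name `ExampleSvc`, its PID and its port are invented placeholders, and the article itself does not give the port Zoom's server used, so the allowlist is something the reader fills in for their own machine.

```python
"""Audit loopback TCP listeners on a Mac using only the standard library.

Added example for illustration; not Zoom's code and not from the article.
Assumes `lsof -nP -iTCP -sTCP:LISTEN` is available (it ships with macOS)
and that ALLOWLIST names the local services the reader expects to see.
"""
import re
import subprocess
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output. The process
# names, PIDs and ports are invented for illustration only.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
sshd        123  root    4u  IPv4 0x1a2b3c4d      0t0  TCP *:22 (LISTEN)
ExampleSvc  456  alice   9u  IPv4 0x1a2b3c4e      0t0  TCP 127.0.0.1:54321 (LISTEN)
mysqld      789  alice  12u  IPv6 0x1a2b3c4f      0t0  TCP [::1]:3306 (LISTEN)
"""

# One lsof line: command, pid, user, then "TCP <addr>:<port> (LISTEN)".
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+).*?"
    r"TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)

# Addresses that mean "reachable only from this machine".
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}

# (command, port) pairs the reader has verified as legitimate. Placeholder
# entry only; replace with what is expected on the machine being audited.
ALLOWLIST: FrozenSet[Tuple[str, int]] = frozenset({("mysqld", 3306)})


def parse_listeners(text: str) -> List[Dict]:
    """Turn raw lsof output into a list of listener records."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:  # header line or a row that is not a TCP listener
            continue
        found.append({
            "cmd": m["cmd"],
            "pid": int(m["pid"]),
            "user": m["user"],
            "addr": m["addr"],
            "port": int(m["port"]),
        })
    return found


def loopback_listeners(listeners: List[Dict],
                       allowlist: FrozenSet[Tuple[str, int]] = frozenset()) -> List[Dict]:
    """Return loopback-only listeners whose (command, port) is not allowlisted.

    Wildcard binds such as *:22 are reachable from the network and are a
    separate concern, so they are left out of this particular report.
    """
    return [
        entry for entry in listeners
        if entry["addr"] in LOOPBACK and (entry["cmd"], entry["port"]) not in allowlist
    ]


def run_lsof() -> str:
    """Run lsof on the local machine and return its stdout (empty if unavailable)."""
    try:
        result = subprocess.run(
            ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return ""
    return result.stdout


if __name__ == "__main__":
    # Prefer live data; fall back to the constructed sample so the script
    # demonstrates its output even where lsof is not present.
    raw = run_lsof() or SAMPLE_LSOF
    for entry in loopback_listeners(parse_listeners(raw), ALLOWLIST):
        print(f"unexpected loopback listener: {entry['cmd']} (pid {entry['pid']}, "
              f"user {entry['user']}) on {entry['addr']}:{entry['port']}")
```

Anything this reports deserves a second look: which binary owns the PID, whether the app that installed it is still present, and whether the listener survives an uninstall, which is exactly the behaviour the article describes. Blocking the port, as Thomas Reed considered, treats the symptom; confirming the process is gone after the update is the check that matters.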
Zoom is also moving ahead with the tweak it announced on Monday night that will give users more control over their default setting for auto-join video. That update will go out on July 12.
“On the one hand it took over 100 days for them to actually take this seriously and it required public outcry,” Leitschuh says. “On the other hand it’s a really good thing to see that a company can apologize for their mistakes and be willing to work with the community and researchers. It’s now on all of us to hold them accountable.”
In recounting its months-long interaction with Leitschuh, Zoom said in its Monday statement, “Our Security and Engineering teams engaged the researcher and were in frequent contact over the subsequent period. This engagement included disagreement about the severity of the meeting join concern. Ultimately, Zoom decided not to change the application functionality.”
The company seems to have pivoted in just a few hours, though, perhaps because of unexpected uproar from users, even those outside the technical community.