By now you’ve probably seen mention of this security hole, but it’s worth checking out the blog post from Jonathan Leitschuh, the researcher who uncovered it. It’s a fairly technical piece, but here’s the crux:
The local client Zoom web server is running as a background process, so to exploit this, a user doesn’t even need to be “running” (in the traditional sense) the Zoom app to be vulnerable.
All a website would need to do is embed the above in their website and any Zoom user will be instantly connected with their video running. This is still true today!
Yeah, this is pretty bad. It’s a classic example of Malcolm’s Maxim. There’s always a balance between convenience and security, but here the balance has tipped so far toward the former that it has compromised the latter.
Any time your answer to removing obstacles for users involves installing a silent webserver with an undocumented API that persists even if users uninstall the app in question, well, maybe rethink that.
In the meantime, if you’re looking to mitigate the possibility of this loophole being exploited, the post linked above offers a couple of solutions, ranging from the simple to the more technical. Zoom, for its part, has defended its behavior, saying that it’s “a legitimate solution to a poor user experience problem.”
Updated at 9:08am Eastern to add info about fixing the hole and Zoom’s response.