By Jason Snell
July 10, 2019 11:35 AM PT
Zoom saved you a click—by giving you a security hole
Note: This story has not been updated for several years.
So a security researcher noticed that business videoconferencing app Zoom was doing a bunch of bad stuff that left Mac users potentially vulnerable to privacy and security breaches.
My guess is that Zoom’s original sin comes out of its corporate culture, which is focused on competing in a pretty cutthroat industry with demanding clients (IT managers) and not particularly technically literate customers (the individual business users). There’s probably a great fear of losing business to other businesses who can boast about running video meetings with ever less friction to the user.
And then Apple comes along and introduces a security feature to Safari that requires a confirmation click when any link in a web browser attempts to open an external app. Zoom, which likes to pass around web links as a way of driving users into conference calls, didn’t look at this security measure as something to help keep their customers secure—it viewed it as an addition of friction by the platform owner.
Zoom’s response was to build a secret local web server, which allowed Zoom to rewrite its hyperlinks to connect to a web server instead of an app—so the web server could bypass Safari’s security and launch the app without a second click.
I use Zoom because it’s a superior product to Skype for the large-panel podcasting that I do[1], but this issue gives me pause—and not because of the specific details of this event. No, it’s for what this says about Zoom’s priorities as a company. When the platform owner decides that web links shouldn’t open other apps without an approval click—a pretty sensible security measure—the corporate response shouldn’t be to bypass that click by invisibly installing a hidden server that’s a potential security hole.
Perhaps Zoom got a call from someone at Apple yesterday, indicating that the click-to-confirm Safari feature is intended to be used and that bypassing it is not cool. Zoom’s app is not in the App Store, so Apple’s control over the company is somewhat limited… but Apple does have built-in malware protection it could bring to bear. And in the future, Apple will have the power to kill specific versions of specific apps by default on macOS. Third-party software developers circumvent the Mac’s platform security features at great risk to their own businesses.
In any event, Zoom has rolled out an update that removes the local web server, adds a de-install feature, and allows users to permanently set a setting that turns video off by default. (Zoom had months to address these issues after being alerted to them by a security researcher, and didn’t. I have a hard time believing they will make the right choices in the future without a pretty major cultural shift.)
You can read the details about the updates on a rather amazing Zoom blog post which has been updated four times as of this writing. The initial response, at the bottom, is an arrogant shoulder shrug that attempts to portray the security researcher as a silly busybody. Scroll up from there to see the increasing realization inside Zoom that their successive responses just keep failing to measure up.
[Update: Did someone mention “built-in malware protection”? TechCrunch reports that Apple has killed Zoom’s invisible web server across all versions, so even users who haven’t updated to the latest version will no longer have that server running in the background.]
1. Zoom lets me automatically record discrete audio tracks for each person on a call, something Skype still can’t do. This feature has saved me four times already this year. Few cross-platform tools with this feature can handle large groups. I’ll keep looking, though.