For Zoom, the hits just keep on coming. The latest is the arrival of a long-mooted remote code execution (RCE) exploit that is said to be harboured in the controversial local web server which had been installed on Macs to avoid an extra click for users.
The researcher who began the debacle for Zoom, Jonathan Leitschuh, said on Twitter on Friday that an RCE now existed for it.
"That @zoom_us daemon (hidden web server) is now known to have a Remote Code Execution Vulnerability!" he wrote.
"Mac Admins: make sure Zoom is up to date or that daemon is removed!
"Specifically, you are vulnerable if you've uninstalled the Zoom application from your computer without killing the ZoomOpener process and then deleting `~/.zoomus` directory."
The exploit is set to be handled the CVE-2019-13567 label.
At the start of the furor, Zoom defended the use of the web server, saying to ZDNet in a statement that it was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator".
The following day, Zoom said it would walk back its local web server support in a patch prepared for Tuesday night.
Zoom told ZDNet previously its change in course was in response to customer feedback, not security concerns.
"There was never a remote code execution vulnerability identified," the company said two days ago.
"Zoom decided to remove the web server based on feedback from the security community and our users."
Leitschuh said at the start of the week the use of the local server was a fundamental security vulnerability, and sites should not communicate with applications in such a fashion.
"Let me start off by saying having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me," he wrote.
"Secondly, the fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me as a Security Researcher."