Researcher says Zoom web server is vulnerable to remote code execution

If the Zoom web server is still lurking on your Mac, best delete it now.
Written by Chris Duckett, Contributor

A screen shot of Zoom's transcript feature.

For Zoom, the hits just keep on coming. The latest is the arrival of a long-mooted remote code execution (RCE) exploit that is said to be harboured in the controversial local web server which had been installed on Macs to avoid an extra click for users.

The researcher who began the debacle for Zoom, Jonathan Leitschuh, said on Twitter on Friday that an RCE now existed for it.

"That @zoom_us daemon (hidden web server) is now known to have a Remote Code Execution Vulnerability!" he wrote.

"Mac Admins: make sure Zoom is up to date or that daemon is removed!

"Specifically, you are vulnerable if you've uninstalled the Zoom application from your computer without killing the ZoomOpener process and then deleting `~/.zoomus` directory."
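As an added illustration of the check Leitschuh describes (not code from the article, from Leitschuh or from Zoom), the following POSIX shell script looks for the two leftovers he names, a running `ZoomOpener` process and a `~/.zoomus` directory, and can remove them. The home directory is passed as an argument so the check can be pointed at any user's home; the function and option names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: detect and clean up the Zoom leftovers
# named in the quote above (the ZoomOpener process and the ~/.zoomus directory).

# Report leftovers under the given home directory.
# Returns 0 when nothing remains, 1 when the process or the directory is found.
zoom_residue_check() {
    home="$1"
    found=0
    # pgrep -x matches the exact process name; a missing pgrep counts as "not running"
    if pgrep -x ZoomOpener >/dev/null 2>&1; then
        echo "ZoomOpener process is running"
        found=1
    fi
    if [ -d "$home/.zoomus" ]; then
        echo "$home/.zoomus still exists"
        found=1
    fi
    return "$found"
}

# Stop the ZoomOpener process (if any), then delete the .zoomus directory.
# pkill exits non-zero when nothing matched, which is not an error here.
zoom_residue_remove() {
    home="$1"
    pkill -x ZoomOpener 2>/dev/null || true
    rm -rf "$home/.zoomus"
}

# Usage: run the check against the current user's home;
# pass "--remove" (this script's own option) to clean up first.
if [ "${1:-}" = "--remove" ]; then
    zoom_residue_remove "$HOME"
fi
zoom_residue_check "$HOME" || echo "Zoom leftovers found; rerun with --remove to clean up"
```

Running it with no arguments only reports; the removal step is deliberately opt-in so an admin can review what is present before deleting anything.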

The exploit is set to be handed the CVE-2019-13567 label.

One Twitter user showed off the exploit in action.

On Thursday, Apple rolled out a silent update that killed off Zoom using its malware removal infrastructure.

At the start of the furor, Zoom defended the use of the web server, saying to ZDNet in a statement that it was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator".

The following day, Zoom said it would walk back its local web server support in a patch prepared for Tuesday night.

Zoom told ZDNet previously its change in course was in response to customer feedback, not security concerns.

"There was never a remote code execution vulnerability identified," the company said two days ago.

"Zoom decided to remove the web server based on feedback from the security community and our users."

Leitschuh said at the start of the week the use of the local server was a fundamental security vulnerability, and sites should not communicate with applications in such a fashion.

"Let me start off by saying having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me," he wrote.

"Secondly, the fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me as a Security Researcher."
