Zoom reverses course to kill off Mac local web server

Less than a day after backing its approach to get around Safari restrictions on Mac, Zoom's local web server is no more.

zoom-screen-sharing.jpg

Zoom has decided to kill off its controversial local web server on Mac devices that allows users of the video conferencing software to avoid an extra click to get into a meeting.

On Tuesday, Zoom defended the use of the server, saying to ZDNet in a statement that it was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator".

By Wednesday, that differentiator was reduced, as the company announced in a highly-updated blog post that it was walking back its local web server support in a patch prepared for Tuesday night.

"Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client," Zoom said.

"Once the update is complete, the local web server will be completely removed on that device."

The company told ZDNet on Wednesday, the change of course was in response to customer feedback, not security concerns.

"There was never a remote code execution vulnerability identified. Zoom decided to remove the web server based on feedback from the security community and our users," it said.

"Even for those who did not upgrade, Zoom will not use the local web server to join meetings automatically anymore as we have disabled it on our backend."

The patch would also allow users to "manually and completely" uninstall the Zoom client from their Macs. With the local web server in place, if a user uninstalled Zoom but the server was still running in the background, Zoom would be reinstalled when a meeting link was clicked.

Zoom is also planning to release an update on July 12 that will save a new user's preference for whether to enable video by default or not.

These changes were detailed in a 1:15pm Pacific Time update, however five hours earlier, the company said it did not have a way to nicely uninstall the software.

"We do not currently have an easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client. The user needs to manually locate and delete those two apps for now," it said.

"This was an honest oversight."

Zoom was responding to findings by security researcher Jonathan Leitschuh, who detailed his issues in a blog post.

"Let me start off by saying having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me," Leitschuh wrote.

"Secondly, the fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me as a Security Researcher."

The security researcher said the use of the local server was a fundamental security vulnerability, and sites should not communicate with applications in such a fashion.

"Having every Zoom user have a web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom," he wrote.

Thanks to the report, Leitschuh said Zoom also removed the ability for a call host to automatically have participants join with video enabled.

"Zoom did end up patching this vulnerability, but all they did was prevent the attacker from turning on the user's video camera. They did not disable the ability for an attacker to forcibly join to a call anyone visiting a malicious site," the security researcher wrote.

After his experience with Zoom, Leitschuh recommended that researchers do not report vulnerabilities to the vendor, and instead use the Zero Day Initiative.

Updated at 2.30pm AEST, 10 July 2019: added comments from Zoom.

Related Coverage