The flaw abuses Zoom's click-to-join feature. Exploiting it can force users to join a meeting with their webcams enabled, without their permission, if they click a specially crafted link in the browser.
The vulnerability exists because Zoom installs a local web server that runs in the background on Macs. This web server has poor security, and any website a user visits can interact with it and make changes to the user's machine. More troubling, even if a user uninstalls Zoom, the web server remains active and can be used to reinstall the Zoom client when the user visits a website.
Security researcher Jonathan Leitschuh, who discovered and reported the vulnerability, warned that it could be used for two kinds of attack: users can be lured into meetings with their cameras turned on, which could be used to gather information for phishing attacks, or users' machines can be targeted for denial-of-service (DoS) attacks by sending repeated junk requests to the local server.
Traditionally, desktop and web applications have been sandboxed to prevent this kind of cross-communication. When Zoom became aware of the vulnerability, it issued a quick fix that saves the user's setting for whether video is enabled when they join a call, so users can at least turn off their cameras. However, the fix did not address the underlying problem of the insecure local web server.
The company defended its decision in a blog post, saying that without the web server, users would have to click to confirm that they wanted to start the Zoom client before joining a meeting. "The local web server allows users to avoid this extra click before joining each meeting. We believe this is a legitimate solution to a bad user experience issue so users get faster, one-click-to-join meetings." It also noted that it has no indication the vulnerability has ever been exploited, and that even if it were, users would see that they had accidentally joined a meeting and could leave immediately.
Whether saving users one extra click is worth the major vulnerability created by the insecure web server is not a topic Zoom is eager to discuss. In a statement to Gizmodo, the company said that one-click-to-join meetings were a "key product differentiator", and it has announced no plans to address the insecure web server problem.