It's been really interesting to see how quickly the original Zoom response of "there's nothing wrong with this, everybody does it" ended up being reversed.
I wonder if there's a known exploit for the Zoom server specifically, or if Apple discovered one while looking into it. It seems strange for them to go to these lengths in this case when it sounds like other software has been using a similar technique too. Maybe it's just the reinstallation aspect that makes Zoom's case exceptional?
It was the combination of the vulnerability in the Zoom client combined with this behaviour in the web server:
"Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day."
In the news segment of this week's episode of Risky Business[0], one of the hosts mentions (starting around 3:40) he has some information that there was an RCE disclosed to Zoom back "some months ago". He further says that @Jlleitschuh (the person reporting the web server issue earlier this week) got 90% of the way to finding it. So...yeah, speculation only, but maybe Apple became aware of this and dropped the hammer.
They also discuss a case, where a user uninstalls Zoom, but does not remove the web server, remaining forever vulnerable, because the fix from Zoom will not reach them. That explains the Apple involvement.
After that PR spin in response to threat disclosure in the original article, I am very skeptical of Zoom's PR machine.
> Zoom spokesperson Priscilla McCarthy told TechCrunch: “We’re happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today. We appreciate our users’ patience as we continue to work through addressing their concerns.”
Yeah, I'm quite curious now if Zoom's reversal and decision to remove the server was because Apple informed them they were going to forcibly remove it like this.
It looked like they decided to remove the server themselves (or at least, as a response to pressure), but maybe they didn't actually have a choice at all.
Yeah, exactly. Software you've uninstalled gives away permission to use your camera to a remote web page? That's malware, and would get most apps banned permanently.
I got all my colleagues to uninstall Zoom and related artefacts. I'm sure I wasn't the only one. They probably have stats that show this. Too late for me. We will just never use it again unless all other improving options suddenly fail (which is highly unlikely). This isn't because I hate Zoom or and annoyed at their response, it's because it's too late. I've uninstalled it and most likely won't have a reason to reinstall it ever. Reverse inertia.
Other software used similar techniques for starting calls, but I believe that Zoom is unique in that calls can turn the camera on without any user interaction.
Zoom also didn't reverse their decision until there was a huge amount of public backlash.
I wonder if there's a known exploit for the Zoom server specifically, or if Apple discovered one while looking into it. It seems strange for them to go to these lengths in this case when it sounds like other software has been using a similar technique too. Maybe it's just the reinstallation aspect that makes Zoom's case exceptional?