Over four million users across 750,000 companies use Zoom for video conferencing around the world.
And uninstalling the app alone won't fix the problem.
This local web server not only keeps running in the background but actually re-installs the Zoom client, also in the background, as soon as the user's Mac gets a request for a video call, a request that can easily be buried in a malicious web page. The patch will also make it easier for users to uninstall the program altogether. Security best practices generally recommend public disclosure of major threats or vulnerabilities within a 90-day period, and the blog post suggested the company had not acted in a timely manner to protect its customers.
The idea that anyone can remotely activate your laptop's webcam will alarm many, and Zoom has responded and rushed out a patch for the app on Macs.
According to the Verge, uninstalling the Zoom app from your Mac isn't enough to fix the problem, either.
The publication confirmed that the vulnerability works: if you have previously installed the Zoom app, clicking a link will automatically join you to a conference call with your camera on.
If a user has ever installed the Zoom client and then uninstalled it, the Mac still has a localhost web server that will re-install the Zoom client, without requiring any user interaction besides visiting a webpage. In fact, Farley pointed the finger at Apple as the reason for the background web server, saying that it was built as a "workaround" after Apple made a security change in Safari 12 to improve user privacy, in order to avoid making users click an extra dialog box before joining a meeting.
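The practical check a defender wants after reading this is whether a helper process from an application that is supposedly gone is still listening on localhost, since any web page the browser loads can reach such a listener. The script below is an added example written for this article, not code from Zoom or from the researcher; it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` on a Mac and flags listeners owned by a known helper whose parent app is no longer installed. The helper name `ExampleHelper`, the app name `ExampleApp` and the port `19999` are placeholders, and the sample `lsof` output is constructed; the article does not give the real daemon name, path or port.

```python
"""Find localhost listeners left behind by an app the user thinks is uninstalled.

Added example for this article; not Zoom's or the researcher's code.
Helper/app names and the port below are placeholders, not values from the article.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Addresses a browser on the same machine can reach: explicit loopback
# plus wildcard binds, which also answer on 127.0.0.1.
LOCALLY_REACHABLE = {"127.0.0.1", "::1", "localhost", "*", "0.0.0.0"}

# Hypothetical mapping: helper process name -> the app that installs it.
HELPER_OWNER: Dict[str, str] = {"ExampleHelper": "ExampleApp"}

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output on a Mac.
SAMPLE_LSOF = """\
COMMAND        PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd       412  alice    4u  IPv4 0x3c1e9f2a0b1c0001      0t0  TCP *:49152 (LISTEN)
ExampleHelper  987  alice    5u  IPv4 0x3c1e9f2a0b1c0002      0t0  TCP 127.0.0.1:19999 (LISTEN)
node          1201  alice   22u  IPv6 0x3c1e9f2a0b1c0003      0t0  TCP [::1]:3000 (LISTEN)
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    address: str
    port: int

    @property
    def locally_reachable(self) -> bool:
        return self.address in LOCALLY_REACHABLE


def parse_lsof_listeners(output: str) -> List[Listener]:
    """Turn lsof's LISTEN rows into Listener records; header and odd rows are skipped."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[-1] != "(LISTEN)":
            continue
        host, port = fields[-2].rsplit(":", 1)  # NAME column, e.g. 127.0.0.1:19999
        listeners.append(Listener(fields[0], int(fields[1]), host.strip("[]"), int(port)))
    return listeners


def find_lingering_helpers(listeners: Iterable[Listener],
                           helper_owner: Dict[str, str],
                           installed_apps: Iterable[str]) -> List[Listener]:
    """Return locally reachable listeners whose owning app is no longer installed."""
    installed = set(installed_apps)
    flagged = []
    for listener in listeners:
        owner = helper_owner.get(listener.command)
        if owner is None or owner in installed or not listener.locally_reachable:
            continue
        flagged.append(listener)
    return flagged


def live_listeners() -> List[Listener]:
    """Run lsof on the current machine (macOS/Linux) and parse the result."""
    result = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                            capture_output=True, text=True, check=False)
    return parse_lsof_listeners(result.stdout)


if __name__ == "__main__":
    # Constructed: the user has ExampleApp uninstalled but its helper still runs.
    found = find_lingering_helpers(parse_lsof_listeners(SAMPLE_LSOF), HELPER_OWNER,
                                   installed_apps={"Safari", "Mail"})
    for item in found:
        print(f"lingering helper {item.command} (pid {item.pid}) listening on "
              f"{item.address}:{item.port}; its app is not installed")
```

On a real machine, replace `SAMPLE_LSOF` with `live_listeners()` and populate `installed_apps` from the contents of `/Applications`; a hit means a process from a removed app is still reachable from any page the browser opens, which is exactly the situation the article describes.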
"It took Zoom 10 days to confirm the vulnerability", wrote Leitschuh.
Zoom developers explained that the local server needs to store information about settings.
Leitschuh said the use of the local server was a fundamental security vulnerability, and sites should not communicate with applications in such a fashion.
"Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client," Zoom says.
"What's unfortunate, invasive and a violation of trust is when the software seems 'uninstalled' but really isn't", he added.