Wednesday, July 10th 2019
The UX of Zoom’s Local Web Server Security Hole
Video conferencing provider Zoom has pushed out an emergency patch to address the zero-day vulnerability for Mac users that could potentially expose a live webcam feed to an attacker, launching you into a Zoom video chat you’d never intended to launch. The move is a surprise reversal of Zoom’s previous stance, in which the company treated the vulnerability as “low risk” and defended its use of a local web server that incidentally exposed Zoom users to potential attacks.
Zoom says it used the local web server to make its service faster and easier to use — in other words, saving you a few mouse clicks. But the server also creates the rare but present possibility that a malicious website could activate your webcam by using an iframe, getting around Safari’s built-in protections.
Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device to help launch Zoom meetings. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.
My hope is that someone at Zoom got a call from someone at Apple today, indicating that the click-to-confirm Safari feature is intended to be used and that bypassing it is not cool.
Part of Zoom's response below. Basically: an update to Safari (probably for security?) added an extra click to joining a meeting. So Zoom added a whole damn, undisclosed, running webserver to your computer to Save You A Click. And it isn't sorry.
It's weird to me that Zoom is using UX as a scapegoat for a “feature” that turned into a large security vulnerability. Especially when Apple has been pretty clear about how the UX for this interaction should work through Safari's click-to-confirm.
I would further argue that good UX includes clarification of intent and system status especially when it even remotely concerns anything with video or audio functionality.
Apple has now taken things one step further and pushed out a silent macOS update that removes the web server, reports TechCrunch. The update is deployed automatically, so users don't have to manually apply it in order for it to take effect.
Zoom told TechCrunch it was "happy to have worked with Apple on testing this update" …
Updated on Saturday, Feb. 15th 2020