Serious Zoom security flaw could let websites hijack Mac cameras https://t.co/PmVsQupViY pic.twitter.com/YYMoKteyuu

— The Verge (@verge) July 9, 2019

“the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn’t. In fact, if you uninstall Zoom that web server persists and can reinstall Zoom without your intervention.” https://t.co/sjKQJlsZpA

— Chris Wysopal (@WeldPond) July 9, 2019

Sometimes “easy” and “free” can be really expensive – it could come at the cost of giving up your confidential information. https://t.co/7XlMOLQgWP #cybersecurity #privacy pic.twitter.com/TH7vTzFrqQ

— Wickr (@myWickr) July 9, 2019

If you're a Zoom user and have a Mac, be careful! ⚠️ https://t.co/nVymLhAfCg pic.twitter.com/cDJ0gI3FLC

— Afrihost (@Afrihost) July 9, 2019

Serious Zoom security flaw could let websites hijack Mac cameras - The Verge https://t.co/z4okmtKn48

— RR Apple (@RRalstonAgile) July 9, 2019

You still think it's silly to put tape on top of a webcam?

"Serious Zoom security flaw could let websites hijack Mac cameras"https://t.co/EaHUz5JVoh #privacy #zoom pic.twitter.com/ajNFaC4hHw

— F-Secure FREEDOME VPN (@FreedomeVPN) July 9, 2019

To all my friends and colleagues using @zoom_us on a Mac (I know that’s a lot of you), be sure to read this security notice and update your settings. https://t.co/z5KDaYji6b H/T @rabble

— Eugene Eric Kim (@eekim) July 9, 2019

Don’t think of this as a vulnerability in Zoom. Think of it as a commercial implementation of chat roulette : Serious Zoom security flaw could let websites hijack Mac cameras https://t.co/tgiSccnoGE

— Rich Mogull (@rmogull) July 9, 2019

Serious Zoom security flaw could let websites hijack Mac cameras cc ⁦@Mr_ALNCo⁩ #TMSouthWales #edtech #elearning https://t.co/K1pArvTXBY

— ✨ Mark Anderson ✨ (@ICTEvangelist) July 9, 2019

What the fuck https://t.co/Cz6RI5gpQl

— Erin Gallagher (@3r1nG) July 9, 2019

If you have a Mac and have *ever* installed @zoom_us videoconferenci g apps on it, make sure you read through and remove it. They allow anyone to just connect to your webcam. And are calling it a feature. Holy fuck. https://t.co/smLsBzgKJr

— Anže Vodovnik (@Avodovnik) July 9, 2019

Overnight (for me, anyway), Zoom published a blog post response. Notable that Zoom says "We are not alone among video conferencing providers in implementing this solution." WRT the web server on your Mac thing.https://t.co/m53OVTXw1l

— Dieter Bohn (@backlon) July 9, 2019

You really need to stop using Zoom (and uninstall it) right now. They literally don’t know what they’re doing. Completely PR-talk response without any real solution to severe security vulnerability (including taking video and audio of you and crashing your computer). https://t.co/2Riy3pmSOq

— Thomas Fuchs ? (@thomasfuchs) July 9, 2019

This week, a researcher published an article raising a number of concerns about our video experience. We've published our response on our blog here: https://t.co/56yDgoZf1U

— Zoom (@zoom_us) July 9, 2019

Wait, so @zoom_us created a local web server with a new attack surface on Macs to get around a security feature introduced in Safari that prevented apps with custom URL schemes from being auto-launched behind the user’s back?! https://t.co/4WJdr8CzGW

— Rosyna Keller (@rosyna) July 9, 2019

If you have ever installed Zoom on your Mac (even if you later uninstalled it) there is a localhost web server running on your machine to make reinstallation easier. But there are some problems with how it is done.

You might want to read this.

https://t.co/Z4FSB5zWI1

— Ray[REDACTED] (@RayRedacted) July 8, 2019

Seriously if you have ever used Zoom on your Mac, even _if you uninstalled_ it, anyone can connect to your camera without you being prompted.

Zoom didn't patch this even with 90-day heads-up time given by the security researcher.

See the article for mitigation. https://t.co/6enThMYqVM

— Thomas Fuchs ? (@thomasfuchs) July 9, 2019

Surprised Apple hasn’t flipped an XProtect kill-switch to disable Zoom’s daemons remotely. I don’t think that would be an overreach, faced with a story like this? ?

— Steve Troughton-Smith (@stroughtonsmith) July 9, 2019

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. (Why is it that all the video conferencing software is so creepy? Skype started the tradition.) https://t.co/4oJ3CF4tTt

— Frank Rieger (@frank_rieger) July 9, 2019

This is a tone deaf response to a security concern. Never, ever, say you expanded attack surface to "fix" a UI issue.https://t.co/HXYJMHyTha pic.twitter.com/gBJhNFBF0Q

— Jake Williams (@MalwareJake) July 9, 2019

In the meantime, $ZM stock is currently down <1% and still trading 5% higher than its July 3rd close. https://t.co/DyZpmHgRPV

— J-Strizzle (@jstrauss) July 9, 2019

Disasters like Zoom are why the Mac gets progressively more locked-down, and why commandline tools and daemons can’t be exempt from signing & security. By default, we should trust no software, and neither should the hardware it runs on https://t.co/OmYhPvFanR

— Steve Troughton-Smith (@stroughtonsmith) July 9, 2019

Allowing users to set their video to on by default by joining is product choice I don't agree with, but understand. Allowing administrators to make that choice for users is a product choice is wrong IMO.https://t.co/m53OVTXw1l pic.twitter.com/2R9vTVnJFw

— Dieter Bohn (@backlon) July 9, 2019

This is my #ZeroDay #PublicDisclosure of a security vulnerability impacting 4+ Million of @zoom_us's users who have the Zoom Client installed on Mac.

Zoom had 90-days + two weeks to resolve this #vulnerability and failed to do so.https://t.co/hvsoS79bos

— Jonathan Leitschuh (@JLLeitschuh) July 8, 2019

Bold prediction: so far, we have uncovered roughly 40% of the mess video conferencing is security-wise https://t.co/8zRrZ6AjVL

— Natalie Silvanovich (@natashenka) July 9, 2019

Don’t *ever* let your marketing department publish a technical response. https://t.co/Ruo8a3e7OX

— Joe Ferguson (@JoePFerguson) July 9, 2019

wrt the "simple Zoom feature where you can just send anyone a meeting link...I was curious about how this amazing bit of functionality was implemented and how it had been implemented securely. Come to find out, it really hadn’t been implemented securely."https://t.co/TO3MkygJXJ

— adriennefriend (@adriennefriend) July 9, 2019

The flipside to responsible disclosure: failure to patch a critical vulnerability in 90 days makes a software vendor irresponsible and it's a good thing for their irresponsibility to become public knowledge sooner than later https://t.co/9i2ZU5XZp1

— Tony "ABOLISH ICE" Arcieri (@bascule) July 8, 2019

Here is Zoom's official response. It's yet another case of "User's want the convenience so it's not a problem". This is a poor response. This kind of stuff is enabled because user's aren't informed about they're being opted into. https://t.co/FZ2F6A0yv0

— Marco Rogers (@polotek) July 9, 2019

I don’t see how this is relevant and I don’t understand why Zoom mentions this in their statement. https://t.co/Svf1d9YSNh pic.twitter.com/H8XiAruwwO

— @mikko (@mikko) July 9, 2019

This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf

— Matt Haughey (@mathowie) July 9, 2019

Flaw in Zoom's Mac client allows websites to turn on user cameras without permission https://t.co/SPm1TYJail pic.twitter.com/MNj3X2lDvZ

— Dave Michels (@DaveMichels) July 9, 2019

We have updated our security related blog post to include details on a scheduled software patch which will be made available tonight (July 9) at or before 12:00 AM PT. For more information on the upcoming changes, pls read: https://t.co/56yDgoZf1U

— Zoom (@zoom_us) July 9, 2019

Zoom just updated their blog post again to say they're removing their local web server entirely.https://t.co/3ApfAmA1Gs https://t.co/liNhpgqjiX

— Jason Snell (@jsnell) July 9, 2019

Zoom had a cascading failure of product decisions, security bypasses, and then a terrible hand-waving blog post—which has been updated several times, and they’re finally doing the right thing. https://t.co/PROJzhOYux

— Glenn Fleishman (@GlennF) July 9, 2019

Zoom has reversed course. It will update its Mac app to remove the local webserver.

It's the right move -- and I will be very curious to see what other companies running webservers on Macs to support their apps will do.https://t.co/m53OVUf6ST

— Dieter Bohn (@backlon) July 9, 2019

We wanted to share a couple updates from team Zoom - an upcoming update this week to our local web server and clarifying user controls over video. Please stay tuned at our blog here: https://t.co/56yDgoZf1U

— Zoom (@zoom_us) July 9, 2019

The @zoom_us videoconferencing team has pulled an about-face. It'll now remove the web server it installed on Macs to bypass browser security. Zoom's uninstall process also will now remove the web server, not leave it behind. https://t.co/QxGJfXkD2j

— Stephen Shankland (@stshank) July 9, 2019

https://t.co/WDhviA9Ys6

>We are not alone among video conferencing providers in implementing this solution.

Time to check the other video conferencing apps

— ClearIce (@ClearIceSec) July 9, 2019

security researcher: your app has a serious flaw that makes >4 million users vulnerable to malicious scripts accessing their camera

zoom: it be like that sometimes

https://t.co/N6a5LzE9YE

— big wife energy ? (@AlisonBuki) July 9, 2019

What an amazingly misleading response from @zoom_us to the situation. https://t.co/cZsXloT5lr

I'm not touching their software again. Their initial architectural decisions were terrible, their response to the report was terrible, their response after the fact is terrible.

— Perry E. Metzger (@perrymetzger) July 9, 2019

The Zoom stuff feels a bit overblown. Here's the vendor response. https://t.co/JJCoUHxhOC

— Kevin Beaumont ? (@GossiTheDog) July 9, 2019

Hello Matt, it looks like the researcher created a meeting without any access controls. We published our official response to this on our blog here: https://t.co/56yDgoZf1U

— Zoom (@zoom_us) July 9, 2019

By far the most ~disastrous response I've seen to a security issue

"We are not alone ... in implementing this"

"Zoom decided not to change the application ..."

Also an unusual NDA that doesn't allow disclosure even after it's patched (if ever)https://t.co/1OEi7QlzoZ

— Abhishek Das (@abhshkdz) July 9, 2019

Serious Zoom security flaw could let websites hijack Mac cameras https://t.co/EOboiatG3W via @Verge

— Rey Bango (@reybango) July 9, 2019

A Zoom Flaw Gives Hackers Easy Access to Your Webcam https://t.co/BDW1z6Nw71

— Christine Pompa (@christine_pompa) July 9, 2019

So not good.

If you have used the zoom app on a mac, it installed a persistent web server on your machine. Even if you delete their application, this web server persists and stays running. Not a normal app, it's in a hidden directory (.zoomus). 1/2https://t.co/vZcf0Z6gup

— ((( ted_dunning ))) (@ted_dunning) July 9, 2019

A Zoom Flaw Gives Hackers Easy Access to Your Webcam https://t.co/psIsW4Iv9q #Security #SecurityCyberattacksandHacks pic.twitter.com/49ykV6MP7B

— Igor Os (@igor_os777) July 9, 2019

This saga shows a tech company that doesn't care one bit about security https://t.co/Pc7VVxH2Xp

— Stephen Judkins (@stephenjudkins) July 9, 2019

Oh lordy, this is a bad one.

How many Mac users do you know even realize MacOS *has* a command line, much less how to access it?

I'd generously put it at one in four. https://t.co/MY0iQRU96M

— The Nash is coming from inside the house (@Nash076) July 10, 2019

Remove Zoom From Your Mac Right Now @MLE_Online @glowascii https://t.co/JHwvQFdsS3 via @lifehacker

— Dean Segovis (@HackAWeek) July 9, 2019

? Vulnerability in the Mac Zoom client allows malicious websites to turn your camera on without your permission, uninstalling Zoom doesn't help with the problem either, but you can take the appropriate security steps necessary outlined here ?: https://t.co/DSq9CVGbk3 #ZeroDay

— DEBORAH ZHANG ????‍? she/her (@itsdeborahzhang) July 9, 2019

Remove Zoom From Your Mac Right Now #digcit https://t.co/qZ0ZXpbaEs

— Kyle Calderwood (@kcalderw) July 9, 2019

Serious Zoom security flaw could let websites hijack Mac cameras#CyberSecurity #hacking #Pentesting #vulnerability #cyberattacks #IoTSecurity #hackers #malware #ransomware #Apple #Mac https://t.co/su5a0YdWkR via @Verge

— Reinard Mortlock (@MortlockReinard) July 9, 2019

For #Mac users there is serious security issue if you have ever installed #Zoom conferencing software. Even if you have uninstalled it later or try to uninstall it now. Zoom installs a web server which stays there. Insanely stupid and dangerous design.https://t.co/5CSP3SQBHC

— Harri Hursti (@HarriHursti) July 9, 2019

Serious Zoom security flaw could let websites hijack Mac cameras#CyberSecurity #hacking #Pentesting #vulnerability #cyberattacks #IoTSecurity #hackers #malware #ransomware #Apple #Mac https://t.co/su5a0YdWkR via @Verge

— Reinard Mortlock (@MortlockReinard) July 10, 2019

Scary Zoom camera vulnerability reported on Macs @TheVerge! At least one Zoom-based summer class (mine) begins 7/15/19, others possibly ongoing: https://t.co/dnf6ICwtnt @katiekraemer512 @Yaasmeenaaa @ESUniversity @StroudCourier @EastStroudsburg @drdwells @PoconoCameron @zoom_us

— Bill Broun (@Broun) July 9, 2019

A Zero Day vulnerability allows any website to open up a video-enabled call on a Mac with the Zoom app installed. Here's how to patch it. https://t.co/CcyRPEYjGq via @InfoSecHotSpot pic.twitter.com/NXVwdlKHYq

— Sean Harris (@InfoSecHotSpot) July 10, 2019

[Update] The July 9 patch to the Zoom app on Mac devices detailed earlier on our blog is now live. Details on the various fixes contained within it are explained, as well as how to update the Zoom software. See blog post here: https://t.co/56yDgoZf1U

— Zoom (@zoom_us) July 9, 2019

Vulnerability in the Mac Zoom client allows malicious websites to enable camera https://t.co/7oxZklI008 Zoom’s response to this is really bad https://t.co/9NbVD9mjFV

— The Best Linux Blog In the Unixverse (@nixcraft) July 10, 2019

Kudos to Zoom for listening to the feedback on the ill-advised nature of running an incognito web server just to ease launch links. It took a bit, but better late than never ? https://t.co/zqz5jJMsgH

— DHH (@dhh) July 10, 2019

Sorry @zoom_us, this announcement is a day late and a dollar short. https://t.co/kiUQEB2uwL I deleted everything yesterday, will not be returning. Take security seriously or lose your customers and your company. ht @andy_sellars

— Carl Malamud (@carlmalamud) July 10, 2019

From Zoom: "But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service."https://t.co/Z4lNK1eiAe

— Brian Lesser (@bdlesser) July 10, 2019

This is amongst the worst non-apology apologies I've ever seen, @zoom_us.

You installed a web server to get around a feature that Apple added to prevent the very thing that a researcher has determined your web server allows.

That's insanely stupid.https://t.co/Ck0CGvcpz8 pic.twitter.com/AqYexcymf8

— Rob Griffiths (@rgriff) July 9, 2019

Now why would Safari add that useless extra click? ?https://t.co/LuwCY2ybfk pic.twitter.com/YqfwrNJM5F

— Johann Hofmann (@johannh) July 9, 2019

Update! Zoom have released a patch that disables the auto-join feature and removes the secret web server. Great going for only 24 hours of internet-wide roasting: https://t.co/FpswrRFgMJ

— Laurie Voss (@seldo) July 10, 2019

Zoom's response(s), in which it seems to take them till the third update to realise that their hair is on fire: https://t.co/QnvtrK0YiH Read, if you've ever installed Zoom on your Mac, even if you later uninstalled it. #zoomageddon https://t.co/Alob9348pq

— Samuel Wade (@samuel_wade) July 10, 2019

the zoom bug is just a really classic example of a company choosing convenience over security/privacy https://t.co/u9kcdAEu82

— Lily Hay Newman (@lilyhnewman) July 9, 2019

More than that #BadHairDay to worry about, whoops... ? https://t.co/mpm2WMBkHk #zoom #privacy

— Dorian Johannink (@dorianjohannink) July 10, 2019

Oops... Time to bring back the #webcam sticker!? Our mates at @centralityai might be able to hook you up #Zoom users ? > https://t.co/oegW8yCAzB #Hacked #tech @aaronmcdnz pic.twitter.com/YRsey1hKVi

— Sylo (@sylo) July 10, 2019

If you EVER installed Zoom, even if you removed the app, ANYBODY could forcibly start a call, enabling your webcam and listening in.
Another case for #selfhosting - yes, if you remove #nextcloud Talk from your server, it won't zombie back. Stay in control!https://t.co/8fMPLbYGOk

— Nextcloud ?☁️? (@Nextclouders) July 10, 2019

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission : https://t.co/C5RJYKENJt (fixed*)

Zoom fixes major Mac webcam security flaw with emergency patch : https://t.co/TOVWEtbYl1

— Binni Shah (@binitamshah) July 10, 2019

#Zoom Zero Day: 4+ Million #Webcams & maybe an RCE? Just get them to visit your website!.#Birmingham #SmallBusiness #BrumHour #Malware #RansomWare #Phishing #CryptoMining #Virus #Trojan #Security #IdentityTheft #Privacy #smallbizbritain2019https://t.co/jEyPtJtILp

— John Quinlan (@speeednet) July 10, 2019

But it's not a hard one to figure out, and with all the attention this latest thing has received, others WILL find the RCE. Only way to protect yourself is to MANUALLY remove the localhost listener as per the auto-join bug post. https://t.co/tl5RIAB3KM

— Patrick Gray (@riskybusiness) July 10, 2019

Twitter: why did @JLLeitschuh's public disclosure of the Zoom vulnerability have nearly zero impact on its stock price?

Are shareholders completely out the loop -- how did this not impact its valuation? (wtf capitalism) https://t.co/mcOa2WoN0z pic.twitter.com/XaCfqjTX7G

— Andy Coravos (@AndreaCoravos) July 9, 2019