Today, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in the Zoom video conferencing app for Macs. He has demonstrated that any website can open a video-enabled call on a Mac that has the Zoom app installed. That’s possible in part because the Zoom app apparently installs a local web server on the Mac that accepts requests a regular browser would not otherwise allow. In fact, if you uninstall Zoom, that web server persists and can reinstall Zoom without your intervention.
Using Leitschuh’s demo, we have confirmed that the vulnerability works — clicking a link if you have previously installed the Zoom app (and haven’t checked a certain checkbox in settings) will auto-join you to a conference call with your camera on. Others on Twitter are reporting the same: