My issue with Zoom is that they sometimes manage to be "more convenient" than the competition by sacrificing security. One of my undergraduate classmates found a significant security hole in Zoom that allowed someone malicious to secretly enter you into a video call when you load their website. It has since been fixed, as has been the issue that prevented you from uninstalling Zoom.
https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

> This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine. I was curious about how this amazing bit of functionality was implemented and how it had been implemented securely. Come to find out, it really hadn't been implemented securely. Nor can I figure out a good way to do this that doesn't require an additional bit of user interaction to be secure.
> Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.
Again, both of these issues were fixed a week after the article went live, but the article went live 3 months after informing Zoom about the issues.
-- Pi Fisher
(617)615-NERD
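The quoted write-up describes a localhost web server that kept listening after the client was uninstalled. The script below is an added example (not part of the post or the write-up) of the kind of audit a defender can run to find that class of leftover: it parses `ss -H -ltnp` output (Linux iproute2), picks out listeners bound only to the loopback interface, and reports any whose owning process is not on an allowlist. The sample output, process names and port numbers are constructed for the example, not taken from the article.

```python
"""Audit loopback-bound TCP listeners from `ss -H -ltnp` output.

Added example. Parses iproute2 `ss` listener lines, keeps those bound to
127.0.0.0/8 or ::1, and flags processes that are not expected. The sample
below is constructed; the process names and ports are not real findings.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set

# Constructed sample of `ss -H -ltnp` output (no header line).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128   127.0.0.1:8099   0.0.0.0:* users:(("examplehelper",pid=1234,fd=7))
LISTEN 0 4096    0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 511       [::1]:631       [::]:* users:(("cupsd",pid=900,fd=6))
LISTEN 0 128     0.0.0.0:80     0.0.0.0:* users:(("nginx",pid=950,fd=8))
"""

_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def _is_loopback(host: str) -> bool:
    """True for IPv4 loopback (127.0.0.0/8) or IPv6 ::1."""
    return host == "::1" or host.startswith("127.")


def parse_listeners(text: str) -> List[Dict]:
    """Turn `ss -H -ltnp` lines into dicts: host, port, process, pid, loopback."""
    out = []
    for line in text.splitlines():
        cols = line.split(maxsplit=5)
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        local = cols[3]
        host, port = local.rsplit(":", 1)
        host = host.strip("[]")  # IPv6 addresses are bracketed
        m = _PROC_RE.search(cols[5] if len(cols) > 5 else "")
        out.append({
            "host": host,
            "port": int(port),
            "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
            "loopback": _is_loopback(host),
        })
    return out


def loopback_listeners(text: str) -> List[Dict]:
    """Only the listeners reachable solely from this machine (e.g. a browser)."""
    return [l for l in parse_listeners(text) if l["loopback"]]


def unexpected_listeners(text: str, allowlist: Set[str]) -> List[Dict]:
    """Loopback listeners whose owning process is not on the allowlist.

    A process that is unknown, or that belongs to software believed to be
    uninstalled, is what this audit is meant to surface.
    """
    return [l for l in loopback_listeners(text) if l["process"] not in allowlist]


def live_audit(allowlist: Set[str]) -> Optional[List[Dict]]:
    """Run the audit against the real `ss` output; None if ss is unavailable."""
    try:
        text = subprocess.run(["ss", "-H", "-ltnp"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return unexpected_listeners(text, allowlist)


if __name__ == "__main__":
    # Demonstrate on the constructed sample: cupsd is expected, the helper is not.
    for l in unexpected_listeners(SAMPLE_SS_OUTPUT, allowlist={"cupsd"}):
        print(f"unexpected loopback listener: {l['host']}:{l['port']} "
              f"({l['process']}, pid {l['pid']})")
```

Run it as root (or with enough privilege for `ss -p` to show process names) and maintain the allowlist from a known-good inventory; anything left listening on loopback after a product is removed is worth tracing back to the binary that owns it.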