Zoom Security Vulnerability on Mac (July 2019)

We were made aware of a security issue with the Zoom web and video conferencing platform which many users on campus utilize.  The issue impacts Mac users and the details of the vulnerability are outlined in this ZDNet article:

“A Zoom install on a Mac will run a server on port 19421, which can be used to put a Zoom user into a call, as well as update the application. …rather than making AJAX requests, the server uses the dimensions of an image from Zoom to handle error and status codes. He said this unique approach was done to bypass cross-origin resource sharing restrictions (CORS) since browsers do not use CORS for local servers.”

Since the discovery and announcement of the vulnerability, Zoom has released an update that discontinues the use of a local web server on Mac devices.  We highly recommend that all users of Zoom update their software as soon as possible to take advantage of the new patch.  This can be easily performed by launching the Zoom application and selecting “Update Now” when prompted.

For new customers who have not downloaded Zoom yet, Zoom has confirmed that the download link located at their download site contains the update which removes the local web server.
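As an added verification step, not part of the original advisory or of Zoom's own tooling: a small Python check (function names are our own) that probes whether anything on the Mac still accepts connections on the local port named in the quoted article. After the update removes the local web server, nothing should be listening there.

```python
import socket

# Port the pre-update Zoom Mac client used for its local web server
# (value taken from the advisory above).
ZOOM_LOCAL_SERVER_PORT = 19421


def local_listener_present(port, host="127.0.0.1", timeout=0.5):
    """Return True if something accepts a TCP connection on host:port.

    connect_ex() returns 0 on success and an errno (e.g. ECONNREFUSED)
    otherwise, so a non-zero result means no listener is reachable.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def zoom_local_server_status(port=ZOOM_LOCAL_SERVER_PORT):
    """Summarise whether the legacy Zoom local web server is still reachable.

    A listener on this port means the client has not yet received the
    update that discontinued the local web server; no listener is the
    expected state after updating.
    """
    listening = local_listener_present(port)
    if listening:
        verdict = "local web server still active: update Zoom"
    else:
        verdict = "ok: nothing listening on this port"
    return {"port": port, "listening": listening, "verdict": verdict}


if __name__ == "__main__":
    status = zoom_local_server_status()
    print(f"port {status['port']}: {status['verdict']}")
```

Run it on the Mac being checked, since the probe only looks at that machine's own loopback interface.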

Furthermore, we also encourage all users to check their video settings and confirm that they have selected “Turn off my video when joining a meeting”.  Having your camera off by default is generally more secure; you still have the capability to turn it on during a meeting should you wish to do so.

Should you have any questions regarding the news, please send an email to security@usc.edu.