Zoom's zero day leaves behind a mess

Zoom, the video conferencing app that went public for billions of dollars back in April, has a serious vulnerability that allows users to be forced into video calls without their permission. But it's also the weirdest side-door into an app I've ever seen. A researcher discovered the flaw, which begins with the Zoom app installing a web server on your macOS computer, and was able to cripple your machine by overwhelming it with bogus traffic to that undocumented server. That part is fixed, but Zoom is not fixing the other problem: adding you to calls without your consent. The video call issue exploits that local server, which is a hack designed to make it easier to join a call by sending you to a local URL. would join you to a call with your webcam enabled, no interaction required. That's something of a nightmare—and it even works if you just embed an iframe with a specially crafted URL into any website! –Zoom's back door ↗