The company released a patch Tuesday addressing the issue after security researcher Jonathan Leitschuh wrote about the vulnerability on his blog.
Zoom initially said it had “no indication” a user had ever unintentionally joined a call through the exploit Leitschuh found. The company pointed to settings that allow a user to turn off their camera.
But Leitschuh identified a line of code he said an attacker could embed on a website that would cause a Zoom user to instantly connect to a call with video on. He also said a feature of the app allowed it to be reinstalled “without any user interaction” after being uninstalled.
“We appreciate the hard work of the security researcher in identifying security concerns on our platform,” Zoom wrote in its updated response to the issue. “Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”
The company then released a patch that it said would eliminate the problem on Macs and allow users to manually uninstall Zoom.
Leitschuh said he hoped the update would patch “the most glaring parts of this vulnerability.”
“The Zoom CEO has also assured us that they will be updating their application to further protect users’ privacy,” he said.
Another update, planned for July 12, will allow first-time Zoom users to choose to always turn their video off, according to the company.
Anyone who wants to update their Zoom app can download the patch from Zoom’s website.