Crazy Zoom Exploit

Bad Idea

So yesterday, the Zoom Exploit hit the news feeds and web sites, and it was something that, I have to say, I'm not surprised about. Zoom was never one of the video conferencing solutions I was a fan of... like most utilities - pick one of the standards, and then be done. Google Hangouts is fine for small groups, and GoToMeeting is fine for large groups, and these are cross-platform, and work just fine. I use FaceTime more than anything else, but that's because it's an Apple ecosystem, and I don't need to have to tell folks to install additional software.

But this secret web server - that's crazy.

As soon as I read this I deleted the app. Immediately.

The second thing I did was to message a good friend that I know uses Zoom a lot - I wanted him to know that he was exposing himself to this issue. I included the entire article, because I wanted him to read about it as well, but I know he took steps at the time as well.

So this morning, I'm double-checking on the details, because this secret web server is just crazy, and I want to make sure that I've got it all cleared out. So let's see if it's running, kill it if it is, and then double-check that it's dead.

  $ lsof -i :19421
  COMMAND    PID  USER   FD   TYPE ...
  ZoomOpene 2385 drbob    3u  IPv4 ...
  $ kill -9 2385
  $ lsof -i :19421

OK... it's gone. Now let's remove the ~/.zoomus directory and put in a file to keep the directory from being created again...

  $ rm -rf ~/.zoomus
  $ touch ~/.zoomus

And finally, go into System Preferences and select Users & Groups, and then select your user, and go to the Login Items tab, and see if ZoomOpener is in the list. If it is - remove it with the - button at the bottom of the list.

Now it's out. For good.
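To re-check later that the cleanup held, here is a small audit script for the port and `~/.zoomus` steps above. It is an added example, not part of the original post; the function names are made up for this example, and the port number and path are the ones used in the commands above.

```shell
#!/bin/sh
# Added example: re-check the cleanup steps from the post.
ZOOM_PORT=19421   # port used in the post's lsof command

# Classify <home>/.zoomus:
#   blocked = regular file (the touch placeholder), present = directory,
#   absent = nothing there, symlink = unexpected, inspect by hand.
zoomus_state() {
  target="$1/.zoomus"
  if [ -L "$target" ]; then echo "symlink"
  elif [ -d "$target" ]; then echo "present"
  elif [ -f "$target" ]; then echo "blocked"
  else echo "absent"
  fi
}

# Print PIDs of processes listening on TCP port $1 (empty if none).
listener_pids() {
  lsof -t -i "TCP:$1" -sTCP:LISTEN 2>/dev/null || true
}

# Run both checks for home directory $1; return 0 only when clean.
zoom_audit() {
  rc=0
  state=$(zoomus_state "$1")
  echo ".zoomus: $state"
  [ "$state" = "blocked" ] || rc=1
  if ! command -v lsof >/dev/null 2>&1; then
    echo "lsof not found, port $ZOOM_PORT not checked"; rc=1
  else
    pids=$(listener_pids "$ZOOM_PORT")
    if [ -n "$pids" ]; then
      echo "listener on port $ZOOM_PORT, PID(s): $pids"; rc=1
    else
      echo "no listener on port $ZOOM_PORT"
    fi
  fi
  return $rc
}

if [ "${1:-}" = "--run" ]; then zoom_audit "$HOME"; fi
```

Run it with `--run` to audit your own home directory; a non-zero exit status means the placeholder file is missing or something is listening on the port again.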

The "explanation" from Zoom - that this is "a good way to present the user experience" - is just nuts. I can't imagine how anyone in this era of computers and invasion of privacy would try to even justify that. Just call it a mistake, and move on.

[7/10] UPDATE: Overnight Apple released a non-UI patch that took care of this problem for all users. I can remember when this feature of forced updates without user intervention was delivered in Mac OS - and I thought it was good. This proves that it was there for just such a case. Bad software.