Wondering how to whack Zoom's dodgy hidden web server on your Mac? No worries, Apple's done it for you

Apple has pushed a silent update to Macs, disabling the hidden web server installed by the popular Zoom web-conferencing software. A security researcher this week went public with his finding that the mechanism used to bypass a Safari prompt before entering a Zoom conference was a hidden local web server. Jonathan Leitschuh …

  1. Blockchain commentard Silver badge

    So is the poor user experience due to Apple's API/security model or Zoom's inability to program? And is there a hidden webserver on Windows installs?

    1. Captain Scarlet Silver badge
      Windows

      It's to prevent Zoom users receiving a prompt that the website would like to use the microphone and camera.

      According to the previous news post there is no such web server on Windows and I think a commenter confirmed Linux users don't have the web server either.

      1. DuncanLarge Bronze badge

        > It's to prevent Zoom users receiving a prompt that the website would like to use the microphone and camera.

        :-O Those prompts are there for a f*cking reason.

        1. Captain Scarlet Silver badge

          Yes, trying to educate normal users to actually read the damn messages is hard sometimes (I have had a few times the "I have nothing to hide" response like it's the police being given those privileges and not some huge blood sucking corporate company).

          1. Halfmad Silver badge

            Are we sure users were even asked if they thought it was a "poor experience" or is this simply Zoom doing this so they have an advantage over the competition then claiming it's all for the good of the user?

  2. thosrtanner
    WTF?

    > Further, Zoom promised an update in a couple of days intending that users who select "Always turn off my video" on first use will have that preference saved automatically.

    Is it just me who feels that "Always" implies "Always" and not saving the preference rather conflicts with the description?

    I'd say I cannot believe people like this would be allowed near a computer, but clearly they have been. If you're actively coding round standard security practices, you are no better than malware writers.

    1. DougS Silver badge

      Which is probably why Apple treated it as malware

      And removed it from all Macs. Then users who installed it but rarely use it won't have a web server written by a company that doesn't understand security running on their computer, and users who want to keep using Zoom can simply reinstall the newer fixed version.

      1. thosrtanner

        Re: Which is probably why Apple treated it as malware

        They only removed the web server. Not the whole software suite. I agree with other posters. Stuff from that company is not getting onto any computer of mine for a good long while and possibly longer.

  3. Anonymous Coward

    Hah

    I've set up a virtual webcam with customised fake video, configured to always get picked before my actual webcam [1]. Anyone incautious enough to try cam-snooping on my machine is going to get a surprise!

    .

    .

    [1] Disclaimer - I haven't really. Maybe I should. Any ideas for content? [2] :-)

    [2] *UNSUITABLE IDEA IN VERY POOR TASTE DELETED*

    1. Claverhouse Bronze badge

      Re: Hah

      A recording of Mr. Farage laughing ?

      A bearded BBC 1970s era Open University serial discussion of the ideal composition of building bricks ?

      An American wine club infomercial ?

  4. Mike Moyle Silver badge

    "Apple appears to have concluded that it is better to protect users by silently disabling this component than to respect the wishes of those who like to think they are in control of what gets installed and removed. Few would disagree."

    <sarcasm> CURSE YOU, HEAVY-HANDED APPLE CONTROL FREAKERY!!! </sarcasm>

  5. karlkarl Bronze badge

    I understand that in the browser some local JavaScript to "localhost:<someport>" can make a POST to Zoom's installed local (API) web server and execute some code locally; still not sure how that code (C, Swift, Objective-C, etc) can instruct the Safari browser to enable the webcam. Is this possible with AppleTalk? Sounds hacky.

    Or is this web server / client connecting to the Zoom conference server directly, effectively not really even using the browser once started... In that case, this is just another case of everyone over-utilising a web browser as just a shite GUI library.

    The whole thing sounds terrible. You wouldn't get this kind of mess in less popular software ;)

    1. Brewster's Angle Grinder Silver badge

      <guess>I don't know the specifics. But my guess is this is JavaScript using the media capture API. If a web site uses it, the browser prompts. But the localhost is probably exempt. So if you serve your page from a locally installed web server - there's no "annoying" prompt.</guess>

  6. Anonymous Coward

    User experience

    "Apple has pushed a silent update to Macs, disabling the hidden web server installed by the popular Zoom web-conferencing software."

    Now that's a good unprompted user experience. Maybe Zoom could learn a thing or two from Apple.

  7. Anonymous Coward

    Companies like this need to go out of business.

    Security must not be an afterthought and these clowns clearly have no idea about security.

    1. gnasher729 Silver badge

      It is quite possible that a company has engineers that are competent and care about security and are overruled by management who has received complaints from customers. (Customers will complain because they _wanted_ a connection and didn’t think there should be another prompt, oblivious of the fact that this prompt protects against hackers).

  8. Claptrap314 Bronze badge

    Almost a good thing

    Except I'm on a corporate box and refuse to provide my credit card number to Apple which means that Apple updates NEVER get to my machine...

    1. Halfmad Silver badge

      Re: Almost a good thing

      This **** is on the same level of retardation as "I don't do math".

      Just move to Linux if you honestly never want updates etc and stop wasting money on poor value for money hardware.


Biting the hand that feeds IT © 1998–2019