Zoom will patch videoconferencing app in security about-face

The company will stop using a local web server on Mac devices.

Abrar Al-Heeti Technology Reporter
Abrar Al-Heeti is a technology reporter for CNET, with an interest in phones, streaming, internet trends, entertainment, pop culture and digital accessibility. She's also worked for CNET's video, culture and news teams. She graduated with bachelor's and master's degrees in journalism from the University of Illinois at Urbana-Champaign. Though Illinois is home, she now loves San Francisco -- steep inclines and all.
Expertise Abrar has spent her career at CNET analyzing tech trends while also writing news, reviews and commentaries across mobile, streaming and online culture. Credentials
  • Named a Tech Media Trailblazer by the Consumer Technology Association in 2019, a winner of SPJ NorCal's Excellence in Journalism Awards in 2022 and has three times been a finalist in the LA Press Club's National Arts & Entertainment Journalism Awards.
Abrar Al-Heeti
2 min read

Zoom will remove the local web server on Mac devices as part of a patch.

Sarah Tew/CNET

Zoom is rolling out a patch Tuesday after a security flaw allowed websites to join users to video calls without permission. As part of the patch, the company will completely remove the local web server on Mac devices.

The security flaw, which security researcher Jonathan Leitschuh flagged in a Medium post on Monday, also activated Mac webcams without permission. Zoom will stop using a local web server on Macs once the Zoom client is updated.

The company will also add an option to its menu bar that lets users manually uninstall the Zoom client, including the locally installed web server -- website hosting software that browsers ordinarily traverse the internet to use. After the patch is deployed, users will see a menu option saying Uninstall Zoom, which'll completely remove Zoom from the device and a person's saved settings, the company said. 

In an earlier update Tuesday morning, Zoom said it didn't "currently have an easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client." Instead, the company said, users needed to manually locate and delete those apps until it rolls out a new Uninstaller App for Mac to help them delete the apps. 

The change of heart came after a response Monday that said Zoom installed the web server to make it easier to launch its videoconferencing service. Others do the same, it said in the justification it's now abandoned.

Leitschuh tweeted about the update Tuesday, saying, "The conversation with the @zoom_us CEO in the 'Party Chat' was incredibly productive. It felt like an about face on their previous position on this #vulnerability. It's really encouraging to see a CEO willing to jump into a call with a bunch of strangers to take responsibility."

Zoom will also have a release on Friday that addresses having video on by default. The release will let first-time users who click on the "Always turn off my video" box have their video preference saved automatically. Returning users can also update their preferences using Zoom client settings so videos are off by default.