Quote from Zoom’s initial response to Leitschuh’s disclosure:
Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device to help launch Zoom meetings. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings.
It’s remarkable how inconsiderately and ignorantly some companies act, and how they all too often invoke the magical buzzword-du-jour, “user experience,” as an excuse for circumventing meaningful security mechanisms — and, of course, do so without even making users aware of it.
One wonders if this comment from Zoom’s follow-up blog post, then, is quite audacious or just foolish:
What I can tell you is that we take user security incredibly seriously and we are wholeheartedly committed to doing right by our users.