[Ssr2-review] Zoom

Jennifer Bryce jennifer.bryce at icann.org
Mon Jul 22 07:37:57 UTC 2019

Dear SSR2 Review Team,

Please see the below note regarding Zoom, on behalf of ICANN IT.


We acknowledge and understand your concern with using Zoom as a native app from your device, following recent public disclosures by a security researcher.

Contrary to confusing messaging on different public fora, Zoom does not have a “hidden application” with access to camera and microphone. The facts are as follows:

  *   A localhost web server was installed to allow for easy launching of the Zoom application, functioning as an API between Zoom and a browser
  *   This server never had any access to your camera or microphone in and of itself. It only had the ability to launch Zoom.
  *   Further, for any unauthorized access to your camera to take place, your settings would need to be misconfigured in the way the researcher detailed in the first part of his disclosure.
  *   Microphone access was never an issue in this regard.

Since the public disclosure, Zoom has also taken steps to mitigate the vulnerabilities. On 9 July an application update was released to entirely remove the web server, as well as a new option to manually uninstall the Zoom application (including the web server and saved user settings). On 10 July, Apple issued an update to ensure the Zoom web server was removed from Macs, even if the user had not yet run the Zoom application update. Zoom worked with Apple to test this update, which requires no user interaction. Finally, on 14 July, Zoom released another application update to further address the settings misconfiguration which could have allowed for cameras to be on by default as you join a meeting. For more information on how Zoom has responded to the public disclosure, please visit here<https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/> and here<https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/>.

ICANN stands by its decision to offer Zoom for Remote Participation/Collaboration. If you are still hesitant to use a native Zoom app from your device, we recommend you uninstall the application and join Zoom meetings via browser. This is an option for any Zoom meeting.

Please see this link<https://www.icann.org/news/blog/known-zoom-vulnerabilities> for past ICANN blog post regarding Zoom. Let us know if you have any further questions or concerns with which we can assist.

Jennifer Bryce
MSSI Associate Project Manager
Internet Corporation for Assigned Names and Numbers (ICANN)

Email: jennifer.bryce at icann.org
Skype: jennifer.bryce.icann
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ssr2-review/attachments/20190722/cf4d65a8/attachment.html>

More information about the Ssr2-review mailing list