Issue 39: Vulnerable local Zoom webservers on 4+ mln Macs


This week, we take a look at Zoom’s insecure API snafu that affects millions of Mac users, improvements to the OpenAPI support in Visual Studio Code (VS Code), the PolarProxy tool for TLS traffic decoding, the latest API breach fines, and a new survey on cloud security.

Vulnerabilities: Zoom

Zoom is a popular video conferencing app. Unfortunately, in their pursuit of ease of use, they deployed local web servers with vulnerable APIs to the computers of more than 4 million Mac users!

Zoom wanted to have a one-click-join experience for their conference call links. The native Safari browser on Macs does not support application-specific links such as zoom://. As a workaround for this limitation, Zoom has been quietly deploying its own web server locally on Macs. This allows them to start meetings by making localhost calls from their pages.

Modern browsers have Cross-Origin Resource Sharing (CORS) protection that normally prevents such cross-origin calls. However, Zoom circumvented the protection by disguising the API calls as image loads, which browsers send out without applying CORS checks!

As a result, attackers can embed an img element on a web page and force your Mac to start a Zoom session with your camera on. Another way to do that is to include an iframe element with the Zoom link. Either way, no action other than landing on the crafted web page is required from the user.

The API is not fully documented, so there may also be other methods for further remote attacks. For example, the local web server also re-installs Zoom even if you uninstall the app, unless you separately kill the local web server as well.

See the full report by Jonathan Leitschuh; it is a fascinating read.
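To make the failure mode concrete, here is an added example (not Zoom's code, and not taken from Leitschuh's report) of a simulated localhost launch endpoint in Python: the vulnerable policy honours any GET that names a meeting, which is exactly what an image or iframe load supplies, while the hardened policy requires a per-install secret that web pages never see and, as defence in depth, refuses requests the browser labels as cross-site via Fetch Metadata. The endpoint path, the `confno` and `token` parameters and `INSTALL_TOKEN` are assumptions made for illustration.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Hypothetical per-install secret: created by the native client at install
# time and never exposed to web content (an assumption, not Zoom's design).
INSTALL_TOKEN = secrets.token_urlsafe(32)


def meeting_id(path):
    """Return the meeting id from the query string, or None if absent."""
    return parse_qs(urlparse(path).query).get("confno", [None])[0]


def vulnerable_policy(path, headers):
    """The flawed check: any GET that names a meeting is honoured, so a
    cross-origin <img> or <iframe> load from any site is enough."""
    return meeting_id(path) is not None


def hardened_policy(path, headers, token=INSTALL_TOKEN):
    """Honour the request only with the per-install secret, and refuse
    anything the browser labels a cross-site load (defence in depth)."""
    if meeting_id(path) is None:
        return False
    # Browsers supporting Fetch Metadata set Sec-Fetch-Site themselves; page
    # content cannot forge it. A load from another site arrives 'cross-site'.
    if headers.get("Sec-Fetch-Site", "none") not in ("none", "same-origin"):
        return False
    # Only the installed client knows the token; compare in constant time.
    supplied = parse_qs(urlparse(path).query).get("token", [""])[0]
    return secrets.compare_digest(supplied, token)


class LaunchHandler(BaseHTTPRequestHandler):
    """Localhost endpoint; the 'start a meeting' side effect is only logged."""

    def do_GET(self):
        allowed = hardened_policy(self.path, self.headers)
        self.send_response(200 if allowed else 403)
        self.end_headers()
        if allowed:
            self.wfile.write(b"launching meeting " + meeting_id(self.path).encode())


if __name__ == "__main__":
    # Bind to loopback only, on an ephemeral port; the token is printed so a
    # local test client can supply it while a web page cannot.
    server = HTTPServer(("127.0.0.1", 0), LaunchHandler)
    print("listening on 127.0.0.1:%d token=%s" % (server.server_port, INSTALL_TOKEN))
    server.serve_forever()
```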

Tools: The OpenAPI extension for Visual Studio Code

VS Code is a popular Integrated Development Environment (IDE). The OpenAPI extension for it was released about a month ago, originally supporting only API contracts in JSON format.

This week, the extension has been updated to include support for YAML format as well. Now, all functionalities — new API templates, navigation, linting, snippets, Go To Definition, IntelliSense — are available for both formats.

Tools: PolarProxy

Netresec has released their free PolarProxy tool for malware researchers and incident responders.

It is a transparent SSL/TLS proxy that decrypts traffic and saves it as a Wireshark PCAP file for further research.

Fines for API Vulnerabilities

We covered the API vulnerability in the Jack’d dating app in an earlier newsletter. This week, the vendor Online Buddies was fined $240K for having that vulnerability in their API and failing to protect their users’ data.

Surveys

Cybersecurity Insiders has published their 2019 Cloud Security Report. Some relevant highlights from the report include:

  • Data loss and leakage are the top cloud security concerns (64%).
  • The biggest vulnerabilities in the minds of security professionals are (each with 42%):
    • Unauthorized access through misuse of employee credentials and improper access controls
    • Insecure APIs

API Security Briefings from Amazon Echo

You can now add this newsletter to your news briefings on Amazon Echo and Alexa devices:

  1. Open your Amazon Alexa app.
  2. Go to Skills & Games.
  3. Search for API Security.
  4. Enable the skill.

Now, whenever you ask Alexa to read you the news, you will also hear the latest from our newsletter.
