Why Mac Users Should Uninstall the Zoom App Right Now

A rookie mistake in Zoom's Mac installer led to a massive security hole, letting hackers do pretty much anything to your computer. 

Zoom has a history of security and trust screwups, from installing secret web servers on your computer to lying about its number of daily active users. Now, Mac security researcher Patrick Wardle has discovered a flaw in the installer that leaves you open to exploitation. Given its track record, it seems likely that Zoom might have similar problems in the future, so how should you protect yourself?

"Perhaps the marketplace will punish Zoom for the security breach, but this illuminates a much bigger issue in the cyberthreat arena. Most' regular users' (read: consumers) use antivirus software. What they don't realize, however, is that those legacy technologies are not keeping pace with the rapid evolution of threats and exploits that cybercriminals use," Chase Norlin, a cybersecurity expert and CEO at Transmosis, told Lifewire via email. 

Zoom Out

Zoom has become the default way to video conference over the last few years, mostly because it’s so easy to set up and join a call. But its epic rise has been littered with privacy, trust, and security breaches. The latest works like this. 

When you install Zoom on your Mac, you have to enter an admin password to give the installer elevated privileges to add files to deep parts of the system. Wardle discovered that Zoom holds onto these privileges even after installation, in order to install future patches without asking for your password again.

That would only be a breach of trust, or at least of expectations. But the installer also failed to properly check and identify subsequent Zoom patches. This means that malware could masquerade as a Zoom update, and get full access to install itself.

Wardle told the Verge that he first reported this vulnerability in December last year. Zoom’s fix introduced another bug that allowed a similar exploit, and that took eight months to fix. That’s a big worry for folks who need to use the software. How do we know that the current version of Zoom doesn’t contain yet more malware and exploits?

Many of us cannot simply stop using Zoom. You may need it for meetings while you work from home, and it’s simply too widespread to ignore completely. Fortunately, there are a few ways to protect yourself. 

Protect Yourself

In the care of Zoom specifically, the best way to avoid security holes is to not install the desktop software. One of Zoom's best features is that anyone can join a call just by clicking a link and connecting via their web browser. 

"Just uninstall all meeting apps from your computer. Use the browser version of the meeting client. They work well now. Apps run stuff in the background, and I won't even get into the stupid stuff they waste CPU time on when you're never even using them 99.9% of the time," said security and computer monitoring export SwitftOnSecurity on Twitter. 

If you want to use your Mac or PC for Zoom, then that's the way to go. While a browser-based app can have its own security problems, they won't allow rogue root-level installations. You may not get all the features, but if you're just doing video calls, it's fine. 

If you have an iPhone or iPad, then you can work with that. The iPhone is probably too small, but a regular or plus-sized 12.9-inch iPad is ideal, with the bonus of probably having a better camera than the one built into your MacBook, iMac, or Studio Display. 

Thanks to the way the App Store works, and the fact that all apps can run only inside their own' sandbox,' which isolates them from the rest of the system, they are safer than desktop apps, especially desktop apps that require an installer to spread parts of themselves deep into your system. 

While Mac users have generally never had to worry about viruses, you lose much of the built-in protection as soon as you type in your password. It pays to be very, very suspicious of any software that requires a password for installation, even if it's a legit app. Unless you trust the developer or their reputation, look elsewhere.