Jonathan Leitschuh discovered the vulnerability:
This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.
On top of this, this vulnerability would have allowed any webpage to DoS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.
This is shockingly easy to exploit and, thankfully, fairly easy to protect against as a user.
However, I’d recommend removing Zoom entirely if you do not rely upon it. The company’s blasé attitude towards Leitschuh’s report of this bug would make me reluctant to trust them with my camera and microphone in the future.