If you have the Loom Desktop for Mac installed (this does not apply to Windows), please check that you have at least version 0.17.3 installed. You can either download the app directly, or you can check if you have the latest version of our app by clicking on the 3-dot menu in the upper-right corner of our app and then selecting Check for Updates.
On July 9th, 2019 our team was made aware of three separate security vulnerabilities in our desktop application. We have since fixed all three. Here is the log of action:
Now that you’ve updated your Loom desktop app, we’d like to take a bit of time to explain what happened.
On July 8th, 2019, it was publicly disclosed that Zoom's Mac client had a zero-day vulnerability: the app ran a web server on each user's machine, and any web page that knew how to reach it could use it to turn on the user's camera and, as the page's author describes, could be used to execute code. The latter class of attack is called Remote Code Execution, or RCE for short. You can read more about this vulnerability and its story here.
Around the same time, many security researchers started finding other apps that used the same pattern of hosting a web server on the user's machine. For most of those apps, the use case appears to be letting the user's web browser talk to the application. I personally worked on a project that explored this possibility and decided against it.
That being said, Loom's desktop app does also run a local web server. We never intended for any application other than our own to talk to it, and we put measures in place to ensure it could only be reached by a trusted application, by:
Despite these measures, Thomas reported 3 security flaws:
We have since fixed all issues.
You might be wondering why Loom uses a web server at all if it is not meant to be connected to from outside our application. The reason is that our recording layer is separate from our UI layer. The recording layer is written in native code so it can use lower-level platform APIs for better performance; the UI layer is written in JavaScript on Electron to get Electron's cross-platform support and shorter iteration cycles for our engineers. The two layers need to communicate, there is no industry-standard way for them to do so, and a local web server is the mechanism we chose.
We do not take this situation lightly. We have fixed all of the reported issues in a way that does not just address these specific flaws but also prevents the same class of problem from recurring in the future. Our users record sensitive information into our platform, and we do not take that trust for granted. Loom will continue to improve its security practices, and we are grateful for security researchers like Thomas. We have compensated him for his efforts.