It's not a "so-called vulnerability". As the article describes, this could be used in concert with another vulnerability to achieve RCE. Combining vulnerabilities is often how RCE is attained.
These actions undo the thoughtful work of information security professionals to protect users. It's astonishing to me that people can't see what's wrong here.
But the web server / CORS bypass is completely fucked up, nefarious, and unforgivable.
Accordingly, I edited my post.
If you have an open local server running, this will detect it.
I still don't fully understand _why_ they had to do this hack if they own the localhost server. They could just set CORS to be '*' and relax their CSP. Then they would be able to get data with JS.
For example, this website can see any local server on your network with open CORS, since it appears they relaxed their CSP.
All of this to avoid an extra click. I know UX is important, but it is not more so than security.
It allows the attacker to potentially unmask your identity if you are logged into Zoom. When you join the call, you will show up in the participants list.
This is definitely something that you would not want to happen on various parts of the web. It kills your ability to browse privately.
In my experience (the energy sector), most of the people I interact with on Zoom would definitely fall for joining some random meeting that popped up. They are incredibly good at their field of expertise, but certainly doofuses when it comes to knowing how to click on things in Zoom.
They already have you on video at that point. The summary above is very fair; there's no point trying to throw more PR at this problem. Ignoring other issues and focusing on the main point: They need to increase security by a huge amount by implementing a simple dialog with "Yes" not selected as default. They also need to communicate why they did this to their users and be honest.
This is a truly heinous design and should be lambasted as such.