Fascinating look at the underpinnings of the big Zoom vulnerability announced last week, including an excellent discussion of how a lack of understanding may have led to this huge fiasco. Author Chris Foster:
What this says to me is that Zoom may have needed to get this feature out and did not understand CORS. They couldn’t make the AJAX requests without the browser disallowing the attempt. Instead, they built this image hack to work around CORS. By doing this, they opened Zoom up to a big vulnerability because not only can the Zoom website trigger operations in the native client and access the response, but every other website on the internet can too.
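The point in the quote, as an added example that is not from Chris Foster's article or from Zoom's code: CORS restricts scripts reading cross-origin responses, not pages embedding images, so a localhost helper has to check the caller itself. The policy functions, the request shape and the `ALLOWED_ORIGINS` value are hypothetical, and the sample requests are constructed.

```javascript
// Added example: request policy for a hypothetical localhost helper service.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // placeholder origin

// Weak policy: any GET triggers the action. An <img> tag on any website can
// issue that GET, because embedding an image is not subject to CORS.
function weakPolicy(req) {
  return { act: req.method === "GET", status: 200, headers: {} };
}

function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin, // echo the allowlisted origin, never "*"
    "Access-Control-Allow-Methods": "POST",
    "Vary": "Origin",
  };
}

// Hardened policy: actions need a POST plus an Origin header on the allowlist.
// A cross-origin image load is a GET without an allowlisted Origin, so it is
// refused before anything happens.
function hardenedPolicy(req) {
  const origin = req.headers["origin"];
  const allowed = ALLOWED_ORIGINS.has(origin);
  if (req.method === "OPTIONS") {
    // CORS preflight: approve only allowlisted origins, never act on it.
    return allowed
      ? { act: false, status: 204, headers: corsHeaders(origin) }
      : { act: false, status: 403, headers: {} };
  }
  if (req.method !== "POST" || !allowed) {
    return { act: false, status: 403, headers: {} };
  }
  return { act: true, status: 200, headers: corsHeaders(origin) };
}

// Constructed sample requests (not captured traffic).
const samples = {
  imageTagFromAnySite: { method: "GET", headers: { referer: "https://other.example/" } },
  fetchFromOtherSite: { method: "POST", headers: { origin: "https://other.example" } },
  fetchFromOwnSite: { method: "POST", headers: { origin: "https://app.example.com" } },
};

// Returns, per sample, whether each policy would perform the action.
function evaluate() {
  return Object.fromEntries(Object.entries(samples).map(([name, req]) =>
    [name, { weak: weakPolicy(req).act, hardened: hardenedPolicy(req).act }]));
}
```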