
Zoom has a signed binary that runs any unsigned script

562 points | kccqzy | 6 years ago | twitter.com

214 comments

[+] Puts | 6 years ago
Some more shadiness from this company. The Zoom.us website, through its Content-Security-Policy headers, explicitly allows the browser to load scripts from these domains:

https://*.50million.club
https://apiurl.org
https://secure.myshopcouponmac.com
https://serve2.cheqzone.com
https://ad.lkqd.net

Doing a fast google for these domains shows they are mostly known for being associated with malware...

[+] cricalix | 6 years ago
I saw somewhere on Twitter, possibly as a reply to Scott Helme, that they possibly added these URLs to their CSP because they were getting errors in their CSP logs from machines that had adware/malware loaded. Can't find the tweet though, so maybe it wasn't him (but I'm reasonably sure it was a discussion of CSP, ReportURI, and the fact the CSP changes depending on logged in/out of zoom's site).

Pretty bad solution if that was indeed the case.

[+] TechBro8615 | 6 years ago
Wow, you're right. Here I was about to comment that you've probably got some browser extension installed doing that.

To see for yourself, simply `curl -I https://zoom.us`
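A small checker for the kind of CSP audit described in this sub-thread, added here as an example and not code from the thread or from Zoom: it parses a Content-Security-Policy value and lists the script-src host sources that are not the site's own origin. The header string below is constructed for the example; on a live site you would paste in the value from the `curl -I` output.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseCSP splits a Content-Security-Policy value into directive -> sources.
// Directives are ';'-separated, tokens whitespace-separated, names case-insensitive.
func ParseCSP(header string) map[string][]string {
	policy := map[string][]string{}
	for _, directive := range strings.Split(header, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue
		}
		name := strings.ToLower(fields[0])
		policy[name] = append(policy[name], fields[1:]...)
	}
	return policy
}

// ExternalScriptHosts returns the host sources a browser would accept scripts
// from (script-src, falling back to default-src as the browser does), minus the
// site's own origin. Keyword sources ('self', 'unsafe-inline') and scheme-only
// sources (data:, https:) are skipped; a bare "*" is reported, since it is a host.
func ExternalScriptHosts(header, origin string) []string {
	policy := ParseCSP(header)
	sources, ok := policy["script-src"]
	if !ok {
		sources = policy["default-src"]
	}
	var hosts []string
	for _, src := range sources {
		switch {
		case strings.HasPrefix(src, "'"): // keyword source
		case strings.HasSuffix(src, ":"): // scheme source
		case strings.EqualFold(strings.TrimSuffix(src, "/"), origin): // own origin
		default:
			hosts = append(hosts, src)
		}
	}
	return hosts
}

// Constructed header for the example; it is not the real zoom.us policy.
const sampleCSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://zoom.us https://*.example-ads.invalid https://cdn.example.invalid data:; img-src *"

func main() {
	for _, h := range ExternalScriptHosts(sampleCSP, "https://zoom.us") {
		fmt.Println("third-party script source:", h)
	}
}
```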

[+] badrabbit | 6 years ago
Yeah...about that: ad sites are contacted by malware a lot so google results will show as such. Adware is technically malware.
[+] gbea42d4 | 6 years ago
At least it's shady enough :D cX
[+] kccqzy | 6 years ago
To clarify, this zoomAutenticationTool† is part of the preflight "script" that gets run inside the Zoom installer. It is a signed binary that happily runs anything, including unsigned scripts. This generic-looking tool can be used to bypass code signing requirements. (It does prompt the user for administrator privileges.)

†: I didn't misspell the name of the executable. It's missing an h.

[+] j4yav | 6 years ago
Is this like when you have to spell cheese as something like "cheez" for legal reasons?
[+] zeepzeep | 6 years ago
> †: I didn't misspell the name of the executable. It's missing an h.

Ty for making me laugh.

[+] skykooler | 6 years ago
What is with Zoom misspelling everything? Their shady installer pops up "System request administrator privileges", and the code it runs misspells "retina" as "reitna".
[+] dvfjsdhgfv | 6 years ago
> †: I didn't misspell the name of the executable. It's missing an h.

I've seen a lot of posts defending Zoom wrt other offences. But at this point it should be clear what their practices are.

[+] erulabs | 6 years ago
It does make me feel a bit better though - sometimes I go overboard with security and spend hours making certificate validation work everywhere etc - the people actually making money skip all that and just ignore it. They typically get away with bad practices until they really get massive, as long as the software works well otherwise.

Sometimes when coding I think there is technically an obscure race condition security flaw and, from time to time, leave a TODO instead of spending those grueling hours. This weirdly makes me sleep better at night.

At any rate, "sunlight is the best disinfectant"!

[+] mikorym | 6 years ago
IMHO those you mention who make money are, in this case, qualified further to a category of products that in essence are not complicated. Video conferencing is not complicated until you have scaling problems. Similarly, Facebook was not complicated until it got millions of users at which point most of their interesting code had to do with scaling.

My point is that Zoom is replaceable and in fact, IMO should be replaced. Their tactics of using these dodgy techniques is because they want to have an edge over competition along the lines of "it just works".

I would contrast this to pure research services that add value that would otherwise not be there. Examples of this would be at the time that they were startups: Google (search algorithms) or Spotify (music categorisation algorithms). I'm not saying that today either of Google or Spotify are paragons of morality. At the hardware level I would include Tesla (battery tech) and Intel (processors).

My point is that the shady practices are at this point Zoom's product offering. If their video scaling algorithms are superior (and not just lifted from some open source libraries) then that should be their product offering. Not "it just works" via security exploits.

Edit: Typos.

[+] logicallee | 6 years ago
When I was first asked to install Zoom I hadn't heard of it, so I googled "Zoom malware" (to see if it's malware, as I assumed someone would have written that up if it was.) I didn't find a clear "zoom is malware" blog post at the time. So I said that's good enough for me and installed it.

Later when I heard that Zoom installs and leaves a web server open on your machine, even if you uninstall it, I felt duped, since I did my due diligence by Googling if it's malware. If it leaves a webserver running after uninstall, it's obviously malware, same as if it launched a Windows search for "passwords.txt". There's no real room for interpretation here.

But I didn't find that at the time.

Whereas if I did that Google search today I would find that it:

monitors activity on your computer - https://news.ycombinator.com/item?id=22657384

is not encrypting end to end despite claims - https://news.ycombinator.com/item?id=22735746

allows any web site to access your camera at any time without requesting any kind of permission or making the user aware - https://news.ycombinator.com/item?id=20387298

reinstalls itself silently after uninstall (if you click a zoom link, after uninstall) - https://news.ycombinator.com/item?id=20390755

If I were considering installing it today, I would install it only in a virtual machine after Googling what kind of protections to use when trying malware in a VM. (Since it can be expected to play shenanigans with your network and with the host's USB devices etc.) Just basic stuff, as Zoom isn't very sophisticated.

After I read all this I was angry. Not because all of this makes it obviously malware but because it's sloppy malware, and I specifically Googled whether it was sloppy, obvious malware and didn't get a clear "yes, Zoom is malware."

By the way sending data to Facebook doesn't make my list of links, as that is par for the course and anyone might do that. I have a pretty high tolerance for crap and to be honest Zoom is the only mainstream software that failed it so far.

Though I guess technically I still use Zoom every day (until I buy a new computer), you know, since I did install it that one time, before I uninstalled it...

[+] JoeAltmaier | 6 years ago
Ha, for sure. E.g. SnapChat didn't actually delete the pictures in the first versions. Apparently, they didn't know how. So they renamed them with a different extension so the photo app didn't find them. But tether your phone, and voila! they were all still there on the phone.

Didn't stop them from becoming very successful.

[+] matheusmoreira | 6 years ago
> They typically get away with bad practices until they really get massive

They get away with it because they aren't liable for any damage caused by exploitation of vulnerabilities caused by their bad practices. If they had to indemnify the victims of their negligence, I guarantee they'd care a lot more about doing things right.

[+] crazygringo | 6 years ago
Legitimate question: what is bad about this? I've read all the comments and still don't see a convincing explanation.

Code signing just says you can trust that the software you clicked on came from the actual developer.

It doesn't say anything at all about what the software does. Of course signed software can do whatever it wants. It's not like there's supposed to be some chain of trust that it's only allowed to run further signed code. It's free to run a Python script or shell command or whatever it wants. And installers certainly run scripts.

And as other comments here state, to do anything that requires root privileges, it pops up to ask for your admin password, so it's not getting around that.

I see references to this being a "malware pattern" but no explanation of why or what that means specifically. Zoom is commercial software (not malware) and I don't see how this is a vulnerability (something malware could take advantage of) so I'm not getting it.

Can someone explain what the problem is here? Or is there no problem?

[+] criddell | 6 years ago
If a script is signed, then there's a high probability that the script is going to do what it's supposed to do.

If the binary runs an unsigned script, then that script could be modified to do something malicious.

Signing isn't difficult or expensive so why not insist on it?
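To make the point above concrete, an added example that is not Zoom's code and not Apple's codesign/Gatekeeper mechanism: a launcher that pins a public key and runs a script only if a detached Ed25519 signature over the script's exact bytes verifies, so a script modified after signing is refused. The key pair is generated on the fly and the "interpreter" is a stub function, so the program is self-contained and touches nothing on the system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when the script does not verify; nothing is executed.
var ErrBadSignature = errors.New("script signature does not verify; refusing to run")

// SignScript is the release-time step: the vendor, holding the private key,
// produces a detached signature over the exact bytes of the script it ships.
func SignScript(priv ed25519.PrivateKey, script []byte) []byte {
	return ed25519.Sign(priv, script)
}

// RunVerified is the install-time step in the launcher: the public key is pinned
// in the binary, the signature is checked over the bytes about to be executed,
// and only then is the script handed to the interpreter. The interpreter is a
// caller-supplied function here so the example does not run anything real.
func RunVerified(pub ed25519.PublicKey, script, sig []byte, exec func([]byte) string) (string, error) {
	if !ed25519.Verify(pub, script, sig) {
		return "", ErrBadSignature
	}
	return exec(script), nil
}

func main() {
	// Keys are generated here for the demo; a real launcher embeds only pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	script := []byte("#!/bin/sh\necho installing\n") // constructed preflight script
	sig := SignScript(priv, script)
	stubShell := func(s []byte) string { return fmt.Sprintf("executed %d bytes", len(s)) }

	out, err := RunVerified(pub, script, sig, stubShell)
	fmt.Println(out, err) // executed 26 bytes <nil>

	// The same signature no longer covers a script that was altered after signing.
	tampered := append(append([]byte{}, script...), []byte("echo tampered\n")...)
	_, err = RunVerified(pub, tampered, sig, stubShell)
	fmt.Println(err) // script signature does not verify; refusing to run
}
```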

[+] thu2111 | 6 years ago
You're right.

Consider that any Mac app that:

* Supports plugins that aren't signed by Apple

* Executes scripts or macros from a file

would technically have the same "problem". That's a heck of a lot of apps.

On iOS Apple do insist on a full chain of security, which is why only Apple's own browser app can JIT code. It's an extremely perverse and serious limitation that has no real security justification: consider that Android manages just fine without it.

As far as I can tell, Zoom is currently the target of a witch hunt. People are digging for dirt and blowing stuff well out of proportion.

[+] kryogen1c | 6 years ago
I was about to write the same comment. I'd bet the percentage of HN readers running 100% signed code is damn close to 0.

The Zoom witch hunt is really something. Zoom may or may not be a witch (I'm no China apologist, I yell at all my friends for using TikTok), but if we get the answer right it will be based on luck and emotion, not logic and reason.

[+] d4n | 6 years ago
Hey! I posted this. Just want to be clear it still pops up and asks the user to authenticate as seen in the original post. Tried to clarify this in the thread; I don't want people to get confused and think this is worse than it is. Still really weird and follows malware patterns. Most likely not a Gatekeeper bypass or anything because delivery would be difficult, but seemed like a sketchy decision to basically write their own sudo tool into the pre-install scripts.
[+] ajphdiv | 6 years ago
Why did you delete the tweet?
[+] pvg | 6 years ago
I'm not super familiar with Apple's policies but is this really such a grave sin on OS X? The purpose of the signature, as I understand it, is mostly to assure the user of the provenance of the code and, in a pinch, let Apple disable it. It's not intended as some bulletproof runtime security mechanism and it's easy to think of lots of apps that would be signed but could legitimately execute some form of unsigned code.
[+] ajconway | 6 years ago
Meanwhile most of us curl stuff directly into our shells sometimes: https://brew.sh
[+] DarkWiiPlayer | 6 years ago
At least in those cases we know it's happening and we can have a look at the script if we want.
[+] stuff4ben | 6 years ago
Oh I hate that! For apps I want that do that, I first search if there are alternative installation methods available and use those, even if it's more work. Barring that, I will usually take a look at the script for anything it tries to download or any permissions it's trying to set. But if I'm in a hurry...sometimes I just run it...
[+] saagarjha | 6 years ago
…that’s just one of the security issues with Homebrew.
[+] Thomaschaaf | 6 years ago
In a couple of weeks the public will have done a complete audit of all of Zoom's tools.
[+] iainmerrick | 6 years ago
With zero impact on Zoom’s practices or their popularity, probably.

Edit to add: I mean, I hope they’ll lose a substantial number of paying customers over this? But I doubt it.

[+] rvz | 6 years ago
That, my friends, is the textbook definition of high quality malware.
[+] badrabbit | 6 years ago
Not a problem if everyone used Linux. (Sarcasm intended: no workable binary signing)
[+] e12e | 6 years ago
You're right, but there is signing of kernel and modules now, via secure boot, e.g.: https://access.redhat.com/documentation/en-US/Red_Hat_Enterp...

I'm not sure about binaries in general - having secure boot as an anchor at least makes the exercise less futile - but there is an interesting point brought up here:

https://stackoverflow.com/questions/1732927/signed-executabl...

Dynamic linker, dynamic libraries and dlopen.

I see solaris has elfsign - and it appears to be in OpenSolaris too: https://github.com/joyent/illumos-joyent/blob/master/usr/src...

Not sure if it would work on Linux - and you might want to prevent running unsigned binaries. Not sure if that's a thing on OpenSolaris. Still, being able to verify a binary might help with handling random downloads, I suppose.

[+] gregoriol | 6 years ago
Now that it's clear that Zoom developers do their best to do the worst, Apple should ban it entirely from their platforms
[+] HumblyTossed | 6 years ago
They can't. Not now at least. For better or worse, people all over are using Zoom to stay in contact. If Apple banned it, it would be extremely difficult for them to not take a PR hit right now.
[+] gtirloni | 6 years ago
If I buy an Apple device, it's mine, not Apple's to decide what I run on it.
[+] ajphdiv | 6 years ago
This software isn't available through the Mac App Store. Hopefully, we never get to the point where Apple can decide what I can/can't run on my Mac.
[+] fouc | 6 years ago
I wouldn't be surprised if some other MacOS apps pull similar tricks.

Interesting that we didn't know Zoom did this until everyone started using it, and someone finally audited it.

[+] dchest | 6 years ago
How would you bypass Gatekeeper with that? Something needs to run it. If you can, why can't you just do the same with osascript instead of running zoomAuthenticator?

   /usr/bin/osascript -e 'do shell script "touch /tmp/ran_successfully " with administrator privileges'
[+] peterwwillis | 6 years ago
The tweet has already been deleted. You don't get substantive content from a tweet, you don't get detail, they're hard to follow when threaded, and usually they aren't well thought out or researched. Please don't submit (or upvote) tweets. It would actually be better if you created a blog post with a screenshot of it and posted that.
[+] Chlorus | 6 years ago
Not sure why you're being downvoted - I expect more meat from a submission than 'here's a context-free few sentences on a tweet!'
[+] zelivans | 6 years ago
Any context as to why the tweet was deleted?
[+] macspoofing | 6 years ago
Curious why the focus on Zoom specifically given that there are 10,000 different conferencing products out there.

Are they the biggest?

[+] shrew | 6 years ago
Since all the lockdowns and social distancing rules have come into play for COVID-19, Zoom has seen a huge increase in consumer usage. That in turn has led to increased scrutiny as more people use it.

Besides that, this certainly isn't the first time Zoom's shady practices have been exposed, where many other conferencing products haven't had such a track record.

[+] gnachman | 6 years ago
What’s the right way to sign a script? I’ve spent some time researching this and never found a satisfactory answer.