item 28213292

Ask HN: Why does Zoom Desktop examine all processes and arguments?

547 points | neolog | 4 years ago

Looking at syscalls, I see Zoom desktop reads all processes and arguments.

    [pid 3844872] stat("/proc/1", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
    [pid 3844872] openat(AT_FDCWD, "/proc/1/stat", O_RDONLY) = 4
    [pid 3844872] openat(AT_FDCWD, "/proc/1/cmdline", O_RDONLY) = 4
    [pid 3844872] readlink("/proc/1/exe", 0x20c0520, 1024) = -1 EACCES (Permission denied)
    [pid 3844872] stat("/proc/2", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
    [pid 3844872] openat(AT_FDCWD, "/proc/2/stat", O_RDONLY) = 4
    [pid 3844872] openat(AT_FDCWD, "/proc/2/cmdline", O_RDONLY) = 4
    [pid 3844872] stat("/proc/3", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
    [pid 3844872] openat(AT_FDCWD, "/proc/3/stat", O_RDONLY) = 4
    [pid 3844872] openat(AT_FDCWD, "/proc/3/cmdline", O_RDONLY) = 4    
    ...
Why would it do that? Is there any way to prevent it?

263 comments

[+] reilly3000|4 years ago|reply
Zoom has a popular feature which allows for screen sharing a single application window instead of the entire desktop. I assume this is how it's discovering running applications with GUI windows open in a cross-platform manner. Perhaps there is a better API for this? It's not a common use-case that an app would need to know all of the other open windows, but it seems like a perfectly valid use case, and frankly handy for sharing a PPT without fear of an embarrassing email showing up during a meeting.
[+] cranekam|4 years ago|reply
There’s nothing in /proc/PID/cmdline etc that would definitely confirm an app has a GUI. The two concepts are at very different layers of the stack — to the OS the GUI is just another app on top of the kernel. Mayyyyyybe Zoom could be doing some crude pattern matching on process name or environment variables of a given process (though it’d only be able to read data of processes running as the same user) but it’s a long shot.

Personally I’d guess it is either some other library Zoom uses or some kind of debug info capturing system. But I don’t work at Zoom so who knows.

[+] twic|4 years ago|reply
I run Zoom from flatpak, which runs it in a container, and sandboxes it to some extent [1]

This probably explains why, when I try to screenshare a single application window, not every application shows up! I can share my browser, file manager, and various other things, but not windows for games started by Steam.

[1] I followed these instructions https://www.mayrhofer.eu.org/post/zoom-flatpak-sandboxing/

[+] woodruffw|4 years ago|reply
Based on OP's snippet they're probably doing this on Linux. Assuming the presence of X11 and an EWMH-compatible window manager, they could query X11 directly and ask the root window for its `_NET_CLIENT_LIST` attribute. That, in turn, would list every "semantic" (i.e., non-decorative) window currently open on the current display.

But that doesn't work for non-X11 or if the WM is non-EWMH compliant. Presumably Wayland has a similar API, and non-EWMH is probably a minuscule group that considers this a desirable feature.

[+] kelnos|4 years ago|reply
> I assume this is how its discovering running applications with GUI windows open in a cross-platform manner.

That's definitely not a cross-platform way of doing it (and I doubt there is one, even).

On Linux you'd use libX11 and just enumerate all windows (using XQueryTree()). Walking the contents of /proc is not only unnecessary, but is more difficult to do, as looking at executable names won't tell you if a program has a GUI, or if it has any open windows. It won't give you window titles, or how many windows are open, or how to grab their contents.

Pretty sure Zoom is snooping on us and is gathering telemetry.

[+] yakubin|4 years ago|reply
> handy for sharing a PPT without fear of an embarrassing email showing up during a meeting.

When you share a single window in Zoom, notifications are still visible to others in the meeting when they overlap with the window you're sharing. That's the case for e.g. Slack notifications.

[+] dathinab|4 years ago|reply
> I assume this is how its discovering running applications with GUI windows open in a cross-platform manner.

The screen sharing functionality is handled by a mix of protocols of the window manager and service providers announced over dbus.

Even if you want to map GUI windows to processes you would do so by getting a list of windows from the window manager and getting the pid property of the windows, but if you have a list of windows you don't need to scan processes anymore...

There might (I'm not sure) be valid use-cases for this behaviour but I'm pretty confident screen sharing of specific windows isn't part of it.

[+] sails|4 years ago|reply
Does Teams do this in the same way? They offer the same feature
[+] ineedasername|4 years ago|reply
Reminds me a bit of how platforms like Citrix will publish single applications. Considering you can give control to another user with Zoom I suppose it's a lot like that, although I know the underlying tech is very different.
[+] barbs|4 years ago|reply
I'm pretty sure Jitsi allows for screen-sharing a particular application so I'm curious to know how that works. Might check the source later.
[+] birksherty|4 years ago|reply
Google meet running in a browser can share any application specific windows. Not sure if it also does the same thing though.
[+] dllthomas|4 years ago|reply
> Why would it do that?

We can answer part of that with just a little more reading. What's pid 3844872?

For me, the series of queries against /proc happen from a process that, just a bit earlier, called exec. So it's not really zoom reading "all processes and arguments" but ... `pidof gnome-session`, so I guess zoom is looking for the pid of gnome-session.

To what nefarious purpose zoom intends to put this knowledge of gnome-session's pid, I can't say - I am not running gnome-session so my trail goes cold; but at least for me, for that particular run, zoom itself doesn't actually see the contents of all of those files.

[+] xfitm3|4 years ago|reply
It not only examines all processes and arguments - it leverages the microphone to act on ultrasonic cues for "integrations". Zoom is a privacy dumpster fire.

https://devforum.zoom.us/t/ultrasonic-connection/3318

[+] xenonite|4 years ago|reply
Ultrasonic sound transmission is what Cisco WebEx also claims to do. So it's not something unheard of (although it is not hearable).
[+] est|4 years ago|reply
Any application that allows remote screen recording is basically a trojan horse.
[+] vishho|4 years ago|reply
Zoom has attention tracking, which, when enabled silently, shows an admin if the screen is maximized or if the user is focused on other applications. They don't yet tell admins what other apps the user is active in, just whether the user is active.

Another angle for Zoom to do that, is that it is a massive Chinese spyware application, which can target users by meta data or IP, like it did by messing with the calls of activists. A bit like how anti-virus companies are sometimes charged with exfiltrating secret documents.

[+] bowmessage|4 years ago|reply
Oh, yuck, I didn't know this was a thing but it looks like it has since been removed:

https://support.zoom.us/hc/en-us/articles/115000538083-Atten...

> As of April 2, 2020, we have removed the attendee attention tracker feature as part of our commitment to the security and privacy of our customers. For more background on this change and how we are pivoting during these unprecedented times, please see a note from our CEO, Eric S. Yuan.

[+] hashhar|4 years ago|reply
That feature got pulled last year and hasn't existed for over a year and a half now.
[+] dmart|4 years ago|reply
Perhaps a better question to ask would be "why is any process allowed to do this by default in 2021?"
[+] acatton|4 years ago|reply
Because it's a legitimate behaviour. htop needs to do this, it's literally its main feature.

You can use hidepid=2 to prevent users from seeing other user's processes list.[1]

But I don't want my OS to ask me "do you want to allow htop to access the list of your processes" — à la Windows Vista — every time I want to run htop to see my user processes.

The issue here is closed source software with no way to inspect what they do.

If one really wants to run closed source programs which were not vetted by their distro's maintainers, they should use firejail.[2]

[1] https://www.cyberciti.biz/faq/linux-hide-processes-from-othe...

[2] https://firejail.wordpress.com/

[+] swiley|4 years ago|reply
Because you're not supposed to be downloading random binaries from the internet and running them like some toddler on Windows or OSX would.

STOP DOING THAT.

[+] fsflover|4 years ago|reply
This is not the case on Qubes OS, which I use. If you care about security, can't recommend it enough.
[+] jlgaddis|4 years ago|reply
> Is there any way to prevent it?

Mounting /proc with "hidepid=2" should prevent it from seeing processes owned by other users, although it would still be able to see your processes.

Alternatively, it shouldn't be too hard to create an AppArmor profile that blocks access to /proc.

Other options might include things like SELinux, seccomp-bpf, namespaces, cgroups, etc., depending on what's available on your host.

Or you could just, you know, obliterate it from your system altogether. That's almost certainly the best option.
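
An added example (mine, not Zoom's code and not from anyone in the thread) of what the walk shown in the question's strace actually yields, and how much of it the hidepid=2 suggestion above removes. enumerate_procfs() performs the same stat / cmdline / readlink-exe sequence; split_by_hidepid() partitions the result into what a hidepid=2 mount would still show the caller (its own processes) and what it would hide (everyone else's). SECRET_FLAGS and make_fake_procfs() are constructed for the demonstration and are not part of any real tool; the fake tree only exists so the logic can be exercised offline.

```python
"""What a plain /proc walk hands to an unprivileged local process, and what hidepid=2 changes.

Added example, not Zoom's code. enumerate_procfs() does what the strace in the
question shows (stat /proc/N, read cmdline, readlink exe); split_by_hidepid()
partitions the result the way a hidepid=2 mount would.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ProcEntry:
    pid: int
    uid: int                        # owner of /proc/<pid>; hidepid=2 hides entries whose uid != caller's
    argv: List[str] = field(default_factory=list)  # /proc/<pid>/cmdline: NUL-separated, world-readable
    exe: Optional[str] = None       # readlink /proc/<pid>/exe; EACCES across uid boundaries, as in the OP's trace


def enumerate_procfs(proc: str = "/proc") -> List[ProcEntry]:
    """Walk the numeric entries of `proc` the way pidof/ps (and the traced process) do."""
    entries = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue                # /proc/self, /proc/sys, ... are not processes
        pid_dir = os.path.join(proc, name)
        try:
            st = os.stat(pid_dir)
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue                # exited mid-walk, or hidden from us by hidepid
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            exe = None              # EACCES for other users' processes, ENOENT for kernel threads
        entries.append(ProcEntry(int(name), st.st_uid, argv, exe))
    return entries


def split_by_hidepid(entries: List[ProcEntry], uid: Optional[int] = None) -> Tuple[List[ProcEntry], List[ProcEntry]]:
    """With proc mounted hidepid=2 a caller sees only entries it owns: return (visible, hidden)."""
    uid = os.getuid() if uid is None else uid
    visible = [e for e in entries if e.uid == uid]
    hidden = [e for e in entries if e.uid != uid]
    return visible, hidden


# Constructed watch-list for the demo; a real secret scanner would use far broader patterns.
SECRET_FLAGS = ("--password", "--token", "-p")


def argv_secrets(entries: List[ProcEntry]) -> List[ProcEntry]:
    """Secrets passed as arguments are readable by every local user through cmdline,
    whatever the permissions on the secret file itself."""
    def leaky(arg: str) -> bool:
        return any(arg == f or arg.startswith(f + "=") for f in SECRET_FLAGS)
    return [e for e in entries if any(leaky(a) for a in e.argv)]


def make_fake_procfs(cmdlines: dict) -> str:
    """Build a throwaway procfs-shaped tree for offline testing: {pid: argv} -> root path.
    Every entry is owned by the caller, so the hidepid split can only be varied via `uid`."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.makedirs(os.path.join(root, "self"))   # non-numeric, must be skipped like /proc/self
    for pid, argv in cmdlines.items():
        os.makedirs(os.path.join(root, str(pid)))
        with open(os.path.join(root, str(pid), "cmdline"), "wb") as f:
            f.write(b"".join(a.encode() + b"\0" for a in argv))
    return root


if __name__ == "__main__":
    procs = enumerate_procfs()
    visible, hidden = split_by_hidepid(procs)
    print(f"{len(procs)} processes readable now; hidepid=2 would hide {len(hidden)} "
          f"and still expose {len(visible)} of yours")
    for e in argv_secrets(procs):
        print(f"pid {e.pid} (uid {e.uid}) leaks a secret via argv: {' '.join(e.argv)}")
```

Run it unchanged to walk the real /proc; the fake tree is only there so the partitioning and argv checks can be exercised without depending on what happens to be running.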

[+] nonameiguess|4 years ago|reply
You can edit /usr/share/applications/Zoom.desktop to run inside of bubblewrap, similar to how the Arch Wiki suggests doing this for Skype: https://wiki.archlinux.org/title/Bubblewrap#Skype_for_Linux

Since this puts it in its own PID and mount namespace, it won't see any processes except itself and its children. You can even try not mounting /proc in the container this makes at all and see what happens.

This is effectively what flatpak does, but doing it yourself doesn't require installing flatpak.

[+] hdjjhhvvhga|4 years ago|reply
I don't understand why anyone who is forced to use it doesn't use it in a browser (I have a separate Firefox container for that, same for Teams).
[+] minitech|4 years ago|reply
> Mounting /proc with "hidepid=2" should prevent it from seeing processes owned by other users

Note that this isn’t a supported configuration for systemd and will totally break it. (Which is too bad, because it’s a sensible default.)

[+] _Algernon_|4 years ago|reply
Wouldn't using it through the browser prevent this?
[+] noobermin|4 years ago|reply
I'll be annoying and say if people used the FOSS alternatives we wouldn't have to be so paranoid about a tool we all use.
[+] wins32767|4 years ago|reply
If I had to guess it's for screen sharing.
[+] _sgianelli|4 years ago|reply
If so, that seems like a great place for someone like Apple or Microsoft to offer an API to bolster security and privacy
[+] tyingq|4 years ago|reply
Enumerating window handles and titles would be more suited to that. It will need that anyway to share the window. On a multi-user system, it could see processes attached to displays it has no access to.
[+] luke2m|4 years ago|reply
> Is there any way to prevent it?

Use a flatpak

[+] jagged-chisel|4 years ago|reply
> Is there any way to prevent it?

Hook the stat, openat, readlink functions within the zoom process, experiment with blocking (returning failure) based on arguments.

[+] nullc|4 years ago|reply
How else would they backup your command-line passed passwords and private keys for you?
[+] cranekam|4 years ago|reply
I assume this is a joke comment because I have never heard of passing a private key (the contents of one, not the file name) as a command line argument. It’d be ten times worse than asking what someone’s wifi password was and being told some 40-digit hex string.
[+] akira2501|4 years ago|reply
> Is there any way to prevent it?

Put it into its own namespace, and only allow it to connect to your X11 session over TCP.

[+] the8472|4 years ago|reply
> Is there any way to prevent it?

Firejail[0] allows cobbling together various linux sandboxing features, including namespaces which should result in an isolated proc filesystem which doesn't see the other processes. But I don't know if the default profile for zoom does that, you have to test it or write your own.

[0] https://github.com/netblue30/firejail

[+] tryauuum|4 years ago|reply
(incompetence here) Maybe it's like discord, it does the same to display messages like "$username is playing terraria right now"
[+] wwweston|4 years ago|reply
Discord leaks which apps you're using to other people?
[+] gwbas1c|4 years ago|reply
I'm going to assume this happens when you aren't trying to share your screen.

I once worked on a file synchronization application that would scan processes when files were locked. I don't remember if we put the process name in the UI, but we logged detailed information about the other process in case someone contacted support. (Sometimes users ran weird applications that kept files locked.) I believe we had to scan through all processes and inspect their open file handles.

I would assume some things like: Maybe there are applications that are known to cause problems for Zoom? Maybe some applications lock the camera or microphone? Maybe some applications hog the CPU and cause encoder problems?

If you really want to know more, consider decompiling zoom and/or looking at strings compiled into the binary.

[+] dllthomas|4 years ago|reply
It happens right at startup, and is a result of some calls (via the usual fork/exec dance) to `pidof ...` seemingly trying to identify the window manager being used, possibly for telemetry or possibly to change behavior. Decompiling would be more certain (I don't have ghidra on this computer and it's a little more effort than I want to go to) but the pattern is pretty visible in the strace dump.
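
An added example (mine, not code from the thread or from Zoom) of the reading-back technique dllthomas describes in both of his comments: take an `strace -f` log, find every pid that touches /proc/<N>/ entries, then look back for that pid's most recent execve() and for the parent that forked it, so the scan is attributed to the program image that actually performed it. The trace embedded below is constructed for illustration: the /proc lines are the ones from the question, but the pids, the `/opt/zoom/zoom` path and the `sh -c "pidof gnome-session"` chain are assumptions, not taken from the original post.

```python
"""Attribute /proc scans in an `strace -f` log to the program image that made them.

Added example, not code from the thread. Instead of reading
'[pid N] openat(..., "/proc/1/cmdline", ...)' as "the app reads every process",
find pid N's most recent execve() and the parent that forked it.
"""
import re
from collections import defaultdict

# One completed strace -f line: optional "[pid N]" prefix, syscall, argument text, result.
_LINE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)\)\s*=\s*(\S+)')
# The same for a "<... clone resumed>) = N" continuation line.
_RESUMED = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?<\.\.\. (\w+) resumed>(.*)\)\s*=\s*(\S+)')
# A C-style quoted string as strace prints it (escapes left verbatim).
_QSTR = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Paths under /proc/<pid>/ ; /proc/self and /proc/sys are not scans of other processes.
_PROC_PID = re.compile(r'"/proc/(\d+)(?:/|")')

FORKS = {"fork", "vfork", "clone", "clone3"}


def parse_argv(exec_args: str) -> list:
    """Decode the argv array out of execve()'s argument text, e.g.
    '"/usr/bin/pidof", ["pidof", "gnome-session"], 0x55d4 /* 42 vars */' -> ["pidof", "gnome-session"]."""
    start, end = exec_args.find("["), exec_args.find("]")
    if start < 0 or end < start:
        return []
    return _QSTR.findall(exec_args[start:end])


def attribute_proc_scans(trace_lines, main_pid=None):
    """Return {pid: info} for every pid that touched /proc/<N>/ entries.

    main_pid names the traced process for lines strace prints without a
    "[pid N]" prefix (it omits the prefix until a second process exists).
    The syscall name is irrelevant for detection, so stat/newfstatat/statx,
    openat and readlink are all caught by the path they name.
    """
    parent = {}                 # child pid -> parent pid, from fork/clone return values
    execs = defaultdict(list)   # pid -> argv of each successful execve, in order
    scans = {}                  # pid -> {"proc_reads": n, "pids_touched": {...}}
    for line in trace_lines:
        m = _LINE.match(line.strip()) or _RESUMED.match(line.strip())
        if not m:
            continue            # "<unfinished ...>", signals, exit lines and other non-calls
        pid_s, name, args, result = m.groups()
        pid = int(pid_s) if pid_s else main_pid
        if pid is None:
            continue
        if name == "execve" and result == "0":
            execs[pid].append(parse_argv(args))
        elif name in FORKS and result.isdigit():
            parent[int(result)] = pid   # may arrive after the child's first syscalls
        else:
            for target in _PROC_PID.findall(args):
                info = scans.setdefault(pid, {"proc_reads": 0, "pids_touched": set()})
                info["proc_reads"] += 1
                info["pids_touched"].add(int(target))

    report = {}
    for pid, info in scans.items():
        chain, p = [], parent.get(pid)
        while p is not None and p not in chain and len(chain) < 64:
            chain.append(p)
            p = parent.get(p)
        report[pid] = {
            **info,
            "argv": execs[pid][-1] if execs.get(pid) else None,
            "exec_history": list(execs.get(pid, [])),
            "ancestry": [(a, execs[a][-1] if execs.get(a) else None) for a in chain],
        }
    return report


def summarize(report) -> list:
    """One human-readable line per scanning pid."""
    out = []
    for pid, info in sorted(report.items()):
        who = " ".join(info["argv"]) if info["argv"] else "<no execve seen>"
        via = " <- ".join(" ".join(a) if a else f"pid {p}" for p, a in info["ancestry"])
        out.append(f"pid {pid} ({who}) spawned by {via or '<unknown>'}: "
                   f"{info['proc_reads']} /proc reads across {len(info['pids_touched'])} pids")
    return out


# Constructed trace: the /proc lines are the ones from the question; the pids, the
# binary path and the "sh -c" -> pidof chain (dash execs a single command in place,
# so the same pid execve()s twice) are assumptions for the demonstration.
SAMPLE_TRACE = """\
execve("/opt/zoom/zoom", ["zoom"], 0x7ffe3c1b0e40 /* 42 vars */) = 0
[pid 3844870] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2a1c0c5a10 <unfinished ...>
[pid 3844872] execve("/bin/sh", ["sh", "-c", "pidof gnome-session"], 0x7ffe3c1b0e40 /* 42 vars */) = 0
[pid 3844870] <... clone resumed>) = 3844872
[pid 3844872] execve("/usr/bin/pidof", ["pidof", "gnome-session"], 0x55d4f1c2a2a0 /* 42 vars */) = 0
[pid 3844872] stat("/proc/1", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 3844872] openat(AT_FDCWD, "/proc/1/stat", O_RDONLY) = 4
[pid 3844872] openat(AT_FDCWD, "/proc/1/cmdline", O_RDONLY) = 4
[pid 3844872] readlink("/proc/1/exe", 0x20c0520, 1024) = -1 EACCES (Permission denied)
[pid 3844872] stat("/proc/2", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 3844872] openat(AT_FDCWD, "/proc/2/stat", O_RDONLY) = 4
[pid 3844872] openat(AT_FDCWD, "/proc/2/cmdline", O_RDONLY) = 4
[pid 3844870] openat(AT_FDCWD, "/proc/self/status", O_RDONLY) = 5
[pid 3844870] wait4(3844872, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 3844872
"""

if __name__ == "__main__":
    for line in summarize(attribute_proc_scans(SAMPLE_TRACE.splitlines(), main_pid=3844870)):
        print(line)
```

To produce a real log to feed it, `strace -f -o zoom.trace -e trace=execve,clone,clone3,fork,vfork,openat,stat,newfstatat,statx,readlink <command>` keeps the file small; pass the pid of the traced process as main_pid for the lines before the first fork.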
[+] egberts|4 years ago|reply
Polling for all processes is the technique used by some educators’ quiz/test/exam program.

Zoom is probably footholding their place as to be able to inform its educator whether their students’ behavior is acceptable or they are cheating.

Most probably.

[+] mcrmonkey|4 years ago|reply
I can only think the most direct usage for this info is to feed the performance screen/tab that lives in settings showing CPU and memory usage

But some of the info it's reading seems a little bit too much

cough 'telemetry' cough