
Tell HN: Zoom runs application from Time Machine backup when uninstalled on Mac - vicken
I noticed something really peculiar this morning when I was invited to a Zoom meeting. I had uninstalled Zoom the night before but when I clicked the Join Meeting link, I was still prompted by the browser to open the zoom.us application. I went ahead and clicked OK to open it and I got the OSX popup: "You're opening the application "zoom.us" for the first time. Are you sure you want to open this application?" ([https://imgur.com/nsOV3d5](https://imgur.com/nsOV3d5))

I checked my Applications folder and didn't see Zoom there so I clicked the "Show Application" button in the popup and it ended up opening the Applications folder from one of my Time Machine backups with Zoom installed.

I tested this with both Firefox and Chrome with the same results. Now I don't know if this is an OSX specific issue, a browser issue, or a Zoom issue.

Can anyone else confirm the same or similar behavior on Mac? If anyone can also shed some insight about this behavior, it would be much appreciated.
======
saagarjha
This sounds like it might be a bug/misconfiguration in Launch Services, which
deals with things like application registration and URL scheme handling. Since I
would expect your browser to do something like call to the system to open the
URL (LSOpenURLsWithRole, et al.) I don't think this is a problem with Zoom.

~~~
1over137
In which case the following may help:

Dump LS database:
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump > ~/lsdump.txt

Purge LS database:
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill -r -domain local -domain system -domain user

------
wool_gather
It's doubtful that this is Zoom doing anything in particular.

Rather it's likely the OS doing the best it can to handle the URL for you. The
OS has a mapping between the URL and the bundle identifier of the app, and
apparently looked for the bundle on a disk that happened to be attached, after
it didn't find it on your main disk. Which is perfectly reasonable in itself.

~~~
mulmen
This is unexpected to me. If I remove an application I do not expect it to
run. If the OS is willing to reach into the Time Machine backups will it also
modify them? What if I delete an app, run it then install an update? Will it
install to the backup? That would be very unexpected.

Looking at multiple application directories is one thing but executing things
from the backup directory is another.

~~~
szhu
I checked before, and if I recall correctly, Time Machine backups are
protected at the kernel level -- you cannot modify them, even with sudo. You
can delete the whole backup, but you cannot modify part of it.

> but executing things from the backup directory is another.

Time Machine backups are structured in a very non-proprietary way. Each backup
is just a folder, protected from modifications, with hard links used to save
space. If anything, I'd say good on Apple for supporting a backup format that
works exactly like making a copy of a folder.

~~~
macshome
You can also delete items from your backup. So like if you wanted to delete Zoom
from Time Machine just select it in a backup and then select the option to
remove it from all your backups from the Action menu or a right-click.

~~~
mulmen
Ok but why would I do that? The whole idea of a backup is that I can... go
back.

Do other apps launch from backups like this? It’s very strange.

My expectation is that if I want to go back to a backup I have to restore that
backup first then run the application. Executing from a backup is surprising
and frankly difficult to reason about. What version is even running? How would
I know?

------
floatingatoll
Open a bug with Apple about this. They fixed an issue I reported a few years
back about being able to launch applications in the Trash. They will likely
want to add the same restriction to Time Machine Backups as well.

~~~
rbanffy
What if you need to run an old version of the application?

~~~
greglindahl
An informative popup beats running a deleted app any day of the week.

------
ben509
It'll do that with any application on the Mac, this is not peculiar to Zoom.
The Time Machine backup is, as far as the Finder is concerned, just another
volume. It'll prefer applications on the root volume, but it'll launch them
from other volumes as well.

~~~
ddrt
So as long as the victim has time machine enabled and had an attack tool on
their computer within the TM timeframe… the attacker could at any time re-
initiate that tool from the grave? That's a huge security logic hole…

------
mikekij
I wasn't aware that any non-OS service even had access to data and
applications saved in Time Machine. This might be worthy of a bug bounty
report to Apple.

~~~
aasasd
There's at least one app for figuring out why every hourly backup takes half a
gigabyte. It _might_ require root privileges, but I doubt that.

~~~
saagarjha
Wait, is that not normal?

~~~
yjftsjthsd-h
... unless you are writing a half-gig every hour, why would that be _remotely_
expected?

~~~
saagarjha
I would think that it's touching a bunch of log files slightly or something…

~~~
aasasd
My guess so far is something like Firefox's history database.

~~~
Yetanfou
If that is half a GB Firefox would be crawling. Here it is around 60MB on a
well-used machine with an ancient FF profile.

------
pvg
On a current version of OS X you should be getting something that looks like
this on attempts to launch an app from a backup:

[https://i.imgur.com/eHlkGt0.png](https://i.imgur.com/eHlkGt0.png)

------
netsharc
It sounds like a (Mac OS|OSX) issue, because why is it looking for URL
handlers in its backups?

You could test it with Slack, they also use the same way ("tell the browser to
load a URL") to load their app from the browser.

------
aasasd
Sort of sidetracking, but: afaik applications open from a browser via a custom
protocol in a link, and for that the application has to be already
installed—unless MacOS offers to search the app store (if it does, not sure).
So, this suggests to me that either MacOS leaves protocol associations in
place after uninstalling an app, and has the machinery to resurrect such an
app from the backups, or Zoom leaves around a protocol-handling app after an
uninstall.

~~~
kalleboo
As with file types, the URL protocols an app can handle are configured in the
app's Info.plist. An app doesn't have to be "installed" in any special way,
the app just has to be somewhere on a disk mounted where the OS can see it in
order for the OS to find it.

In OP's case, Zoom.app was still hanging out in his backup, ready to be
launched (Time Machine backups are just a standard disk image)
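
The point above, that a bundle only needs to sit on a mounted disk with URL schemes declared in its Info.plist, can be checked directly. The Python below is an added example, not code from the thread: it walks the given roots, reads each bundle's `CFBundleURLTypes` / `CFBundleURLSchemes`, and reports bundles that live outside the application folders you trust. The app names, bundle identifiers, schemes and backup layout in `demo()` are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

def url_scheme_handlers(roots):
    """Return (scheme, bundle_id, app_path) for every .app bundle under roots."""
    found = []
    for root in roots:
        for plist_path in sorted(Path(root).rglob("*.app/Contents/Info.plist")):
            try:
                with plist_path.open("rb") as fp:
                    info = plistlib.load(fp)  # handles XML and binary plists
            except Exception:
                continue  # unreadable or malformed plist: skip this bundle
            if not isinstance(info, dict):
                continue
            app = str(plist_path.parent.parent)
            bundle_id = info.get("CFBundleIdentifier", "?")
            for url_type in info.get("CFBundleURLTypes", []):
                for scheme in url_type.get("CFBundleURLSchemes", []):
                    found.append((scheme.lower(), bundle_id, app))
    return found

def outside_trusted(handlers, trusted=("/Applications", "/System/Applications")):
    """Keep only handlers whose bundle is not inside a trusted folder."""
    prefixes = [str(t).rstrip("/") + "/" for t in trusted]
    return [h for h in handlers if not any(h[2].startswith(p) for p in prefixes)]

def make_app(app, bundle_id, schemes):
    """Write a minimal constructed bundle containing only an Info.plist."""
    contents = app / "Contents"
    contents.mkdir(parents=True)
    with (contents / "Info.plist").open("wb") as fp:
        plistlib.dump({"CFBundleIdentifier": bundle_id,
                       "CFBundleURLTypes": [{"CFBundleURLSchemes": schemes}]}, fp)

def demo():
    """Constructed tree: one live app, one stale copy inside a backup folder."""
    tmp = Path(tempfile.mkdtemp())
    live = tmp / "Applications"
    backup = tmp / "BackupDisk/Backups.backupdb/mac/2020-04-01/Applications"
    make_app(live / "Notes.app", "com.example.notes", ["example-notes"])
    make_app(backup / "Meet.app", "com.example.meet", ["example-meet"])
    return outside_trusted(url_scheme_handlers([tmp]), trusted=[live])

if __name__ == "__main__":
    for scheme, bundle_id, app in demo():
        print(f"{scheme}:// -> {bundle_id} at {app}")
```

This only reads what bundles declare on disk; it does not query the Launch Services database itself.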

------
thr0w__4w4y
I wish I could remember / find it right now, maybe it was my Witopia VPN? Need
to check...

Anyway, I've had at least one application that said to remove it, first delete
it, AND THEN EMPTY THE TRASH (?!?!) and maybe even reboot. Most of us are
probably more troubled by the trash-empty thing than the reboot thing.

EDIT: OK Alzheimer's hasn't gotten me yet. It was Witopia / personalVPN:

[https://www.personalvpn.com/support/set-vpn-mac/app-setup-for-macos-10.14](https://www.personalvpn.com/support/set-vpn-mac/app-setup-for-macos-10.14)

Just search the page for the word "empty". It reads:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2\. If you already had the WiTopia personalVPN app installed previously: Go to
your FINDER > Applications folder > Drag the WiTopia app from there to the
trash > and empty the trash* to remove the existing app.

* If the trash is not emptied, this will not work!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------
taurath
I guess in some sense it is the price one pays for "it just works". The main
problem I have is this seems like going to very far extremes in order to run
the app no matter what and the tradeoffs were never discussed or put in front
of people, which I find to be pretty unethical. Sort of like the privacy
debate - the tradeoffs of everyone sharing their personal data were never
really up for debate.

~~~
nexuist
This is a bit of a charitable explanation. How can any project manager say,
with a straight face, "we need to make sure the application is still
available, even if the user deletes it." How can you accidentally delete an
application? It is not like you press a button by accident and it is suddenly
gone. Deleting an application requires the user to express intent and go
through a process (go to the Applications folder, find the app, delete it,
remove from trash).

There is malware that is easier to get rid of than Zoom.

~~~
Izkata
> How can any project manager say, with a straight face, "we need to make sure
> the application is still available, even if the user deletes it."

Someone absolutely did, though. Remember last summer when it came out that
uninstalling Zoom would leave a local webserver running that would
automatically reinstall it if you accessed a Zoom link?

[https://www.macworld.com/article/3407764/zoom-mac-app-flaw-camera-patch.html](https://www.macworld.com/article/3407764/zoom-mac-app-flaw-camera-patch.html)

------
robterrell
If your time machine backup volume was mounted, I would expect this behavior.
Back in the old days, when storage was at a premium, you could have
applications stored on a network volume, so they would be shared by everyone
on the LAN. The OS would launch an application that matched the requested file
type from any mounted volume.

If it wasn't mounted, I would file a bug.

Either way, not really Zoom's fault.

------
s09dfhks
another plug for the zoom redirect plugin
[https://github.com/arkadiyt/zoom-redirector](https://github.com/arkadiyt/zoom-redirector)

~~~
ComputerGuru
Except it appears Zoom has disabled their web client for now?

~~~
doc_gunthrop
How up-to-date is this? I was able to join a zoom videoconference yesterday
evening from the web browser.

And while on the topic of the web client, it turned out to be a very
disappointing experience. There was no way to set focus on a given attendee; I
wanted to view the host's video feed but the website kept switching feeds,
seemingly haphazardly, to different attendees.

~~~
ComputerGuru
This is just today.
[https://github.com/arkadiyt/zoom-redirector/issues/7](https://github.com/arkadiyt/zoom-redirector/issues/7)

~~~
toohotatopic
My guess is that people stop using their native clients due to the security
problems and now their webrtc servers are beyond capacity.

Could it be that they are limited by the number of servers that are available
to them? A webrtc bridge shouldn't have a bottleneck and should perfectly
scale. Who is their cloud provider?

