
BlueJeans also runs a webserver when installed on macOS - LeoNatan25
https://support.bluejeans.com/s/article/BlueJeans-Detector-Service
======
zelon88
Typical "My functionality is the only thing that matters" pretentious mindset.

It's a general purpose personal computer. Not some device you sold me which
exists for the purpose of solely connecting to your app.

Let's treat automobiles the same way you'd like us to treat computers. I go to
a Shell station to fill up with gas. They have custom nozzles, and I have to
drill a hole and weld on a special fitting to get gas. Two days later I go to
BP and fill up again. They have proprietary nozzles that don't work with Shell
fittings. So I drill another hole and weld on another fitting. 6 months and 40
gas stations later my car barely moves because it's a tragic mess of holes and
ugly shit welded all over it. Why? Well I might want to stop at a Shell
station in the future.

F __* that and any company who operates this way.

~~~
basch
It's a bit of an arms race between bluejeans, zoom, webex, gotomeeting, teams
for who can get people into a meeting with the least friction. The people
requesting meetings are probably also the ones requesting "make it easier for
people to get into my meetings."

------
LeoNatan25
To remove the BlueJeans daemon, run:

    launchctl remove com.bluejeansnet.BlueJeansHelper
    rm ~/Library/LaunchAgents/com.bluejeansnet.BlueJeansHelper.plist

Then delete the app from /Applications

------
prophesi
Have these video conferencing services never heard about External Protocol
Requests in browsers? It's a much less hacky, and much more secure method to
pull off this same feature-set.

~~~
muzzio
Zoom responded to this point [1]:

> This is a workaround to a change introduced in Safari 12 that requires a
> user to confirm that they want to start the Zoom client prior to joining
> every meeting. The local web server enables users to avoid this extra click
> before joining every meeting. We feel that this is a legitimate solution to
> a poor user experience problem, enabling our users to have faster,
> one-click-to-join meetings. We are not alone among video conferencing providers
> in implementing this solution.

Presumably they're both doing the janky web server solution for the same
reason. Either way, I'm not sold, that browser behavior exists for a
reason.

[1]: https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/

~~~
AgloeDreams
Wow that is really damning, trashing user security in trade to remove a single
click that makes it clear as to what is happening.

This totally breaks Apple's Developer Terms right?

~~~
josteink
> Wow that is really damning, trashing user security in trade to remove a
> single click

As someone who has had to develop and maintain a similar web-to-desktop bridge
I can tell you that this one issue was responsible for around 90% of my
company’s total support requests, despite only being a small feature in an
optional addon in one of our main products.

For businesses just trying to keep their customers happy, this particular one
click is a very real problem.

I can absolutely sympathize with people trying to come up with workarounds.

~~~
nickdandakis
Did your company try to write an FAQ page on how to accept the double-confirm
dialogs in all major browsers (with screenshots) to maybe reduce your "90% of
support tickets"? Does your ticketing software redirect you to (or display) an
FAQ page that matches the ticket title?

I've come to understand how features like these get built, but I've also come
to understand that people that use software are a lot more resilient and savvy
than we think.

If 90% of your support tickets are about getting through a standard
double-confirm, patio11 would probably recommend increasing your pricing to limit
your paying customers to a pool that probably won't have much more trouble
with that.

~~~
p_l
Ahhh, sweet naivety.

The people who end up calling support often aren't the ones paying the bill,
for starters. That's _definitely_ the case for Bluejeans and Zoom.

It also doesn't matter if you make a great FAQ page. The majority of dissatisfied
people will never see it. Majorly because they won't call support but instead
complain and grumble locally, the second biggest portion because once sent
towards FAQ by support.... They won't follow it.

Only the tiny sliver of most dedicated will follow up long enough to reach the
FAQ.

------
LeoNatan25
One of the advertised "features":

> Launch the BlueJeans desktop application into a meeting without prompting
> the user with confusing browser dialogs. This allows meetings to launch
> quickly on one click without requiring any additional user interaction. It
> also prevents the user from making a wrong decision on a browser dialog
> which might permanently lock them out of launching meetings.

~~~
dvtrn
join.me seems to have solved this problem effortlessly, and taking a gander at
procs, I only see a client running. The BlueJeans rationale here isn't passing
my anecdotal sniff-test...

~~~
TedDoesntTalk
Only problem I've found with join.me is performance. My experience may not be
common, but there is so much stuttering with join.me that it's unusable... And
I've tried it multiple times on different days with different people.

~~~
kitotik
Aren’t you talking about their actual video stream though? The focus here
seems to be on _initiating_ the conference, which join.me does without
installing a hidden web server on a user's machine the way Zoom and BlueJeans
do.

------
ghostpepper
Why is this site completely unusable with cookies disabled? All I see is this:

Technical Stuff

To view this site, enable cookies in your browser.

~~~
dastx
Least you get something. I get a blank page when JS is disabled...

~~~
dvtrn
_BlueJeans extends the war on its users to the browser_

------
AlexandrB
I don't understand the rationale here:

> Determine if the BlueJeans desktop application is already installed. This
> allows us to offer a new installation or launch the existing app based on
> the user's machine.

If the "Detector" is installed, but the desktop app is not, the user removed
the BlueJeans app at some point because they didn't want it. How is silently
installing it again against the user's prior wishes a reasonable behaviour?

~~~
dpkonofa
I don't think that's the rationale behind this. If a user is clicking a link
to start a BlueJeans session, then it's not against the user's prior wishes
anymore. It's the user's current wish to start a BlueJeans meeting and that
wish requires the BlueJeans app to continue. Without the "detector", the link
click just fails and nothing happens. With the detector, it's determined that
the app isn't installed and the user is _prompted_ to install BlueJeans.
Otherwise, the app is opened and the correct meeting is started/joined.
Nothing is silently done here.

That being said, this is still a crappy way to do this. Installing a server is
not the solution to this. Browsers need to do a better job of dealing with
this and that would get rid of the root issue but, in the interim, these
developers need to figure out a better way than installing web servers on
everyone's machine. Otherwise, everyone's computer ends up with 10000 of these
stupid little single-purpose applications that are always running.

------
McDev
Unrelated note:

> "Your browser isn't supported
>
> This browser won't play nicely with some features on this site. For the best
> experience, update your browser to the latest version, or switch to another
> browser."

What on earth is that supposed to mean? Update to what browser? (Using Firefox
on Android, latest version)

~~~
LeoNatan25
Usually that means “use the IE6 of our times, aka Chrome”.

------
volfied
> However, this dialog is an annoyance to the user at best, and at worst may
> scare the user into denying a legitimate request.

It is a great security feature at best. It tells me that a website I visited
is about to launch something on my computer. A website launching an app on my
machine scares me more than any pop up.

------
sodabrew
Logitech also runs a local webserver. It's listening on port 4800. I've never
even used a Logitech video conference. I do have a Logitech camera though, so
perhaps this is from the driver.

    /Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService

------
sunils34
Found the BlueJeans server listening on :18171

To test if the BlueJeans server is running:

    
    
    lsof -i :18171
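
The single-port check above, widened to every TCP listener and combined with a check for the LaunchAgent plist named in the removal steps earlier in the thread. This is an added example, not part of any comment here; the sample `lsof` lines (process names, PIDs, bind addresses) are constructed, and `summarize_listeners` and `helper_still_present` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. Watched ports are the ones commenters
# reported: 18171 (BlueJeans helper) and 4800 (Logitech LogiVCCoreService).
WATCHED_PORTS="18171 4800"

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (names, PIDs and
# bind addresses are made up for illustration).
SAMPLE_LSOF='COMMAND    PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
BlueJeans  4102 alice 23u IPv4 0x1a2b 0t0 TCP 127.0.0.1:18171 (LISTEN)
LogiVCCor  611  alice 11u IPv4 0x3c4d 0t0 TCP *:4800 (LISTEN)
LogiVCCor  611  alice 12u IPv6 0x5e6f 0t0 TCP *:4800 (LISTEN)
rapportd   502  alice 4u  IPv4 0x7a8b 0t0 TCP *:49152 (LISTEN)'

# Reads lsof output on stdin; prints one line per unique listener:
#   <port> <command> <pid> <loopback|non-loopback> <watched|other>
summarize_listeners() {
  awk -v watched="$WATCHED_PORTS" '
    BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    $NF != "(LISTEN)" { next }                 # skips the header too
    {
      addr = $(NF - 1)                         # 127.0.0.1:18171, *:4800, [::1]:18171
      port = addr; sub(/.*:/, "", port)
      host = addr; sub(/:[0-9]+$/, "", host)
      scope = (host == "127.0.0.1" || host == "[::1]") ? "loopback" : "non-loopback"
      key = port " " $1 " " $2 " " scope
      if (seen[key]++) next                    # same listener on IPv4 and IPv6
      print key, ((port in want) ? "watched" : "other")
    }'
}

# Succeeds if the helper is still around: the LaunchAgent plist named in the
# thread exists under directory $1, or lsof output on stdin shows port 18171.
helper_still_present() {
  if [ -e "$1/com.bluejeansnet.BlueJeansHelper.plist" ]; then return 0; fi
  summarize_listeners | grep -q '^18171 '
}

# Live use on a Mac: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
  lsof -nP -iTCP -sTCP:LISTEN | summarize_listeners
  if lsof -nP -iTCP -sTCP:LISTEN | helper_still_present "$HOME/Library/LaunchAgents"
  then echo "BlueJeans helper still present"; fi
fi
```

A listener reported as `non-loopback` is bound to an address other hosts can reach, so it deserves a closer look than one bound to 127.0.0.1.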

------
dmix
> It also prevents the user from making a wrong decision on a browser dialog
> which might permanently lock them out of launching meetings.

> This allows us to offer a new installation or launch the existing app based
> on the user's machine.

These all sound like problems that can be solved by fixing the interface
itself and by polling for a desktop client connection.

~~~
javagram
However, the developers of this software have no way to force browser
developers to “fix their interface.” So they make a workaround instead.

------
Randgalt
Has anyone found a similar vulnerability with the BlueJeans local server? I
tried sending a few test URLs and they don't seem to do anything so I'm not
sure what the protocol is. If BlueJeans can't cause a webpage to launch its
app like Zoom does then I'm less concerned.

------
vomitcuddle
Why is this news?

A lot of desktop applications do this. The Spotify client used to do it to
enable play/pause controls from any webpage. Dropbox also definitely used the
same method for single sign on, maybe still does, I don't use it anymore.

~~~
eeeeeeeeeeeee
You’ve used past tense in all your examples. Is it still true? As Apple has
moved more towards a system with GateKeeper where apps must operate in a
sandbox, this behavior seems less acceptable in 2019. I don’t want apps having
complete access to my home directory because they absolutely do not need it to
function.

I like that when I remove an app installed via App Store on Mac, I know it’s
actually gone. It seems like this was part of the thing that people couldn’t
stand about Windows — spyware coming along for the ride that is not removed
when you delete the main app.

~~~
javagram
Use the App Store and the preference setting to only allow App Store apps if
you want that behavior.

Macs are general purpose computers and it would be absolutely inappropriate
for Apple to try to prevent users from running software on them.

~~~
braythwayt
Look, all that makes sense if users are giving _informed consent_ to have an
app install a web server. Users should be able to run whatever they want, but
they should also know what an app is installing.

At least the Bluejeans people have this page. The Zoom people did the same
thing (possibly worse), but it was undocumented.

------
eridius
It looks like if you delete Blue Jeans.app and then restart (or log out), the
webserver won't relaunch. It will attempt to run on load, but the actual
script to start it invokes the app binary with a special argument, so deleting
the app is sufficient.

The "log out" part is because the webserver will presumably continue running
in memory after deleting the app until you force it to quit. It's possible
that it watches for the app to be thrown away, but I don't have any way of
testing that right now.

~~~
LeoNatan25
Yes, in the case of BlueJeans, the server sits inside the app bundle.

~~~
eridius
What's rather curious is it uses what appeared to be a nodejs server stored in
~/Library/Application Support/Blue Jeans/, but it passes the path to that to
the app bundle (I can't inspect it further since I already deleted that whole
folder). My best guess is Blue Jeans wanted the ability to update the server
independently of the app, though I don't know why.

------
cwyers
I am learning about a lot of video conferencing solutions for all the wrong
reasons this week, between this and Zoom.

------
bibbitybobbity
Deleted, what garbage

