
Zoom has a signed binary that runs any unsigned script - kccqzy
https://twitter.com/DanAmodio/status/1245329512889487361
======
dang
A thread from yesterday:
[https://news.ycombinator.com/item?id=22736608](https://news.ycombinator.com/item?id=22736608)

------
Puts
Some more shadiness from this company. The Zoom.us-website is explicitly
allowing the browser with its content security policy-headers to load scripts
from these domains:

[https://*.50million.club](https://*.50million.club)

[https://apiurl.org](https://apiurl.org)

[https://secure.myshopcouponmac.com](https://secure.myshopcouponmac.com)

[https://serve2.cheqzone.com](https://serve2.cheqzone.com)

[https://ad.lkqd.net](https://ad.lkqd.net)

Doing a fast google for these domains shows they are mostly known for being
associated with malware...
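
A check for the situation described in the comment above, as an added example that is not part of the original thread: it pulls the `script-src` sources out of a Content-Security-Policy value and lists every host that is not on a reviewer's allowlist. The policy string and the `zoom.us` allowlist are constructed assumptions; only the five flagged domains come from the comment.

```shell
#!/bin/sh
# Added example: list script-src hosts in a CSP that are not first-party.

# Constructed sample policy, not a capture of any real site's header. The five
# non-first-party sources are the domains quoted in the comment above.
SAMPLE_CSP="default-src 'self'; script-src 'self' 'unsafe-inline' https://*.zoom.us https://*.50million.club https://apiurl.org https://secure.myshopcouponmac.com https://serve2.cheqzone.com https://ad.lkqd.net; img-src *"

# Assumption for this review: only these domains and their subdomains are expected.
ALLOWED_DOMAINS="zoom.us"

# Print the source expressions of DIRECTIVE, one per line. Only the first copy
# of a directive counts, and a missing script-src falls back to default-src,
# as in browsers. Simplification: a directive with no sources is treated like
# a missing one.
csp_sources() {   # csp_sources POLICY DIRECTIVE
    csp_list=$(printf '%s\n' "$1" | tr ';' '\n' |
        awk -v d="$2" 'tolower($1) == d { for (i = 2; i <= NF; i++) print $i; exit }')
    if [ -z "$csp_list" ] && [ "$2" != default-src ]; then
        csp_sources "$1" default-src
    elif [ -n "$csp_list" ]; then
        printf '%s\n' "$csp_list"
    fi
}

# Print every script source that is not covered by ALLOWED_DOMAINS.
unlisted_script_hosts() {   # unlisted_script_hosts POLICY
    csp_sources "$1" script-src | while IFS= read -r src; do
        case $src in
            '') continue ;;
            "'"*) continue ;;                          # 'self', 'unsafe-inline', nonces, hashes
            '*'|*:) printf '%s\n' "$src"; continue ;;  # any host / any host on one scheme
        esac
        host=${src#*://}     # strip scheme
        host=${host%%/*}     # strip path
        host=${host%%:*}     # strip port
        host=${host#\*.}     # strip wildcard label: *.example.org -> example.org
        listed=no
        for d in $ALLOWED_DOMAINS; do
            case $host in
                "$d"|*."$d") listed=yes ;;
            esac
        done
        [ "$listed" = yes ] || printf '%s\n' "$host"
    done
}

unlisted_script_hosts "$SAMPLE_CSP"
```
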

~~~
gbea42d4
At least it's shady enough :D cX

------
kccqzy
To clarify, this zoomAutenticationTool† is part of the preflight "script" that
gets run inside the Zoom installer. It is a signed binary that happily runs
anything, including unsigned scripts. This generic-looking tool can be used to
bypass code signing requirements. (It does prompt the user for administrator
privileges.)

†: I didn't misspell the name of the executable. It's missing an h.

~~~
skykooler
What is with Zoom misspelling everything? Their shady installer pops up
"System request administrator privileges", and the code it runs misspells
"retina" as "reitna".

~~~
abiogenesis
Lack of code reviews and quality assurance.

It is also reported that their engineering team are not native English
speakers but I don't think that's the main issue. I've seen codebases full of
spelling errors where all developers were native speakers.

~~~
randoglando
Yeah, that just seems to be dog whistling to me. A native speaker isn't going
to think "reitna" is right but "retina" is not. It's just poor QA IMO.

------
erulabs
It does make me feel a bit better though - sometimes I go overboard with
security and spend hours making certificate validation work everywhere etc -
the people actually making money skip all that and just ignore it. They
typically get away with bad practices until they really get massive, as long
as the software works well otherwise.

Sometimes when coding I think there is technically an obscure race condition
security flaw and, from time to time, leave a TODO instead of spending those
grueling hours. This weirdly makes me sleep better at night.

At any rate, "sunlight is the best disinfectant"!

~~~
mikorym
IMHO those you mention who make money are, in this case, qualified further to
a category of products that in essence are not complicated. Video conferencing
is not complicated until you have scaling problems. Similarly, Facebook was
not complicated until it got millions of users at which point most of their
interesting code had to do with scaling.

My point is that Zoom is replaceable and in fact, IMO should be replaced.
Their tactics of using these dodgy techniques is because they want to have an
edge over competition along the lines of "it just works".

I would contrast this to pure research services that add value that would
otherwise not be there. Examples of this would be at the time that they were
startups: Google (search algorithms) or Spotify (music categorisation
algorithms). I'm not saying that today either of Google or Spotify are
paragons of morality. At the hardware level I would include Tesla (battery
tech) and Intel (processors).

My point is that the shady practises _are_ at this point Zoom's product
offering. If their video scaling algorithms are superior (and not just lifted
from some open source libraries) then that should be their product offering.
Not "it just works" via security exploits.

Edit: Typos.

~~~
larrik
If video conferencing wasn't complicated, there'd actually be a product
everyone likes. So far, everyone seems to hate all of them.

~~~
nilkn
How much of this is related to the software though and how much is related to
home internet speeds, camera quality, microphone quality, etc.? Most laptops
ship with really low quality webcams and mics, and that’s predominantly what
people are using.

~~~
lukeschlather
The difference between Zoom and Google Hangouts is staggering. Zoom works way
better. I actually love it from a usability perspective, though it's
frustrating because if Apple/Microsoft/Google could agree on an open standard
with open-source clients/protocols Zoom wouldn't be necessary.

~~~
nilkn
I've just been using Slack video (for small groups or one-on-ones) and
BlueJeans for larger meetings. I've tried Zoom and didn't see what it added on
top of BlueJeans except for feeling like malware.

------
crazygringo
Legitimate question: what is bad about this? I've read all the comments and
still don't see a convincing explanation.

Code signing just says you can trust that the software you clicked on came
from the actual developer.

It doesn't say anything at all about what the software does. Of course signed
software can do whatever it wants. It's not like there's supposed to be some
chain of trust that it's only allowed to run further signed code. It's free to
run a Python script or shell command or whatever it wants. And installers
certainly run scripts.

And as other comments here state, to do anything that requires root
privileges, it pops up to ask for your admin password, so it's not getting
around that.

I see references to this being a "malware pattern" but no explanation of why
or what that means specifically. Zoom is commercial software (not malware) and
I don't see how this is a vulnerability (something malware could take
advantage of) so I'm not getting it.

Can someone explain what the problem is here? Or is there no problem?

~~~
kryogen1c
I was about to write the same comment. I'd bet the percentage of HN readers
running 100% signed code is damn close to 0.

The Zoom witch hunt is really something. Zoom may or may not be a witch (I'm no
China apologist, I yell at all my friends for using TikTok), but if we get the
answer right it will be based on luck and emotion, not logic and reason.

~~~
jdm2212
> Zoom may or may not be a witch (I'm no China apologist

Zoom is an American company, headquartered in the US, employing mostly
Americans, subject to US law, etc. Its CEO is an immigrant, but that's true of
half the _American_ tech companies out there, including Google and Microsoft.

EDIT: I'm white, but my wife is Asian-American and has told me more than once
how white people often treat Asian-Americans as if they're not real Americans.
I'd never witnessed that myself, but I guess the above comment is the kind of
sentiment she's talking about. Zoom may or may not be a scummy company, but
its founder's birthplace is immaterial. He's a US citizen, and deserves the
same treatment we give to maybe-scummy white American CEOs like Mark
Zuckerberg.

~~~
president
> employing mostly Americans

"“Our product development team is largely based in China, where personnel
costs are less expensive than in many other jurisdictions,” Zoom wrote in a
regulatory filing."

Source: [https://www.cnbc.com/2019/03/26/zoom-key-profit-driver-ahead-of-ipo-engineers-in-china.html](https://www.cnbc.com/2019/03/26/zoom-key-profit-driver-ahead-of-ipo-engineers-in-china.html)

~~~
jdm2212
The concerns about TikTok are that it's potentially Chinese government spyware
because TikTok is owned by a mainland Chinese company which has legal
obligations to the Chinese government.

Zoom is a US company that is not answerable to the Chinese government. Like
many companies, Zoom has chosen to outsource some of its operations, and those
overseas offices create various infosec risks. And given that Zoom infosec
seems to be a total clown show, those infosec risks are probably more serious
at Zoom. But that would be equally true of any other American company that is
really lax about security and too cheap to employ American developers.

~~~
abiogenesis
Not entirely true. While Zoom as a company is not answerable to the Chinese
government, the developers are.

Given that we have such horrible laws even in the "more democratic" parts of
the world, such as Australia [1], it is not unthinkable that the Chinese
government may ask a Chinese developer to install a backdoor to a foreign
based product they are working on:

[1] [https://www.bbc.com/news/world-australia-46463029](https://www.bbc.com/news/world-australia-46463029)

> The Electronic Frontier Foundation has said police could order individual IT
> developers to create technical functions without their company's knowledge.

~~~
jdm2212
The same concern applies to any American company with Chinese offices,
including Google, Facebook, etc.

~~~
kryogen1c
Except it's not an office, it's the majority of their dev team operating inside
one of the top 3 unsafest, most anti-American (with respect to cybersecurity)
countries in the world.

------
d4n
Hey! I posted this. Just want to be clear it still pops up and asks the user
to authenticate as seen in the original post. Tried to clarify this in the
thread I don’t want people to get confused and think this is worse than it is.
Still really weird and follows malware patterns. Most likely not a gatekeeper
bypass or anything because delivery would be difficult but seemed like a
sketchy decision to basically write their own sudo tool into the pre install
scripts.

~~~
ajphdiv
Why did you delete the tweet?

~~~
circa
It's been re-posted -
[https://twitter.com/DanAmodio/status/1245329512889487361](https://twitter.com/DanAmodio/status/1245329512889487361)

~~~
dang
We changed to that from
[https://twitter.com/danamodio/status/1245032929635586053](https://twitter.com/danamodio/status/1245032929635586053).
Thanks!

------
pvg
I'm not super familiar with Apple's policies but is this really such a grave
sin on OS X? The purpose of the signature, as I understand it, is mostly to
assure the user of the provenance of the code and, in a pinch, let Apple
disable it. It's not intended as some bulletproof runtime security mechanism
and it's easy to think of lots of apps that would be signed but could
legitimately execute some form of unsigned code.

~~~
oefrha
It’s not per se, otherwise Terminal.app and iTerm2.app would be among the most
sinister signed apps ever. Signatures only protect the app bundle itself, not
user-supplied code or code fetched to locations outside the bundle.

However, it’s bafflingly weird to include such a thing just to skip a button
press or two in the installer.

~~~
pvg
I can see how skipping the installer flow might skeeve people out but this
particular bit about some signed doodad in the installer being able to launch
scripts seems like something between a nothingburger and mildly curious. Just
wondering if I'm missing something here.

~~~
oefrha
Yeah I don’t think this additional swipe adds much to
[https://news.ycombinator.com/item?id=22736608](https://news.ycombinator.com/item?id=22736608).

------
ajconway
Meanwhile most of us curl stuff directly into our shells sometimes:
[https://brew.sh](https://brew.sh)

~~~
DarkWiiPlayer
At least in those cases we know it's happening and we can have a look at the
script if we want.

~~~
tpxl
Daily reminder: You can detect whether the script is being piped to shell or
not, so inspecting the script, then curl | shell might not get you the same
script. curl > file, inspect file, ./file is (probably) safe.

~~~
Tyr42
To expand on this, it is possible to tell apart the redirection to file and
pipe to shell.

[https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/](https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/)

~~~
DarkWiiPlayer
Sounds interesting and excessively complex; you can just as easily do this:

- Send X bytes of the script

- Send the line `curl my.server.com/asdjkfh`

- Stop sending data, wait for a request to `/asdjkfh`

- If you receive said request, start sending malicious data

- If you don't, wait 5 seconds and continue sending a "fake" script
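
The "curl > file, inspect file, ./file" advice given a few comments up, taken one step further as an added example that is not from any commenter: after the saved copy has been read, its SHA-256 is recorded, and later runs execute only a saved file that still has that digest. The function names, the temp-file layout and the sample installer script are constructed for illustration.

```shell
#!/bin/sh
# Added example: execute only the exact bytes that were reviewed.

sha256_of() {   # sha256_of FILE -> hex digest on stdout
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run FILE with sh only when its digest equals the one recorded at review
# time. Returns 2 if FILE is missing and 3 (running nothing) on a mismatch.
run_if_pinned() {   # run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
    pinned_file=$1 pinned_want=$2
    shift 2
    [ -f "$pinned_file" ] || { echo "no such file: $pinned_file" >&2; return 2; }
    pinned_have=$(sha256_of "$pinned_file")
    if [ "$pinned_have" != "$pinned_want" ]; then
        echo "refusing to run $pinned_file: digest differs from the reviewed one" >&2
        return 3
    fi
    sh "$pinned_file" "$@"
}

# Download to a private temp file first, then hand the saved copy to
# run_if_pinned. Nothing is piped into a shell, so the interpreter only ever
# sees bytes that are already on disk and have been hashed.
fetch_and_run_pinned() {   # fetch_and_run_pinned URL EXPECTED_SHA256 [ARGS...]
    fetch_url=$1 fetch_want=$2
    shift 2
    fetch_tmp=$(mktemp) || return 2
    fetch_rc=0
    if curl -fsSL --output "$fetch_tmp" "$fetch_url"; then
        run_if_pinned "$fetch_tmp" "$fetch_want" "$@" || fetch_rc=$?
    else
        fetch_rc=2
    fi
    rm -f "$fetch_tmp"
    return "$fetch_rc"
}

# Constructed demonstration: review a script, pin it, then simulate the
# content changing after the review.
demo_pinned_run() {
    demo_dir=$(mktemp -d) || return 2
    printf '%s\n' '#!/bin/sh' 'echo "installing to $1"' > "$demo_dir/install.sh"
    demo_pin=$(sha256_of "$demo_dir/install.sh")    # recorded after reading the file
    first=$(run_if_pinned "$demo_dir/install.sh" "$demo_pin" /opt/example)
    printf '%s\n' 'echo "unreviewed payload"' >> "$demo_dir/install.sh"
    second_rc=0
    second=$(run_if_pinned "$demo_dir/install.sh" "$demo_pin" /opt/example 2>/dev/null) || second_rc=$?
    rm -rf "$demo_dir"
    printf '%s|%s|%s\n' "$first" "$second" "$second_rc"
}

demo_pinned_run
```
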

------
Thomaschaaf
In a couple weeks the public will have done a complete audit of all of Zoom's
tools.

~~~
iainmerrick
With zero impact on Zoom’s practices or their popularity, probably.

 _Edit to add:_ I mean, I _hope_ they’ll lose a substantial number of paying
customers over this? But I doubt it.

~~~
kockic
I actually hope they will just fix all of their security/privacy issues, and
that we will end up with a decent video conferencing app that actually values
users privacy.

I don't get why people are so negative. I mean zoom is not unique in this
sense, many of the everyday apps we use share at least some of these issues.

How many of us use Intel CPUs that had (still have) an infinite number of
vulnerabilities? Or MacOS that at some point allowed root to login without
passwords? How many security issues we (software engineers) create on a daily
basis simply because the management needs something for yesterday?

~~~
iainmerrick
_I actually hope they will just fix all of their security/privacy issues_

Yes, me too! I was going to edit my comment again to clarify, but I figured it
wasn’t worthwhile trying to list all the caveats explicitly. But yes, if they
fix this stuff and continue to be successful, that would be good.

_How many security issues we (software engineers) create on a daily basis
simply because the management needs something for yesterday?_

I disagree with your premise there. Sure, security bugs can sneak in if you’re
rushed, but that’s qualitatively different from actively exploiting security
holes and using dark UI patterns to make your own life easier. I hope most
engineers would refuse to implement feature requests like that. It should be
considered a form of malpractice.

------
rvz
That, my friends, is the textbook definition of high quality malware.

------
badrabbit
Not a problem if everyone used Linux. (Sarcasm intended: no workable binary
signing)

~~~
e12e
You're right, but there is signing of kernel and modules now, via secure boot,
e.g.: [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sect-signing-kernel-modules-for-secure-boot.html](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sect-signing-kernel-modules-for-secure-boot.html)

I'm not sure about binaries in general - having secure boot as an anchor at
least makes the exercise less futile - but there's an interesting point brought
up here:

[https://stackoverflow.com/questions/1732927/signed-executables-under-linux](https://stackoverflow.com/questions/1732927/signed-executables-under-linux)

Dynamic linker, dynamic libraries and dlopen.

I see Solaris has elfsign - and it appears to be in OpenSolaris too:
[https://github.com/joyent/illumos-joyent/blob/master/usr/src/cmd/cmd-crypto/elfsign/elfsign.c](https://github.com/joyent/illumos-joyent/blob/master/usr/src/cmd/cmd-crypto/elfsign/elfsign.c)

Not sure if it would work on Linux - and you might want to prevent running
unsigned binaries. Not sure if that's a thing on OpenSolaris. Still, being
able to verify a binary might help with handling random downloads, I suppose.

~~~
badrabbit
Yeah, module signing but not turned on by any distro. I can't even imagine not
having driver signing on windows in 2020. There is IMA in Linux too. Even
package signing barely started catching up in the last few years on most non-
mainstream distros. It's practically unthinkable to have script signing too.

~~~
e12e
AFAIK it's on by default in Ubuntu?

> Modules built and shipped by Canonical with the official kernels are signed
> by the Canonical UEFI key and as such, are trusted. Custom-built modules
> will require the user to take the necessary steps to sign the modules before
> they loading them is allowed by the kernel.

[https://wiki.ubuntu.com/UEFI/SecureBoot](https://wiki.ubuntu.com/UEFI/SecureBoot)

------
gregoriol
Now that it's clear that Zoom developers do their best to do the worst, Apple
should ban it entirely from their platforms

~~~
HumblyTossed
They can't. Not now at least. For better or worse, people all over are using
Zoom to stay in contact. If Apple banned it, it would be extremely difficult
for them to not take a PR hit right now.

~~~
ratww
Instead of banning, Apple should be working together with them to understand
why they're resorting to such ugly hacks just to improve the installation UX,
and use that feedback to improve macOS instead.

~~~
Longhanks
The installation UX needs not be improved. It needs the holes Zoom abused
fixed, so that it can no longer circumvent asking for the user's final
consent. There is absolutely no reason Zoom should get away with intentionally
abusing the platform they're given.

~~~
jcelerier
> It needs the holes Zoom abused fixed, so that it can no longer circumvent
> asking for the user's final consent.

But... installing Zoom is already asking for my consent, through an OS prompt.
Do you want to have to type your user password two times for every app you
install or what?

~~~
randoglando
It could prevent an app from posing as "System" in the prompt for starters.

------
fouc
I wouldn't be surprised if some other MacOS apps pull similar tricks.

Interesting that we didn't know Zoom did this until everyone started using it,
and someone finally audited it.

------
dchest
How would you bypass Gatekeeper with that? Something needs to run it. If you
can, why can't you just do the same with osascript instead of running
zoomAuthenticator?

    /usr/bin/osascript -e 'do shell script "touch /tmp/ran_successfully " with administrator privileges'
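
A triage pass for the pattern discussed in this thread (an install script that elevates and hands work to a bundled helper), as an added example that is not part of any comment: it lists the elevation calls in a package's install scripts and the bundled files those scripts mention by name. The directory is assumed to be an already-extracted scripts folder, and the sample files, including the names `exampleAuthTool` and `run_me.sh`, are constructed.

```shell
#!/bin/sh
# Added example: review the install-time scripts of an extracted package.
# DIR is a scripts folder taken out of the package beforehand (on macOS,
# for example, with `pkgutil --expand-full`).

# Fixed strings to look for: the osascript form quoted in the comment above,
# and plain sudo.
ELEVATION_PATTERNS='with administrator privileges
sudo '

install_scripts() {   # print the install-time scripts present in DIR
    for s in preflight preinstall postinstall postflight; do
        if [ -f "$1/$s" ]; then printf '%s\n' "$1/$s"; fi
    done
}

# Print "script:line-number:text" for every elevation call found.
scan_elevation() {   # scan_elevation DIR
    install_scripts "$1" | while IFS= read -r script; do
        printf '%s\n' "$ELEVATION_PATTERNS" | while IFS= read -r pat; do
            grep -n -F -- "$pat" "$script" | sed "s|^|${script##*/}:|"
        done
    done
}

# Print bundled files that an install script mentions by name: these helpers
# run with whatever rights the script obtains, so they deserve the same review.
referenced_helpers() {   # referenced_helpers DIR
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in preflight|preinstall|postinstall|postflight) continue ;; esac
        install_scripts "$1" | while IFS= read -r script; do
            if grep -q -F -- "$name" "$script"; then printf '%s\n' "$name"; break; fi
        done
    done
}

# Constructed sample folder, not taken from any real package.
write_sample_scripts() {   # write_sample_scripts DIR
    cat > "$1/preinstall" <<'EOF'
#!/bin/sh
# constructed sample preinstall script
cd "$(dirname "$0")"
/usr/bin/osascript -e 'do shell script "./exampleAuthTool ./run_me.sh" with administrator privileges'
EOF
    printf 'placeholder for a signed helper binary\n' > "$1/exampleAuthTool"
    printf 'echo "unsigned script"\n' > "$1/run_me.sh"
    printf 'not referenced by any script\n' > "$1/README.txt"
}

sample_dir=$(mktemp -d) && write_sample_scripts "$sample_dir" && {
    scan_elevation "$sample_dir"
    referenced_helpers "$sample_dir"
    rm -rf "$sample_dir"
}
```
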

------
peterwwillis
The tweet has already been deleted. You don't get substantive content from a
tweet, you don't get detail, they're hard to follow when threaded, and usually
they aren't well thought out or researched. Please don't submit (or upvote)
tweets. It would actually be better if you created a blog post with a
screenshot of it and posted that.

~~~
Chlorus
Not sure why you're being downvoted - I expect more meat from a submission
than 'here's a context-free few sentences on a tweet!'

------
ktm5j
Google cache has a copy of the deleted tweet:
[https://webcache.googleusercontent.com/search?q=cache:a7E7do...](https://webcache.googleusercontent.com/search?q=cache:a7E7domEms0J:https://twitter.com/danamodio/status/1245032929635586053+&cd=1&hl=en&ct=clnk&gl=us)

------
zelivans
Any context as to why the tweet was deleted?

------
ptlu
Link to the cached version of the tweet:
[https://webcache.googleusercontent.com/search?q=cache:a7E7do...](https://webcache.googleusercontent.com/search?q=cache:a7E7domEms0J:https://twitter.com/danamodio/status/1245032929635586053+&cd=3&hl=en&ct=clnk&gl=us)

------
macspoofing
Curious why the focus on Zoom specifically given that there are 10,000
different conferencing products out there.

Are they the biggest?

~~~
shrew
Since all the lockdowns and social distancing rules have come into play for
COVID-19, Zoom has seen a huge increase in consumer usage. That in turn has
led to increased scrutiny as more people use it.

Besides that, this certainly isn't the first time Zoom's shady practices have
been exposed, where many other conferencing products haven't had such a track
record.

~~~
maest
What about using one of the many conferencing services that run from your
browser?

Zoom has been repeatedly breaking the trust of their users - it's a clear
pattern that won't change.

~~~
cesarb
Isn't Zoom also one of the many conferencing services that run from your
browser?

~~~
dividuum
They use a dark pattern to hide that: you'll have to cancel their attempt to
open/download (one of those, I don't remember) the native app three times before
the link appears.

------
gnachman
What’s the right way to sign a script? I’ve spent some time researching this
and never found a satisfactory answer.

~~~
saagarjha
Put it inside an app bundle?

------
sethgoodluck
How to completely remove zoom from a unix system...

[https://www.fosslinux.com/3534/how-to-completely-uninstall-applications-by-command-line-in-ubuntu.htm](https://www.fosslinux.com/3534/how-to-completely-uninstall-applications-by-command-line-in-ubuntu.htm)

------
api
Last straw. Goodbye Zoom. I'll use it in a VM if I must.

------
_curious_
Could someone kindly ELI5?

------
evolveyourmind
Meanwhile, Apple doesn't accept my app because they claim the UI sucks

~~~
galad87
Apple didn't review or accept Zoom. It's not on the App Store.

~~~
diggan
Yeah, as much as I don't like the locked down nature of Apple
devices/OS/software, this case with Zoom being able to do this stuff, is an
argument for the locked down garden.

~~~
NullPrefix
Isn't this the exact opposite? Zoom didn't bother to go get accepted into high
requirement locked down garden, instead they choose to distribute the binaries
on their own without having to deal with pesky rules about unsigned scripts.

~~~
diggan
Well, if it was only possible to install apps via the App Store (Apple's wet
dream, but they'll lose a ton of users), then Zoom wouldn't be able to
distribute their app any other way and would be forced to follow the guidelines.

Again, I'm playing devil's advocate for a pro-walled-garden opinion I myself
don't believe in, so don't take my opinion too seriously.

~~~
lloeki
It's not an either/or. You can simultaneously have more trust in apps coming
from the walled garden _and_ cherry-pick with greater care the select number
of potent applications that come from outside of it and are therefore harder
to trust, precisely because they may be able to do more than what's allowed
within the walled garden.

------
paulintrognon
Reposted tweet:
[https://twitter.com/DanAmodio/status/1245329512889487361](https://twitter.com/DanAmodio/status/1245329512889487361)

------
tiborsaas
Tweet got deleted :/

Just based on the title, consider that web browsers are signed binaries that
run any unsigned script :)

~~~
mnw21cam
In a sandbox, yeah.

------
emmelaich
Tweet removed and re-posted as
[https://twitter.com/DanAmodio/status/1245329512889487361](https://twitter.com/DanAmodio/status/1245329512889487361)

~~~
dang
Changed to that from
[https://twitter.com/danamodio/status/1245032929635586053](https://twitter.com/danamodio/status/1245032929635586053).
Thanks!

------
LockAndLol
Get your friends and family off of Zoom. Use Jitsi Meet
[https://jitsi.org/jitsi-meet/](https://jitsi.org/jitsi-meet/)

It's opensource, free and doesn't require user accounts. Plus you can host it
yourself.

------
OldTechSucks
I don't see anything wrong here; you investigate the script and it's just an
installer. Did you even look at nvidia-installer? Why does no one talk about
that crap? So much hate on Zoom... I hate that too, I was at a meeting yesterday
and my internet got disconnected and I couldn't get back, but even after
reconnecting there was an audio issue.

~~~
t0mas88
What's wrong here is that Zoom hacked together an installer against all normal
structure that Apple recommends. And that installer includes a very stupidly
designed component that will try to run whatever you ask it with admin
privileges.

This is yet another indication that nobody at Zoom has a single clue on how to
build a secure and stable application. Another example of that mindset
released today:
[https://www.theverge.com/2020/3/31/21201956/zoom-leak-user-information-email-addresses-photos-contacts-directory](https://www.theverge.com/2020/3/31/21201956/zoom-leak-user-information-email-addresses-photos-contacts-directory)
They are proving to completely not understand how to design security/privacy
features. Frankly, their technology team sounds like total amateurs that hack
things together.

~~~
oefrha
“Total amateurs hacking things together” somehow managed to ship something
functionally better than products from mature shops like MSFT that mean
serious business. The irony there.

~~~
valuearb
It's more like they gained better ease of use by bending platform rules, to
the detriment of security.

~~~
oefrha
I highly doubt that Zoom’s video conferencing solution solidly working while MS
Teams crumbled under load two weeks ago is due to magic in Zoom’s macOS
installer.

~~~
valuearb
Wasn't talking about infrastructure, was talking about the ease of use that
led to large market share. Zoom broke lots of platform rules to perform that
trick.

