Hacker News new | past | comments | ask | show | jobs | submit login

Click on the app icon, hold, move to Trash.

It is mentioned in the third paragraph already, highlighted in green. They don't offer a method of clean removal to their users. They run a web server on your machine that will reinstall Zoom on your macOS whenever it is convenient for them (secretly, without asking you first).

See here: https://apple.stackexchange.com/questions/358651/unable-to-c...

That web server is exploitable, as explained in the article.

Note that most Zoom users (probably lots of business people) won't be capable of following the uninstall steps necessary at the moment..

Now, notwithstanding what I posted above, THIS is fucked up and inexcusable.

I do NOT appear to have the web server running, but I did have the ~/.zoomus folder and the ZoomOpener app there.

Is this because I'm scrupulous about killing LaunchAgents and LaunchDaemons?

Run this:

ps aux | grep zoom

You'll probably see "ZoomOpener" there. It is running but it's not in the "Force Quit" menu. Then, to kill it run:

killall zoom

Then you can follow the other directions indicated by the previous poster who gave information about how to lock your ~/.zoomus directory down to root so that it can't install itself again.

I do not have ZoomOpener running.

My feeling is that removing the startup item probably cripples this, no? I mean, fuck them for doing this, and get rid of all of it, but I think the StartupItem is required for their hack to work.


Which isn't actually enough, since the surreptitiously installed server will happily go and reinstall the Zoom client for you whenever you load a zoom link, or a malicious link. You have to kill the server, and remove the ~/.zoomus directory as well. This is all pretty damning to be honest.

I would have loved to be a fly on the wall of the meetings where that policy was designed and approved.

Did no one at all speak up and say "hey, running secret webservers on obscure ports without telling the user is shady stuff"?

Just to be sure, I don't think that's enough. You might want to kill the running process and remove the binary (as described under "Quick Fix" section in the blog post)

Leaves behind an exploitable web server on localhost

Not an option if your employer uses Zoom for all of its internal and customer-facing meetings.

... and delete the webserver from the background

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact