Hacker News new | past | comments | ask | show | jobs | submit login
Zoom is reinstalling itself after a minute of being uninstalled [video] (youtube.com)
223 points by maloga on July 9, 2019 | hide | past | favorite | 52 comments

I couldn't reproduce it (Mac, Mojave 10.14.5). I did this:

1. Ensure Zoom client is not running (the GUI, not the ZoomOpener)

2. Completely delete Zoom client app from /Applications, empty trash

(ZoomOpener continues to run from ~/.zoomus/, not just from memory, it is never deleted)

3. Wait 5 minutes

However, if you click on any Zoom link after you've done those three steps, it will absolutely re-install that client app into /Applications AND launch it into that video room. I confirmed that.

I still feel this is a violation of my trust and I'm uninstalling this app entirely and won't use Zoom again.

Also, if Apple actually cared about the Mac and privacy like they say they do, they would temporarily revoke Zoom's app signing key until they cut this shit out.

You sure you want that last sentence? If that were happening, we would all be commenting on here about how Apple decides who succeeds and who fails by threatening to revoke companies' keys on a whim.

Apple did that when Facebook was abusing enterprise signed apps and nobody threw shade at Apple. There's a time and place for that, and this is it.

Now, if Apple revoked their cert because they didn't like Zooms view on <some political issue> then I'd be ranting and raving with the rest of HN.

Ok thanks for the example. I hadn't heard of that, so I just briefly read about it. It looked like there were clear terms about the Enterprise apps: that it was for internal, employee use. Facebook was distributing it to non employees. I imagine that is why there was little shade thrown.

Why not? The software is effectively working as malware. I should be revoked. And when they approve it again, they should issue a new certificate, to make sure the old software never gets past GateKeeper again.

Yes, I do. And in no way is revocation in this instance a “whim.”

Understood. I would hope that they spell out the terms of when a key revocation would happen if they were to revoke keys.

This is the point of sandboxing apps in the Mac App Store, and (to my understanding) providing simple and complete uninstallation. Mac users that care about issues like this (and I'm not saying they shouldn't) can avoid them by choosing to only install apps from the App Store.

Revoking signing keys on the Mac is pretty extreme considering that Zoom is creator of the software — and that is what the key is meant to prove / enforce. I think that sets a very bad precedent.

The fact that Zoom is distributed outside of the App Store should at least raise eyebrows for Mac users. At this point, I tend to ask what specific functionality is required by an app, such that it wouldn't be allowed in the Mac App Store — especially for free client software (there can be perfectly valid reasons for this, such as previous versions of BBEdit).

Most likely the video creator has a webpage open, waiting to send a request to the zoom localhost webserver after 90 seconds triggering the install.

I am not a big Zoom fan but everyone else but me at work has issues with Zoom. One vendor we do calls with sometimes gets the web version instead of the desktop version any time he joins a Zoom call.

My biggest pet peeve was Ciscos version. I had to install: a browser plugin, which wasnt used, then a desktop app, then a follow up desktop app to support voice and audio. What the actual heck is Cisco smoking!? I was shocked. I cannot believe the sheer incompetency and what saddens me is they probably advertise Webex as a solution but it is such garbage on a Mac. I dare not ask what its like on Windows or Linux (ha!). I hate to say it but Webex might benefit from becoming an Electron app.

Webex and Zoom are absolutely not the same product, they are competitive offerings from different companies.

> My biggest pet peeve was Ciscos version.

I mentioned this, I just went off on a tangeant cause it amazes me how broken some of these pieces of software are, it's a problem we solved a long time ago (audio and video conferencing) and it seems only Electron based apps have been getting it right lately for whatever reason.

If Zoom has a web-based client, I haven't seen it. I know that WebEx has a web-only client. I thought you had them like, really confused, y'know?

Turns out there is a Zoom Web Client though and I'm all wet.

All good, but yeah, I didn't know either, sounds like it is yet another one of those "works best in Chrome" clients, I usually use Firefox, and it probably tries to open Zoom. Maybe sometimes people click "open in browser" instead or something? Not sure...

What's worse is WebEx is supposed to be web only supposedly, but I installed 3 things to use it... Totally not HTML5 friendly at all...

For anybody interested in the Zoom web client:


Their web client is actually doing something quite interesting. Instead of using webRTC, they load a webassembly video codec. They then encode frames in a webworker and transport them via websockets over their servers.

They need to leave them with their key so they can issue an update.

> so they can issue an update.

Revoking the key and making its restoration conditional on issuing a security patch would be a way to make sure an update does happen. I'm not a fan Apple's approach to software signing, but this is a good opportunity to showcase some of the benefits that their system does legitimately have.

They'd be stepping in on behalf of users and saying, "Sure you can issue updates. After you fix the security hole."

Right now, Zoom is gambling that they don't need to care about security from a business point of view. Apple can change the situation so they do.

Why? The company blog post is pretty clear that they don't see any of the security issues to be a problem.

I really hope Zoom promptly fixes all these recent issues. I've used so many video conferencing solutions. Vidyo was amazingly unreliable. BlueJeans had the most amazingly awful interface I've ever encountered. P2P WebRTC solutions get destroyed when there's more than a couple people on a call. Hangouts has decent call quality but had spooky issues, like all parties joining a call, but each appearing as if they're the only ones present.

Zoom is the only solution that's been decent for me. The UI for the desktop client is a bit rough around the edges, but it's certainly not the worst. I'd really like to continue to like Zoom but I can't do that if they're going to do shady things or bungle security.

The UI for the desktop client is a bit rough around the edges, but it's certainly not the worst.

It is the worst for giving presentations. I had practiced for giving a presentation from my MacBook, and it was sprung on me when I arrived. Zoom "oh so helpfully" pops down a control panel every time the mouse cursor approaches the menus at the top of the screen. It also "oh so helpfully" puts itself into fullscreen when I don't want it to do that.

As far as I'm concerned, the UX is bungled.

Unfortunately the default settings aren't great. But if you've got the patience to configure it (e.g., you're a remote employee) it's much more tolerable.

So basically, you have to become a Zoom expert to make it good for presentations? Funny, but Keynote hooked up to a projector or a screen just works.

> I really hope Zoom promptly fixes all these recent issues.

They don’t see them as issues, but as features. These happen on purpose. They’ve said as much, including that they don’t intend to change this behaviour. If they do it now, it’ll be because they’re trying to stop the bad press and not because they believe these are problems, which means they can’t be trusted to not pull other crap like this in the future.

It s funny that Flash group chats worked better 15 years ago

Seems like ZoomOpener automatically reinstalls the Zoom app if it is uninstalled? [1]


This support article was silently updated after the Zoom debacle. Google cache has the old version, that doesn't mention removing their trojan:


>To uninstall any Mac App, see this article by Apple. Please also see http://www.wikihow.com/Uninstall-Programs-on-Mac-Computers

Could you explain the problem in words, please? Not in a position to watch a video right now.

It’s a silent video of less than two minutes. It shows a user on macOS quitting the Zoom app[1], dragging it to the Trash and emptying it. They stay still for about one minute and fifteen seconds, at which point Zoom pops up on the Dock again, opening its window.

[1]: This Zoom: https://news.ycombinator.com/item?id=20387298

Thanks! That was a lot quicker to read than watching the video.

Thank you everyone for this little thread. This is exactly what I am looking for when I read the comments to a video link!

Between 00:15 and 01:30 it’s just waiting, so you might want to skip that section if you’re only interested in seeing it happen.

Are we sure they're not just using fleetsmith to install it and trolling all of us with the zoom news going on?

Looks like a background self-update was in progress while it was deleted?

Or is there an official uninstaller, and Zoom simply tries to „fix“ itself after the deletion-hook was invoked by MacOS? I can imagine plenty of people wondering why Zoom doesn’t work after they „moved it“.

Very unlikely, because we've double-checked on a couple of machines at the office here. Only on Mac though. Would be useful if we get some more confirmations.

I am pretty confident the Zoom team can fix this and the other issues mentioned in the great security article from yesterday. They seem to do good stuff and I love how well it works.

> I am pretty confident the Zoom team can fix this and the other issues mentioned in the great security article from yesterday.

I am pretty confident they won’t, because they’ve said they consider these to be features and intend to keep it that way. If they backpedal now it won’t be because they’ve realised how user-hostile this is, but because they’ve gotten so much bad press.

Lol, is this a paid account? This seems to ignore just how bad this issue is.

Super bad issue, just merely voicing I think they will fix it. Everyone seems to go into this shark feeding frenzy of how they are terrible and will never fix it. I get tired of that shit and merely pointing out this is a well run big company and they are going to fix it.

The mob mentality in these comments is overwhelming sometimes.

The question is not “Will it be fixed?” but “Why is it there In the first place?” Given that the app makes a request to zipow.com to download the new installer, the auto-reinstallation is not a bug or an issue, but an intentional and anti-consumer design decision.

Yep but everyone in this community should know the answer there, we aren't perfect, we don't think about everything and we make mistakes. Then you fix them.

Too many people are just piling on without examining themselves and their own work.

You're ignoring much of the story, such as the part where they ignored the issue for months and then released a patch that they were told is ineffective.

So yes, we all make mistakes, and we should fix them promptly and correctly. Zoom did neither, and then put out that nonsense PR blog.

There's no way I will trust that company again after how they handled this.

Not ignoring, but I've seen similar from many companies we all work for. Of course, your criticism against them is fair too. And, I can also show you many companies who haven't gotten their shit together in 90 to 120 days too.

Give them some time and I think they will fix this and fix the issues that caused them to not catch this the first time and fix it as quickly as we would all like.

If you go into the bathroom of a restaurant and see cockroaches, would you feel comforted by management telling you to give them time, because they will definitely get rid of them and to not be too worried that they haven't already gotten rid of them?

Bad analogy :)

But you guys do what you want, I am getting tired of the mob mentality and extremism that seems to permeate these and other discussions. Why not give them some time and not adopt such an extreme position.

They were informed of the issue, proposed a quick fix, were told why the quick fix wasn't adequate, then went through with it anyway. That doesn't really inspire confidence in a company's security, especially not when their PR response to a potential threat is "we have no indication that this has ever happened"

Luckily I use Pi Hole I just Blacklisted zoom.us and zipow.com

Why? Delete the apps and they won't be able to do anything.

Pi Hole only covers DNS queries though, right?

Yep, but from the original https://news.ycombinator.com/item?id=20387298 it looks like zoom uses zipow.com for re-install


Applications are open for YC Winter 2023

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact