Hacker News new | past | comments | ask | show | jobs | submit login
Zoom has a signed binary that runs any unsigned script (twitter.com/danamodio)
562 points by kccqzy 8 months ago | hide | past | favorite | 214 comments

Some more shadiness from this company. The Zoom.us-website is explicitly allowing the browser with its content security policy-headers to load scripts from these domains:






Doing a fast google for these domains shows they are mostly known for being associated with malware...

I saw somewhere on Twitter, possibly as a reply to Scott Helme, that they possibly added these URLs to their CSP because they were getting errors in their CSP logs from machines that had adware/malware loaded. Can't find the tweet though, so maybe it wasn't him (but I'm reasonably sure it was a discussion of CSP, ReportURI, and the fact the CSP changes depending on logged in/out of zoom's site).

Pretty bad solution if that was indeed the case.

Ah, the classic "fix it just to shut the error up" without actually looking at the cause. Lowest bidder contractor probably.

I had some audio issues today on a zoom and they helpfully asked for me to sudo to fix the problem


"just to shut the error up" is about right.

Its amazing how many Zoom screenshots have spelling or grammar errors, like this one. For a supposedly US based company, its pretty clear a lot of the UI text isn't written by a native English speaker.

I'm not intedning to demean non-native English speakers or their ability to write code - but this looks pretty bad from a QA standpoint.

edit: elsewhere in the thread its shown most of the software engineering team is in China, which explains this.

what version of macos are you using?

Actually, killing coreaudiod can be necessary every once in a while.

Having worked with CSP this isn't really something that can be fixed. If you disable scripts from all but approved sources your reporting URI will be flooded with reports from browser extensions and malware trying to inject code. The best you can do is silence the reports after they arrive (or in this case just allow them, yuck).

You are supposed to set a strict policy and disable the reporting. Reporting is for dev/debugging purpose, it’s not meant to be the end state.

Wow you're right. Here I was about to comment that you've probably got some browser extension installed doing that.

To see for yourself, simply `curl -I https://zoom.us`

Yeah...about that: ad sites are contacted by malware a lot so google results will show as such. Adware is technically malware.

I am testing these URLs with the DNS from Cloudflare launched today, and it seems it works fine blocking them.


At least it's shady enough :D cX

To clarify, this zoomAutenticationTool† is part of the preflight "script" that gets run inside the Zoom installer. It is a signed binary that happily runs anything, including unsigned scripts. This generic-looking tool can be used to bypass code signing requirements. (It does prompt the user for administrator privileges.)

†: I didn't misspell the name of the executable. It's missing an h.

In other misspelling news, the preflight script also has a typo that apparently causes Retina images to not get installed. The typo is "reitna". ;)

See: https://twitter.com/cabel/status/1244788931427622912

Is this like when you have to spell cheese as something like "cheez" for legal reasons?

Meat flavored sausage. "flavored" is in extra small letters.

Even worse when it has "X with real Y flavor" meaning "something that has the same flavor of Y".

And it’s missing the ‘u’ *flavoured

A little ‘humour’ is allowed, right?

It depends on if the colour is grey or gray when you buy it at the meat shoppe.

> †: I didn't misspell the name of the executable. It's missing an h.

Ty for making me laugh.

* laug

Thanks all, this thread is brigtening up my day.

What is with Zoom misspelling everything? Their shady installer pops up "System request administrator privileges", and the code it runs misspells "retina" as "reitna".

Lack of code reviews and quality assurance.

It is also reported that their engineering team are not native English speakers but I don't think that's the main issue. I've seen codebases full of spelling errors where all developers were native speakers.

Yeah, that just seems to be dog whistling to me. A native speaker isn't going to think "reitna" is right but "retina" is not. It's just poor QA IMO.

I mean, I'm not a native speaker but I could do better than that :-)

Probably because they don't employ native English speakers for this sort of work. Also, no QA. You'd expect these errors in a 3 person startup, not a public company worth almost 40 billion USD.

> †: I didn't misspell the name of the executable. It's missing an h.

I've seen a lot of posts defending Zoom wrt other offences. But at this point it should be clear what their practices are.

It does make me feel a bit better though - sometimes I go overboard with security and spend hours making certificate validation work everywhere etc - the people actually making money skip all that and just ignore it. They typically get away with bad practices until they really get massive, as long as the software works well otherwise.

Sometimes when coding I think there is technically an obscure race condition security flaw and, from time to time, leave a TODO instead of spending those grueling hours. This weirdly makes me sleep better at night.

At any rate, "sunlight is the best disinfectant"!

IMHO those you mention who make money are, in this case, qualified further to a category of products that in essence are not complicated. Video conferencing is not complicated until you have scaling problems. Similarly, Facebook was not complicated until it got millions of users at which point most of their interesting code had to do with scaling.

My point is that Zoom is replaceable and in fact, IMO should be replaced. Their tactics of using these dodgy techniques is because they want to have an edge over competition along the lines of "it just works".

I would contrast this to pure research services that add value that would otherwise not be there. Examples of this would be at the time that they were startups: Google (search algorithms) or Spotify (music categorisation algorithms). I'm not saying that today either of Google or Spotify are paragons of morality. At the hardware level I would include Tesla (battery tech) and Intel (processors).

My point is that the shady practises are at this point Zoom's product offering. If their video scaling algorithms are superior (and not just lifted from some open source libraries) then that should be their product offering. Not "it just works" via security exploits.

Edit: Typos.

If video conferencing wasn't complicated, there'd actually be a product everyone likes. So far, everyone seems to hate all of them.

How much of this is related to the software though and how much is related to home internet speeds, camera quality, microphone quality, etc.? Most laptops ship with really low quality webcams and mics, and that’s predominantly what people are using.

The difference between Zoom and Google Hangouts is staggering. Zoom works way better. I actually love it from a usability perspective, though it's frustrating because if Apple/Microsoft/Google could agree on an open standard with open-source clients/protocols Zoom wouldn't be necessary.

I've just been using Slack video (for small groups or one-on-ones) and BlueJeans for larger meetings. I've tried Zoom and didn't see what it added on top of BlueJeans except for feeling like malware.

Dropbox won early on for having the same user-friendly affordances. I can't say if I was making Zoom, that I wouldn't err on the side of usability at first, also.

And then they started running kernel extensions that made your computer slow.

When I was first asked to install Zoom I hadn't heard of it, so I googled "Zoom malware" (to see if it's malware, as I assumed someone would have written that up if it was.) I didn't find a clear "zoom is malware" blog post at the time. So I said that's good enough for me and installed it.

Later when I heard that Zoom installs and leaves a web server open on your machine, even if you uninstall it, I felt duped, since I did my due dilligence by Googling if it's malware. If it leaves a webserver running after uninstall, it's obviously malware, same as if it launched a Windows search for "passwords.txt". There's no real room for interpretation here.

But I didn't find that at the time.

Whereas if I did that Google search today I would find that it:

monitors activity on your computer - https://news.ycombinator.com/item?id=22657384

is not encrypting end to end despite claims - https://news.ycombinator.com/item?id=22735746

allows any web site to access your camera at any time without requesting any kind of permission or making the user aware - https://news.ycombinator.com/item?id=20387298

reinstalls itself silently after uninstall (if you click a zoom link, after uninstall) - https://news.ycombinator.com/item?id=20390755

If I were considering installing it today, I would install it only in a virtual machine after Googling what kind of protections to use when trying malware in a VM. (Since it can be expected to play shenanigans with your network and with the host's USB devices etc.) Just basic stuff, as Zoom isn't very sophisticated.

After I read all this I was angry. Not because all of this makes it obviously malware but because it's sloppy malware, and I specifically Googled whether it was sloppy, obvious malware and didn't get a clear "yes, Zoom is malware."

By the way sending data to Facebook doesn't make my list of links, as that is par for the course and anyone might do that. I have a pretty high tolerance for crap and to be honest Zoom is the only mainstream software that failed it so far.

Though I guess technically I still use Zoom every day (until I buy a new computer), you know, since I did install it that one time, before I uninstalled it...

How do I uninstall the web server - or better, can you please point me to guides to remove the bits left after the uninstall. I don't mind uninstalling/reinstalling this till I get a VM setup.

sorry, I don't know. I only just ran the uninstaller.

Ha, for sure. E.g. SnapChat didn't actually delete the pictures in the first versions. Apparently, they didn't know how. So they renamed them with a different extension so the photo app didn't find them. But tether your phone, and voila! they were all still there on the phone.

Didn't stop them from becoming very successful.

> They typically get away with bad practices until they really get massive

They get away with it because they aren't liable for any damage caused by exploitation of vulnerabilities caused by their bad practices. If they had to indemnify the victims of their negligence, I guarantee they'd care a lot more about doing things right.

Legitimate question: what is bad about this? I've read all the comments and still don't see a convincing explanation.

Code signing just says you can trust that the software you clicked on came from the actual developer.

It doesn't say anything at all about what the software does. Of course signed software can do whatever it wants. It's not like there's supposed to be some chain of trust that it's only allowed to run further signed code. It's free to run a Python script or shell command or whatever it wants. And installers certainly run scripts.

And as other comments here state, to do anything that requires root privileges, it pops up to ask for your admin password, so it's not getting around that.

I see references to this being a "malware pattern" but no explanation of why or what that means specifically. Zoom is commercial software (not malware) and I don't see how this is a vulnerability (something malware could take advantage of) so I'm not getting it.

Can someone explain what the problem is here? Or is there no problem?

If a script is signed, then there's a high probability that the script is going to do what it's supposed to do.

If the binary runs an unsigned script, then that script could be modified to do something malicious.

Signing isn't difficult or expensive so why not insist on it?

But how could it be modified? What is the threat model? An evil network? TLS solves that. Evil code on the local machine? You are boned anyway and probably lose to TOCTOU problems when validating the signature on the script.

redistribute the modified zoom installer from your own domain. Send meeting invites with a link to the modified zoom installer.

You get the zoom signed package installing your unsigned code.

And somehow break the binary's signature?

But the truth is you don't really need to do that. If people are coming to your own domain you can ship them whatever you want. I'd wager that well below 1/1,000,000 users actually verify signatures on binaries. For the huge majority of users, there is little you can do to prevent this.

But if you modify it, it's no longer signed?

apparently the issue is that you could modify the script, keeping the script-launching binary unchanged and signed?

did not try/verify though

How are you planning on modifying the script?

The network can't do it if it is downloaded over TLS. A malicious host can already ship evil scripts. Malware on the local machine can already do worse that edit a script.

The installer is code-signed, and requests root privileges, right?

>Malware on the local machine can already do worse that edit a script.

Malware on the local machine may not have root rights. You're basically arguing that privilege escalation isnt a real threat.

I agree that a dumb signature validation will have TOCTOU problems but the solution is better validation, not to abandon signatures.

I'll ask again.

What is the threat model?

To me, all this looks like people knowing that signing is somehow good and demanding it in a context where it isn't clear that it makes sense. And given that the top post in this thread is about skeevy domains, how the heck would signing scripts achieve anything? Even the reposted tweet says "don't think you could weaponize".

The threat model is a malicious entity has limited access and can swap out the intended script for a malicious one, and have it run in a root context.

This is equivalent to not having signatures on your repository packages and saying "no biggie, we rely on transport encryption". Might work in most cases, but there's a reason good security uses layers. A failure at any point-- TLS downgrade attack, repo compromise, proxy compromise, DNS poisoning-- can result in your preflight script executing malicious code.

Requiring code signing with a pinned cert would solve this issue, but would be terribly out of character for the company that brought us a hidden local REST API to bypass OSX security prompts.

But isn't this an issue in the OS security system? Zoom is only using a loophole, just like any malware would.

Same with the recent story on UNC links in Zoom chat. That's an issue in Windows. Why is windows sending your password out on the internet willy nilly? In this climate, 2020, Microsoft should know better.

One could argue that legitimate software acting like malware is an issue in and of itself.

You're right.

Consider that any Mac app that:

* Supports plugins that aren't signed by Apple

* Executes scripts or macros from a file

would technically have the same "problem". That's a heck of a lot of apps.

On iOS Apple do insist on a full chain of security, which is why only Apple's own browser app can JIT code. It's an extremely perverse and serious limitation that has no real security justification: consider that Android manages just fine without it.

As far as I can tell, Zoom is currently the target of a witchhunt. People are digging for dirt and blowing stuff well out of proportion.

There are a lot of people blowing things out of proportion who don't know what they're talking about. However these things are newsworthy and probably worth Zoom fixing. (I think to a certain extent if I say something like "It's dumb that Zoom doesn't have real e2e encryption and they should fix it." That sounds harsh and I mean it. That said I'm still going to use Zoom unless something with equivalent UX and e2e encryption comes along.

(Someday there will be a solid cross-platform native p2p video client with e2e encryption.)

FaceTime? It probably doesn't work at conference scale but it is E2E.

> We designed iMessage and FaceTime to use end-to-end encryption, so there’s no way for Apple to decrypt the content of your conversations when they are in transit between devices.


But that's a total lie, isn't it? They can just send your iPhone a public key owned by Apple. Or they can put a backdoor in the app and get you to install an upgrade.

FaceTime isn’t cross platform.

E2E is snake oil at the moment. Nobody has developed a reasonable UX to let people exchange keys, and closed source clients that can be centrally updated render any such encryption pointless. It could be disabled at a moment's notice and you'd never know. I don't blame Zoom for not investing in it.

The problem isn’t that Zoom is lacking E2E. The problem is they claim to have it and actually don’t.

i was about to write the same comment. id bet the percentage of HN readers running 100% signed code is damn close to 0.

the zoom witchhunt is really something. zoom may or may not be a witch (im no China apologist, i yell at all my friends for using tiktok), but if we get the answer right it will be based on luck and emotion, not logic and reason.

> zoom may or may not be a witch (im no China apologist

Zoom is an American company, headquartered in the US, employing mostly Americans, subject to US law, etc. Its CEO is an immigrant, but that's true of half the American tech companies out there, including Google and Microsoft.

EDIT: I'm white, but my wife is Asian-American and has told me more than once how white people often treat Asian-Americans as if they're not real Americans. I'd never witnessed that myself, but I guess the above comment is the kind of sentiment she's talking about. Zoom may or may not be a scummy company, but its founder's birthplace is immaterial. He's a US citizen, and deserves the same treatment we give to maybe-scummy white American CEOs like Mark Zuckerberg.

> employing mostly Americans

"“Our product development team is largely based in China, where personnel costs are less expensive than in many other jurisdictions,” Zoom wrote in a regulatory filing."

Source: https://www.cnbc.com/2019/03/26/zoom-key-profit-driver-ahead...

The concerns about TikTok are that it's potentially Chinese government spyware because TikTok is owned by a mainland Chinese company which has legal obligations to the Chinese government.

Zoom is a US company that is not answerable to the Chinese government. Like many companies, Zoom has chosen to outsource some of its operations, and those overseas offices create various infosec risks. And given that Zoom infosec seems to be a total clown show, those infosec risks are probably more serious at Zoom. But that would be equally true of any other American company that is really lax about security and too cheap to employ American developers.

Not entirely true. While Zoom as a company is not answerable to the Chinese government, the developers are.

Given that we have such horrible laws even in the "more democratic" parts of the world, such as Australia [1], it is not unthinkable that the Chinese government may ask a Chinese developer to install a backdoor to a foreign based product they are working on:

[1] https://www.bbc.com/news/world-australia-46463029

> The Electronic Frontier Foundation has said police could order individual IT developers to create technical functions without their company's knowledge.

The same concern applies to any American company with Chinese offices, including Google, Facebook, etc.

except its not an office, its the majority of their dev team operating inside one of the top 3 unsafest, most anti-american (with respect to cybersecurity) countries in the world.

> Zoom is a US company that is not answerable to the Chinese government.

If that was true, then events like the Huawei USA "Tappy" [1] incident wouldn't have occurred. In any case, I'm not trying to take a stance here but merely wanted to correct your statement that they had more engineers in the US than in China.


Their employees are mostly American, as I originally stated. Their engineers are not.

Huawei USA is almost certainly majority controlled by Huawei China, whereas Zoom's Chinese subsidiary is almost certainly majority controlled by the US parent company. Hence, Huawei is a Chinese company for practical purposes (the people calling the shots will go to jail if they don't do what the CCP wants) and Zoom is an American company (the people calling the shots go to jail if they break American law, and are mostly out of reach of the CCP).

I'd bet the number of Mac users running 100% signed code is well over 50%

I bet it's close to 0%, and I think I can prove it too. How much do you want to bet?

I’m genuinely curious how you could prove anything that is applicable to all Mac users (lets say OS 10.5.x through the current version).

Is there an unsigned app/package included with all Mac OS X installs?

Did you even have signed apps (typically) installed in Leopard? Anyway, it depends on the standard of proof. But for the parent comment, it's fairly easy to get most reasonable people to agree that it's false. As a reminder, the claim is about:

> the number of Mac users running 100% signed code

You just have to ask yourself:

- what percent of Mac users run Javascript code

- what percent of Javascript code is signed.

Obviously OP meant outside of sandboxed environment.

There might be exploit out there that exit the sandbox, but they are unintended. But here zoom is intentionaly widening an exploit by being reckless. So thanks to zoom we might now expect even more drastic sandboxing in next MacOS release.

I disagree, not only is it not obvious - it's fairly obvious that he didn't mean that.

> the number of Mac users running 100% signed code is well over 50%

Would you say he meant "number of users running exclusively sandboxed code"? Or do you claim he means "number of users running 100% signed code outside the sandbox"? The only claim that would even make sense is "more than 50% of Mac users run exclusively sandboxed code". And it can't mean "app sandbox", but any kind of sandbox? Like, do java programs qualify? Is the JVM malware? If you install a signed app that requires the JRE, do you also install something that could run unsigned code?

Yeah something like 80% of my code is unsigned since I almost never pay for store apps.

> the zoom witchhunt is really something

I'm beginning to think the same thing. Someone seems to be orchestrating a full out attack on Zoom. I'd say it's working.

Hey! I posted this. Just want to be clear it still pops up and asks the user to authenticate as seen in the original post. Tried to clarify this in the thread I don’t want people to get confused and think this is worse than it is. Still really weird and follows malware patterns. Most likely not a gatekeeper bypass or anything because delivery would be difficult but seemed like a sketchy decision to basically write their own sudo tool into the pre install scripts.

Why did you delete the tweet?

We detached this subthread from https://news.ycombinator.com/item?id=22747727.

dang - could you change URL to this one instead of the deleted tweet?

I'm not super familiar with Apple's policies but is this really such a grave sin on OS X? The purpose of the signature, as I understand it, is mostly to assure the user of the provenance of the code and, in a pinch, let Apple disable it. It's not intended as some bulletproof runtime security mechanism and it's easy to think of lots of apps that would be signed but could legitimately execute some form of unsigned code.

It’s not per se, otherwise Terminal.app and iTerm2.app would be among the most sinister signed apps ever. Signatures only protect the app bundle itself, not user-supplied code or code fetched to locations outside the bundle.

However, it’s bafflingly weird to include such a thing just to skip a button press or two in the installer.

However, it’s bafflingly weird to include such a thing just to skip a button press or two in the installer.

Not at all. Generally every mouse click required to get an app running will slash your userbase in size by some staggering amount, like 20-50%. I can't quite recall the exact number or where I've seen this, but I've definitely heard this fact from multiple sources, including at Google. Try counting how many clicks are required to get Chrome on your system and you'll be surprised how optimised it is.

Companies measure this, they're very sensitive to it of course. They want as many conversions as possible, but they can see that the more complex the install process gets, the fewer users make it through the other end. It's entirely normal for Zoom to want to simplify as much as possible.

I wonder if it's just a case of an opinionated junior developer. I've been there. I've written a Windows NT console app once upon a time and there was something about the console that bugged me to no end, so I ended up rewriting it as a graphical app using my own fonts and terminal emulation. Probably wasted days doing this for some minor artifact of the UI, but it felt like a huge accomplishment at the time. Similarly here, guy or gal get it in their head that the extra click just won't do, and then find a hack around it.

I can see how skipping the installer flow might skeeve people out but this particular bit about some signed doodad in the installer being able to launch scripts seems like something between a nothingburger and mildly curious. Just wondering if I'm missing something here.

Yeah I don’t think this additional swipe adds much to https://news.ycombinator.com/item?id=22736608.

It is, from an Apple developer guidelines point of view. They have detailed docs on what situations to avoid[0] in order to elevate privaleges as safe as possible (ie: to not leave gaping holes). Granted, the best solutions they propose are not trivial to implement. Like installing a signed minimal attack surface helper that communicates over secure RPC to execute privileged functions (also don't forget to sanitise your inputs). Or having your App audited and signed so your App can access privileged Frameworks and API's (which means you have to shell out at least $100/y for a developer license for your open-source project).

All in all Apple does their best to provide the mechanisms but they are not necessary easy or trivial (w're dealing with the topic of security so what's to expect). Also with every step Apple takes to bind things down there is a public outcry that they are restricting peoples freedom in installing custom applications and pushing everyone into the Appstore ecosystem.

This of course doesn't excuse bad developer practices, but often it's the choice of doing things right or not being able to do them at all (never meeting your deadlines).

I had the pleasure of implementing one of the suggested privilege escallation systems in a pet project[1] and it was a fun puzzle for me. But I can tell you it will be a PITA if you solve this problem under pressure as (even though Apple provides some tooling to verify everything [2]) it's really hard to figure out if all moving components are setup right for everything to work and to debug any issues.

[0] https://developer.apple.com/library/archive/documentation/Se...

[1] https://github.com/aequitas/macos-menubar-wireguard/

[2] https://developer.apple.com/library/archive/samplecode/SMJob... https://github.com/brenwell/SMJobBless-Demo

The tweet is not about privilege escalation, though, just the fact that signed code can invoke unsigned code.

Meanwhile most of us curl stuff directly into our shells sometimes: https://brew.sh

At least in those cases we know it's happening and we can have a look at the script if we want.

Daily reminder: You can detect whether the script is being piped to shell or not, so inspecting the script, then curl | shell might not get you the same script. curl > file, inspect file, ./file is (probably) safe.

To expand on this, it is possible to tell apart the redirection to file and pipe to shell.


Sounds interesting and excessively comples; You can just as easily do this:

- Send X bytes of the script

- Send the line `curl my.server.com/asdjkfh`

- Stop sending data, wait for a request to `/asdjkfh`

- If you receive said request, start sending malicious data

- If you don't, wait 5 seconds and continue sending a "fake" script

It'll get you the same script, it just may not execute the same, right? curl is the thing being redirected, and the http server doesn't know about curl's redirections.

No, the point of the findings in that blog post is that a malicious HTTP server could infer that you're piping curl to bash, and serve you a _different_ script. Hence why it's safer to curl the script to a file, inspect the file, then execute locally.

I don't see how they could serve you a different script. How would they make the inference?

Read the article. It's based on timing; if you send a "sleep 10" command and then a bunch of data, the client will either display the "sleep 10" and go on consuming the data, or, if it's being executed, will actually sleep for 10 seconds and the data will pile up until its OS stops accepting new data, so you as the server will see that the client has suspended the download and can deduce that it's being executed live on the target machine. You can then choose how to end the script; with harmless looking code or the actual payload you want to run on their system.

What article?

It was linked in another comments a few ndoes up this tree

Found it. It was a parent sibling. Thanks. I understand now.

Yes! I second that feeling: knowing we are executing something and that thing being open source, it's up to us to check (plus running shell scripts is for power users). Here the user, average joe doesn't know what's happening, and can't check anything as it is hidden.

But so what? All it’s doing is installing the tool he needs.

He knows theoretically that this could be spyware or worse, but hey, everybody else is using it. Seems like no big deal.

Same with that curl script. What are the chances it’s bad? Small. So you run it and hope for the best.

Oh I hate that! For apps I want that do that, I first search if there's alternative installation methods available and use those, even if it's more work. Barring that, I will usually take a look at the script for anything it tries to download or any permissions its trying to set. But if I'm in a hurry...sometimes I just run it...

…that’s just one of the security issues with Homebrew.

In a couple weeks the public will have done a complete audit of all of zooms tools.

With zero impact on Zoom’s practices or their popularity, probably.

Edit to add: I mean, I hope they’ll lose a substantial number of paying customers over this? But I doubt it.

I actually hope they will just fix all of their security/privacy issues, and that we will end up with a decent video conferencing app that actually values users privacy.

I don't get why people are so negative. I mean zoom is not unique in this sense, many of the everyday apps we use share at least some of these issues.

How many of us use Intel CPUs that had (still have) infinite number of vulnerabilities? Or MacOS that at some point allowed root to login without passwords? How many security issues we (software engineers) create on a daily bases simply because the management needs something for yesterday?

I actually hope they will just fix all of their security/privacy issues

Yes, me too! I was going to edit my comment again to clarify, but I figured it wasn’t worthwhile trying to list all the caveats explicitly. But yes, if they fix this stuff and continue to be successful, that would be good.

How many security issues we (software engineers) create on a daily bases simply because the management needs something for yesterday?

I disagree with your premise there. Sure, security bugs can sneak in if you’re rushed, but that’s qualitatively different from actively exploiting security holes and using dark UI patterns to make your own life easier. I hope most engineers would refuse to implement feature requests like that. It should be considered a form of malpractice.

> I mean zoom is not unique in this sense, many of the everyday apps we use share at least some of these issues.

Very few. Zoom is written with a total disregard to security.

History has shown that ease of use is more important than privacy or security in nearly every case.

The reason is that we are living in an age of cognitive overload and time poverty. Time and cognitive space are far more expensive than the long tail risks associated with bad security and privacy.

That my friends is the text book definition of high quality malware.

Not a problem if everyone used Linux. (Sarcasm intended: no workable binary signing)

You're right, but there is signing of kernel and modules now, via secure boot, eg: https://access.redhat.com/documentation/en-US/Red_Hat_Enterp...

I'm not sure about binaries in general - having secure boot as an anchor at least makes the exercise less futile - but there an interesting point brought up here:


Dynamic linker, dynamic libraries and dlopen.

I see solaris has elfsign - and it appears to be in OpenSolaris too: https://github.com/joyent/illumos-joyent/blob/master/usr/src...

Not sure if it would work on Linux - and you'd might want to prevent running unsigned binaries. Not sure if that's a thing on OpenSolaris. Still, being able to verify a binary might help with handling random downloads, I suppose.

Yeah, module signing but not turned on by any distro. I can't even imagine not having driver signing on windows in 2020. There is IMA in Linux too. Even package signing barely started catching up in the last few years on most non-mainstream distros. It's practically unthinkable to have script signing too.

AFAIK it's on by default in Ubuntu?

> Modules built and shipped by Canonical with the official kernels are signed by the Canonical UEFI key and as such, are trusted. Custom-built modules will require the user to take the necessary steps to sign the modules before they loading them is allowed by the kernel.


Now that it's clear that Zoom developers do their best to do the worst, Apple should ban it entirely from their platforms

They can't. Not now at least. For better or worse, people all over are using Zoom to stay in contact. If Apple banned it, it would be extremely difficult for them to not take a PR hit right now.

Instead of banning, Apple should be working together with them to understand why they're resorting to such ugly hacks just to improve the installation UX, and use that feedback to improve macOS instead.

The installation UX needs not be improved. It needs the holes Zoom abused fixed, so that it can no longer circumvent asking for the user's final consent. There is absolutely no reason Zoom should get away with intentionally abusing the platform they're given.

> It needs the holes Zoom abused fixed, so that it can no longer circumvent asking for the user's final consent.

but... installing zoom is already asking for my consent, through an OS prompt. Do you want to have to type your user password two times for every app you install or what ?

It could prevent an app from posing as "System" in the prompt for starters.

It needs both.

1. Built an app that violates every security concern. 2. Gain massive traction because of its easy-of-use ("it just works"). 3. Become ubiquitous. 4. Fix the security bugs. 5. You won.

I'm afraid step 4 is optional.

If I buy an Apple device, it's mine, not Apple's to decide what I run on it.

But Apple does, in fact, decide what you can run on your device, at least on iPhones. That's _the_ primary reason why I never even considered buying one.

In fact I never understood why the HN crowd finds this policy so inoffensive. I've always considered it a massive intrusion on computing freedom.

Because it's not the 1980s anymore, and the thinking around security is different today. Running arbitrary code was mostly fine on 8- and 16-bit micros not connected to a global network, but today we need some sort of attestation that the code we run is trustworthy, otherwise it must be assumed not trustworthy. Code signing plus whitelisting -- the App Store model -- is one of the easiest ways to provide some degree of assurance of a program's trustworthiness.

I'm not arguing against whitelisting/curation. I'm arguing against forbidding your users to install anything that's not on the whitelist.

I find it really shocking that "it is ok for a single entity to decide which software you can run on a device you own, with no accountability whatsoever", is now apparently a mainstream opinion on a tech forum. And more disturbingly, you make your case by arguing against the very notion of broadly-available general-purpose computing.

If I can’t decide what I can run on my iPhone, then bad actors like Zoom can’t expect me to sideload their product. Everybody must go through apple’s flow, nobody can strongarm users into sideloading this kind of shit.

It comes down to how you perceive the technology. My MacBook Pro is a tool I use for work that needs to be highly flexible and configurable, so I’m willing to work to maintain it. My iPhone is a convenience. I will not put work into maintaining a convenience, that defeats the point.

Others view their phones differently, they may elect for more configuration at the expense of maintenance burden. That’s their choice to make. I for example view the idea of wanting to root ones phone to be absolutely insane.

Interesting take. I always pictured my phone as a computing device, even though I don't use it like one really. Nevertheless I'm wary about giving up freedoms, even the ones I don't use. I'd say I mostly worry about slippery slopes.

I use Linux as my main OS even though I don't really customize it that much and never looked at the source code, because I think it's important that critical infrastructure (as operating systems are) should be open. I don't use Spotify, not because I think it's too expensive or inconvenient, but because I worry that the convenience of streaming can train us to not insist on our freedom to listen to music in DRM-free formats (I don't know if it exists already, but I kind of expect platform-exclusive music to be a thing soon). I use Firefox, not because I think it's better than Chromium but because I want to help avoid Google completely dominating the web, even at its endpoints, etc etc.

In the iPhone case, my worry is that if people get used to a smartphone not being a general purpose computing device, they can also be trained to view their laptop that way. I hope I don't need to argue why that would be a bad thing.

The difference is a phone has never been a general purpose computing device. So saying that we need to make them one so that laptops remain one sounds to me akin to “if we don’t have full control of the software our watches run, we might one day end up not having full control of the software our laptops run”. It’s a bizarre comparison to make in my opinion.

I think you have it backwards. A general purpose computing device had never been a phone until recently. Now that it is, why should it have to lose its general purpose computing roots.

I dreamed about having a portable computer, somewhat like what my phone is now, when I was a kid. It ended up even cooler than I imagined it. The eventual device that came along has amazing battery life, oodles of CPU, RAM, and secondary storage, a wide array of sensors, multiple cameras with high resolution sensors and great optics, water resistance, exceptional build quality, a very small form factor, and it's at a price point that's reasonable. It's all great, except that I don't actually own it and can't use it for what I want.

Giving up control of the devices we own is dangerous. It most certainly is a slippery slope. The manufacturers will use "security" and "privacy" as a way to erect walled gardens on our heretofore general purpose computing devices. They will use the walled gardens to extract more revenue from developers and end users, and they'll act as police over what are "acceptable" applications. The average non-technical person doesn't understand why it's a problem, and those of us who are technical should be championing ownership instead of giving up control.

Chromebooks had a physical interlock that enabled/disabled the "trusted" functionality (perhaps they still do-- I haven't followed them). That is an acceptable solution, to me. It wouldn't be difficult to do, either. The fact that manufacturers don't include such functionality speaks volumes about their motivations.

If it is designed to run arbitrary software, clearly it's a general-purpose computing device, no? And maybe the ergonomics of phones makes their potential as general-purpose computers limited, but that argument doesn't fly for tablets (even on HN people use their tablet as a main work device, eg: https://news.ycombinator.com/item?id=22731192), and iirc Apple's draconic policies also extend to iPads.

It certainly looks like a slippery slope from where I'm standing. People have gotten used to not having full ownership of their phones, and tablets are kinda just big phones, so people have gotten used to not having full ownership of their tablets. But a tablet is also kind of like a small, highly portable laptop, and in fact many people use them as such. The boundary between the two is also blurring, with tablets becoming more laptop-like and laptops becoming more tablet-like.

I don't think it's a huge leap from here to fear that we are witnessing a trend, and that our ownership of our true general-purpose computing devices, such as our laptops, is not something we should take for granted.

My phone isn't a computer; it's an appliance. It needs to be reliable and secure before it needs to be anything else. If being as reliable and secure as possible means it does not compute freely, that's fine by me; that's what I use computers for.

It's the slow rise of authoritarianism. Seeing people essentially say "please enslave us more" is quite disturbing.

Thank you for continuing to be a voice of reason. I'm simply blown away by the apologists for normalizing owner-hostile culture in personal technology.

Manufacturers could include physical interlocks to allow this "trusted" functionality. Early (all?) Chromebooks had this kind of functionality. Manufacturers aren't including it because it locks-in their revenue streams, and owners aren't demanding it because the average non-technical user (and, apparently, technical people too) don't understand the value of the ability to control the devices you own.

Yes being able to freely buy a product that offers a different point on the security / openness continuum is slavery, and phrasing it like that doesn't undermine either the meanings of the word 'enslave' or 'authoritarianism'. Congrats on your dedication to your cyberpunk larp!

Part of Apple's value proposition (to me at least) is that they are (supposed) to keep the bad guys away from the platform and have a huge influence on app developers to force them to comply with their rules.

But it provides a false sense of security.

Statistics say otherwise.

And yet, here we are. Again.

Fact is that the 3rd party apple ecosystem just moves more slowly, breaking less, but fixing less too.

Tradeoffs, not superiority, are the choices offered to consumers currently.

This software isn't available thru the mac app store. Hopefully, we never get to the point where Apple can decide what I can/can't run on my mac.

When it's a known malware/security hole/misleading with intent, you'll be happy someone prevents it from running on your mac.

I wouldn't be surprised if some other MacOS apps pull similar tricks.

Interesting that we didn't know Zoom did this until everyone started using it, and someone finally audited it.

How would you bypass Gatekeeper with that? Something needs to run it. If you can, why can't you just do the same with osascript instead of running zoomAuthenticator?

   /usr/bin/osascript -e 'do shell script "touch /tmp/ran_successfully " with administrator privileges'

The tweet has already been deleted. You don't get substantive content from a tweet, you don't get detail, they're hard to follow when threaded, and usually they aren't well thought out or researched. Please don't submit (or upvote) tweets. It would actually be better if you created a blog post with a screenshot of it and posted that.

Not sure why you're being downvoted - I expect more meat from a submission than 'here's a context-free few sentences on a tweet!'

Google cache has a copy of the deleted tweet: https://webcache.googleusercontent.com/search?q=cache:a7E7do...

Any context as to why the tweet was deleted?

Link to the cached version of the tweet: https://webcache.googleusercontent.com/search?q=cache:a7E7do...

Curious why the focus on Zoom specifically given that there are 10,000 different conferencing products out there.

Are they the biggest?

Since all the lockdowns and social distancing rules have come into play for COVID-19, Zoom has seen a huge increase in consumer usage. That in turn has lead to increased scrutiny as more people use it.

Besides that, this certainly isn't the first time Zoom's shady practices have been exposed, where many other conferencing products haven't had such a track record.

What about using one of the many conferencing services that run from your browser?

Zoom has been repeatedly breaking the trust of their users - it's a clear pattern that won't change.

Isn't Zoom also one of the many conferencing services that run from your browser?

They use dark pattern to hide that: You'll have to cancel their attempt to open/download (one of that, don't remember) the native app three times before the link appears.

>Zoom has seen a huge increase in consumer usage.

Moreso than others? I deal with customers/partners all the time, and I count the following desktop clients installed on my laptop:

- Zoom - GoToMeeting - BlueJeans - Skype for Business - WebEx - Join.me


- Teams - Slack - Hangout Meet

And I'm probably missing a bunch. Is Zoom that much bigger?

Yes, Zoom has recently been adopted by local non-business groups across the world. Anecdotally, my wife's momgroups have Zoom now, and she's also using it with her own family. None of the alternatives are even close to good comparatively in ease-of-use and stability.

Ah. Makes sense. I deal mostly with businesses, and Zoom, from my anecdotal experience, is a minor player there.

In mid-2019 Zoom was only behind Cisco WebEx: https://www.ciodive.com/news/zooms-rise-carving-market-share...

Now it is the market leader. Hence all the bad P.R. Zoom's CEO was the head engineer for WebEx.

Also public, profitable.

Ease of use that came from bending platform rules.

you know what is more important than platform rules ? satisfying consumers. Remember that tech is made for humans before everything else !

e.g., if a majority (or even strong minority) of people in a country bends a rule, you change the rule to accommodate people, you don't put 30% of your population in jail. If zoom was a country, it would be the ~10th european country by population, you can't just ignore that.

In this case they were breaking security rules. The main people that accommodates is hackers.

which rule is being broken here ?

What’s the right way to sign a script? I’ve spent some time researching this and never found a satisfactory answer.

Put it inside an app bundle?

How to completely remove zoom from a unix system...


Last straw. Goodbye Zoom. I'll use it in a VM if I must.

Could someone kindly ELI5?

Meanwhile, apple doesn't accept my app because they claim the UI sucks

Apple didn't review or accept Zoom. It's not on the App Store.

Yeah, as much as I don't like the locked down nature of Apple devices/OS/software, this case with Zoom being able to do this stuff, is an argument for the locked down garden.

Locking stuff down is the best thing we can do to protect non-technical users barring a complete re-design of operating systems from scratch with a renewed focus on security.

Isn't this the exact opposite? Zoom didn't bother to go get accepted into high requirement locked down garden, instead they choose to distribute the binaries on their own without having to deal with pesky rules about unsigned scripts.

Well, if it was only possible to install apps via the App Store (Apples wet dream, but they'll lose a ton of users), then Zoom wouldn't be able to distribute their app any other way and forced to follow the guidelines.

Again, I'm playing devils advocate for a pro-walled-garden opinion me myself don't believe in, so don't take my opinion too seriously.

It's not an either/or. You can simultaneously have more trust in apps coming from the walled garden and cherry-pick with greater care the select number of potent applications that come from outside of it and are therefore harder to trust, precisely because they may be able to do more than what's allowed within the walled garden.

>Again, I'm playing devils advocate for a pro-walled-garden opinion me myself don't believe in, so don't take my opinion too seriously.

Pure cynicism on my part by default, so it's all good, mate.

But they only do this stuff to make their software seem fast and easy to install for the non-technical users because of the lock down restrictions...

App Store, Gatekeeper, etc are now working against what they were supposed to solve and encouraging worse developer behavior.

Really the best solution would be tackling the reasons why Zoom are doing this in the first place. Like how they provided a gentler version of Sandboxing to work around pro creative apps being basically unusable in the first versions.

The more you lock it down the more bad behavior you'll encourage from less ethical developers.

Not sure I buy this reasoning. It's like having rules that you can't kill people at your house, so people go outside and do it. Ok if you let people kill inside your house they'll just kill there too AND outside.

Zoom cloud meetings does seem to be on the App Store: https://apps.apple.com/us/app/zoom-cloud-meetings/id54650530...

Are you talking about something else or am I misunderstanding here?

That's the iOS version. All the security issues are on the macOS version (that's not on the Mac App Store and it's not sandboxed)

Not on the Mac App Store

Tweet got deleted :/

Just based on the title, consider that web browsers are signed binaries that run any unsigned script :)

In a sandbox, yeah.

dang , you probably want to change to this URL


Please explain how you are justifying that statement. Zoom is a publicly traded company in the USA, their HQ is in San Jose. The founder lives in the USA etc etc. Currently on LinkedIn out of the 1973 employes 1475 are in the USA on LinkedIn. Another site said they have 2532 employees, but even then that means 58% of the team is American.

I think it comes from this:

"China-born entrepreneur hit a snag. The U.S. government denied his visa application -- eight times.

After two years of rejection, Yuan, 49, finally made it to the U.S. and is now the major shareholder of video conference services firm Zoom Video Communications Inc."

So what? My family came from Germany on one side, and Ireland on the other.

I do not know what their visa denial rate was but I am happy they persisted :)


Gitlab (partially) acknowledged the issue: https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555

but most of the conversation is missing: "This comment is currently under review for potential violation of the GitLab Code of Conduct. For more information, please reach out to conduct@gitlab.com."

so we'll never know what's the end story there. If someone knows I'm curious.

Though personally, I don't think China is more a danger than the US, or any local spying organisation of your choice.

Rude, and not good conduct for the etiquette of this community. Instead of backing up your statement you attacked the messenger.

It's compromised by US. One more, one less. Use Zoom to planify when you are going to walk your dogs or what brand of flour you are going to buy. Nothing more sensitive. Just run it in a VM, after the security fiasco where anyone could literally snoop in your webcam.

Get your friends and family off of Zoom. Use Jitsi Meet https://jitsi.org/jitsi-meet/

It's opensource, free and doesn't require user accounts. Plus you can host it yourself.

I don't see anything wrongs here, you investigate the script and it just an installer. Did you even look at nvidia-installer? Why no one talks on that crap? So much hate on Zoom... I hate that too, I was at meeting yesterday and my interentet got disconnected and couldn't get back but even after reconnecting there was an audio issue.

What's wrong here is that Zoom hacked together an installer against all normal structure that Apple recommends. And that installed includes a very stupidly designed component that will try to run whatever you ask it with admin privileges.

This is yet another indication that nobody at Zoom has a single clue on how to build a secure and stable application. Another example of that mindset released today: https://www.theverge.com/2020/3/31/21201956/zoom-leak-user-i... They are proving to completely not understand how to design security/privacy features. Frankly, their technology team sounds like total amateurs that hack things together.

“Total amateurs hacking things together” somehow managed to ship something functionally better than products from mature shops like MSFT that mean serious business. The irony there.

It has long been the legendary case that Microsoft takes three major versions to get a usable product, then encrusts it with ornamental features until it has trouble breathing around version 7 or 8.

It's more like they gained better ease of use by bending platform rules, to the detriment of security.

I highly doubt Zoom’s video conferencing solution was solidly working while MS Teams crumbled under load two weeks ago is due to magic in Zoom’s macOS installer.

Wasn't talking about infrastructure, was talking about the ease of use that led to large market share. Zoom broke lots of platform rules to perform that trick.

Market Cap of 38bn USD, based on a single product that entered a settled and crowded market.

Public, profitable, founder was Head Engineer for Cisco WebEx. Runs global videoconferencing under massive new load during Covid-19, on their own servers.

HN comment: "total amateurs".

Love this place.

Better start getting used to it if you haven’t already.

> Did you even look at nvidia-installer?

You're free to analyse it and publish your findings. That's not making zoom any better.

Did you look at the tweet? The installer lets anyone run any script as root. That seems fairly bad.

It lets anyone with an admin account run any scripts as root. No privilege escalation here, it's basically a gatekeeper bypass.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact