
Some more shadiness from this company. The Zoom.us website is explicitly allowing the browser, with its Content Security Policy headers, to load scripts from these domains:

https://*.50million.club

https://apiurl.org

https://secure.myshopcouponmac.com

https://serve2.cheqzone.com

https://ad.lkqd.net

Doing a fast Google search for these domains shows they are mostly known for being associated with malware...




I saw somewhere on Twitter, possibly as a reply to Scott Helme, that they possibly added these URLs to their CSP because they were getting errors in their CSP logs from machines that had adware/malware loaded. Can't find the tweet though, so maybe it wasn't him (but I'm reasonably sure it was a discussion of CSP, ReportURI, and the fact the CSP changes depending on logged in/out of zoom's site).

Pretty bad solution if that was indeed the case.


Ah, the classic "fix it just to shut the error up" without actually looking at the cause. Lowest bidder contractor probably.


I had some audio issues today on a zoom and they helpfully asked for me to sudo to fix the problem

https://i.imgur.com/oCqmZZ3.png

"just to shut the error up" is about right.


It's amazing how many Zoom screenshots have spelling or grammar errors, like this one. For a supposedly US-based company, it's pretty clear a lot of the UI text isn't written by a native English speaker.

I'm not intending to demean non-native English speakers or their ability to write code - but this looks pretty bad from a QA standpoint.

edit: elsewhere in the thread it's shown most of the software engineering team is in China, which explains this.


What version of macOS are you using?


Actually, killing coreaudiod can be necessary every once in a while.


Having worked with CSP this isn't really something that can be fixed. If you disable scripts from all but approved sources your reporting URI will be flooded with reports from browser extensions and malware trying to inject code. The best you can do is silence the reports after they arrive (or in this case just allow them, yuck).


You are supposed to set a strict policy and disable the reporting. Reporting is for dev/debugging purpose, it’s not meant to be the end state.


Wow you're right. Here I was about to comment that you've probably got some browser extension installed doing that.

To see for yourself, simply `curl -I https://zoom.us`
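A small checker, added here as an example and not part of the thread or of Zoom's own tooling, that does offline what the `curl -I` check above does by hand: it parses a CSP header, lists every `script-src` host that is not first-party, and reports whether a `report-uri`/`report-to` directive is still present (the point raised above about reporting being a dev/debug setting rather than an end state). The sample header is constructed from the domains quoted in the first comment; the first-party set (`zoom.us`) and the two-label "registrable domain" shortcut are assumptions, since no public suffix list is used.

```python
"""Flag third-party script sources and leftover reporting directives in a CSP header."""
from urllib.parse import urlsplit

# Constructed sample header for the example; the script hosts are the ones quoted
# in the first comment, the report-uri is a placeholder.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://*.50million.club https://apiurl.org "
    "https://secure.myshopcouponmac.com https://serve2.cheqzone.com https://ad.lkqd.net; "
    "report-uri https://example.invalid/csp-report"
)

# Assumption: the site's own registrable domain(s); anything else is third-party.
FIRST_PARTY = {"zoom.us"}


def parse_csp(header):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_host(src):
    """Return the host of a source expression, or None for keywords like 'self'."""
    if src.startswith("'"):          # 'self', 'unsafe-inline', 'nonce-...', etc.
        return None
    if "://" in src:                 # scheme + host form, wildcards allowed
        return urlsplit(src).hostname
    return src.split("/")[0].lower()  # bare host-source, e.g. cdn.example.com/path


def registrable(host):
    """Naive registrable domain: last two labels (assumption, no public suffix list)."""
    labels = host.lstrip("*.").split(".")
    return ".".join(labels[-2:])


def third_party_script_sources(header, first_party=FIRST_PARTY):
    """Script sources whose host is outside the first-party set."""
    policy = parse_csp(header)
    # script-src falls back to default-src when absent, as the CSP spec does
    sources = policy.get("script-src") or policy.get("default-src") or []
    flagged = []
    for src in sources:
        host = source_host(src)
        if host is not None and registrable(host) not in first_party:
            flagged.append(src)
    return flagged


def reporting_directives(header):
    """Reporting directives still present in the policy (dev/debug leftovers)."""
    policy = parse_csp(header)
    return [d for d in ("report-uri", "report-to") if d in policy]


if __name__ == "__main__":
    for src in third_party_script_sources(SAMPLE_CSP):
        print("third-party script source:", src)
    for d in reporting_directives(SAMPLE_CSP):
        print("reporting directive present:", d)
```

Run against a real header by pasting the `Content-Security-Policy` value from `curl -I` into `SAMPLE_CSP`; the registrable-domain shortcut will misjudge multi-label suffixes such as `co.uk`, so treat its output as a starting list to review rather than a verdict.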


Yeah...about that: ad sites are contacted by malware a lot so google results will show as such. Adware is technically malware.


I am testing these URLs with the 1.1.1.2 DNS from Cloudflare launched today, and it seems it works fine blocking them.

https://news.ycombinator.com/item?id=22748141


At least it's shady enough :D cX



