223 points maloga | 54 comments
1. KenanSulayman ◴[] No.20390860[source]
Looks like a background self-update was in progress while it was deleted?

Or is there an official uninstaller, and Zoom simply tries to „fix“ itself after the deletion-hook was invoked by MacOS? I can imagine plenty of people wondering why Zoom doesn’t work after they „moved it“.

replies(1): >>20390900 #
2. uj8efdkjfdshf ◴[] No.20390863[source]
Seems like ZoomOpener automatically reinstalls the Zoom app if it is uninstalled? [1]

[1]https://support.zoom.us/hc/en-us/articles/201362983-How-to-u...

replies(1): >>20390896 #
3. stefan_ ◴[] No.20390896[source]
This support article was silently updated after the Zoom debacle. Google cache has the old version, that doesn't mention removing their trojan:

https://webcache.googleusercontent.com/search?q=cache:QxuW6p...

>To uninstall any Mac App, see this article by Apple. Please also see http://www.wikihow.com/Uninstall-Programs-on-Mac-Computers

4. maloga ◴[] No.20390900[source]
Very unlikely, because we've double-checked on a couple of machines at the office here. Only on Mac though. Would be useful if we get some more confirmations.
5. ◴[] No.20390994[source]
6. eeeeeeeeeeeee ◴[] No.20391053[source]
I couldn't reproduce it (Mac, Mojave 10.14.5). I did this:

1. Ensure Zoom client is not running (the GUI, not the ZoomOpener)

2. Completely delete Zoom client app from /Applications, empty trash

(ZoomOpener continues to run from ~/.zoomus/, not just from memory, it is never deleted)

3. Wait 5 minutes

However, if you click on any Zoom link after you've done those three steps, it will absolutely re-install that client app into /Applications AND launch it into that video room. I confirmed that.

I still feel this is a violation of my trust and I'm uninstalling this app entirely and won't use Zoom again.

Also, if Apple actually cared about the Mac and privacy like they say they do, they would temporarily revoke Zoom's app signing key until they cut this shit out.

replies(5): >>20391115 #>>20391836 #>>20391859 #>>20392126 #>>20392982 #
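
Added example, not part of the comment above and not Zoom's or any commenter's code: a shell check for the state comment 6 describes, where the client is gone from /Applications but ZoomOpener is still present under ~/.zoomus/. The bundle name `zoom.us.app` and the function name `zoom_residue_state` are assumptions; the process list is passed in as an argument so the classification can be exercised on constructed directories.

```shell
#!/bin/sh
# Classify a Mac for the residue described in the thread: the Zoom client
# deleted from /Applications while the ZoomOpener helper stays in ~/.zoomus/.
# Assumption (not from the thread): the client bundle is named zoom.us.app.

zoom_residue_state() {
    apps_dir=$1    # normally /Applications
    home_dir=$2    # normally $HOME
    proc_list=$3   # output of `ps -axo comm`, passed in so this is testable

    client=no
    helper=no

    if [ -d "$apps_dir/zoom.us.app" ]; then
        client=yes
    fi

    # Any content left in ~/.zoomus counts as helper residue on disk.
    if [ -d "$home_dir/.zoomus" ] &&
       [ -n "$(ls -A "$home_dir/.zoomus" 2>/dev/null)" ]; then
        helper=yes
    fi

    # A helper still running counts even if its files are already gone.
    case $proc_list in
        *ZoomOpener*) helper=yes ;;
    esac

    if [ "$helper" = yes ] && [ "$client" = no ]; then
        echo "orphaned-helper"        # client deleted, helper can bring it back
    elif [ "$helper" = yes ]; then
        echo "installed-with-helper"
    elif [ "$client" = yes ]; then
        echo "installed"
    else
        echo "clean"
    fi
}

# Check the machine this runs on.
zoom_residue_state /Applications "$HOME" "$(ps -axo comm 2>/dev/null)"
```

A result of `orphaned-helper` is the condition in which, per the comment, clicking a Zoom link re-installs the client.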
7. jonwinstanley ◴[] No.20391115[source]
They need to leave them with their key so they can issue an update.
replies(2): >>20391119 #>>20392046 #
8. eeeeeeeeeeeee ◴[] No.20391119{3}[source]
Why? The company blog post is pretty clear that they don't see any of the security issues to be a problem.
9. mcdingle ◴[] No.20391193[source]
Give this a try:

https://www.objective-see.com/products/blockblock.html

10. PhasmaFelis ◴[] No.20391194[source]
Could you explain the problem in words, please? Not in a position to watch a video right now.
replies(1): >>20391272 #
11. sundayedition ◴[] No.20391210[source]
Related?

https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-milli...

12. latexr ◴[] No.20391245[source]
Between 00:15 and 01:30 it’s just waiting, so you might want to skip that section if you’re only interested in seeing it happen.
13. latexr ◴[] No.20391272[source]
It’s a silent video of less than two minutes. It shows a user on macOS quitting the Zoom app[1], dragging it to the Trash and emptying it. They stay still for about one minute and fifteen seconds, at which point Zoom pops up on the Dock again, opening its window.

[1]: This Zoom: https://news.ycombinator.com/item?id=20387298

replies(1): >>20396699 #
14. maxbaines ◴[] No.20391432[source]
Luckily I use Pi Hole; I just blacklisted zoom.us and zipow.com.
replies(2): >>20391476 #>>20393048 #
15. hnarn ◴[] No.20391476[source]
Pi Hole only covers DNS queries though, right?
replies(2): >>20391525 #>>20391561 #
16. knd775 ◴[] No.20391525{3}[source]
Correct.
17. maxbaines ◴[] No.20391561{3}[source]
Yep, but from the original https://news.ycombinator.com/item?id=20387298 it looks like zoom uses zipow.com for re-install
18. giancarlostoro ◴[] No.20391836[source]
I am not a big Zoom fan but everyone else but me at work has issues with Zoom. One vendor we do calls with sometimes gets the web version instead of the desktop version any time he joins a Zoom call.

My biggest pet peeve was Cisco's version. I had to install: a browser plugin, which wasn't used, then a desktop app, then a follow up desktop app to support voice and audio. What the actual heck is Cisco smoking!? I was shocked. I cannot believe the sheer incompetency and what saddens me is they probably advertise Webex as a solution but it is such garbage on a Mac. I dare not ask what it's like on Windows or Linux (ha!). I hate to say it but Webex might benefit from becoming an Electron app.

replies(1): >>20391948 #
19. runeb ◴[] No.20391859[source]
Most likely the video creator has a webpage open, waiting to send a request to the zoom localhost webserver after 90 seconds triggering the install.
20. yebyen ◴[] No.20391948{3}[source]
Webex and Zoom are absolutely not the same product, they are competitive offerings from different companies.
replies(1): >>20392047 #
21. danShumway ◴[] No.20392046{3}[source]
> so they can issue an update.

Revoking the key and making its restoration conditional on issuing a security patch would be a way to make sure an update does happen. I'm not a fan of Apple's approach to software signing, but this is a good opportunity to showcase some of the benefits that their system does legitimately have.

They'd be stepping in on behalf of users and saying, "Sure you can issue updates. After you fix the security hole."

Right now, Zoom is gambling that they don't need to care about security from a business point of view. Apple can change the situation so they do.

22. giancarlostoro ◴[] No.20392047{4}[source]
> My biggest pet peeve was Cisco's version.

I mentioned this, I just went off on a tangent cause it amazes me how broken some of these pieces of software are, it's a problem we solved a long time ago (audio and video conferencing) and it seems only Electron based apps have been getting it right lately for whatever reason.

replies(1): >>20392157 #
23. bastawhiz ◴[] No.20392056[source]
I really hope Zoom promptly fixes all these recent issues. I've used so many video conferencing solutions. Vidyo was amazingly unreliable. BlueJeans had the most amazingly awful interface I've ever encountered. P2P WebRTC solutions get destroyed when there's more than a couple people on a call. Hangouts has decent call quality but had spooky issues, like all parties joining a call, but each appearing as if they're the only ones present.

Zoom is the only solution that's been decent for me. The UI for the desktop client is a bit rough around the edges, but it's certainly not the worst. I'd really like to continue to like Zoom but I can't do that if they're going to do shady things or bungle security.

replies(3): >>20392798 #>>20393417 #>>20397247 #
24. MacroChip ◴[] No.20392126[source]
You sure you want that last sentence? If that were happening, we would all be commenting on here about how Apple decides who succeeds and who fails by threatening to revoke companies' keys on a whim.
replies(3): >>20392353 #>>20392395 #>>20392665 #
25. yebyen ◴[] No.20392157{5}[source]
If Zoom has a web-based client, I haven't seen it. I know that WebEx has a web-only client. I thought you had them like, really confused, y'know?

Turns out there is a Zoom Web Client though and I'm all wet.

replies(2): >>20392193 #>>20392497 #
26. giancarlostoro ◴[] No.20392193{6}[source]
All good, but yeah, I didn't know either, sounds like it is yet another one of those "works best in Chrome" clients, I usually use Firefox, and it probably tries to open Zoom. Maybe sometimes people click "open in browser" instead or something? Not sure...

What's worse is WebEx is supposed to be web only supposedly, but I installed 3 things to use it... Totally not HTML5 friendly at all...

For anybody interested in the Zoom web client:

https://support.zoom.us/hc/en-us/articles/214629443

27. pxanyc ◴[] No.20392272[source]
Are we sure they're not just using fleetsmith to install it and trolling all of us with the zoom news going on?
28. vorpalhex ◴[] No.20392353{3}[source]
Apple did that when Facebook was abusing enterprise signed apps and nobody threw shade at Apple. There's a time and place for that, and this is it.

Now, if Apple revoked their cert because they didn't like Zoom's view on <some political issue> then I'd be ranting and raving with the rest of HN.

replies(1): >>20408025 #
29. eeeeeeeeeeeee ◴[] No.20392395{3}[source]
Yes, I do. And in no way is revocation in this instance a “whim.”
replies(1): >>20408001 #
30. kabes ◴[] No.20392497{6}[source]
Their web client is actually doing something quite interesting. Instead of using webRTC, they load a webassembly video codec. They then encode frames in a webworker and transport them via websockets over their servers.
31. bwb ◴[] No.20392607[source]
I am pretty confident the Zoom team can fix this and the other issues mentioned in the great security article from yesterday. They seem to do good stuff and I love how well it works.
replies(2): >>20393850 #>>20397268 #
32. princekolt ◴[] No.20392665{3}[source]
Why not? The software is effectively working as malware. It should be revoked. And when they approve it again, they should issue a new certificate, to make sure the old software never gets past GateKeeper again.
33. buboard ◴[] No.20392798[source]
It's funny that Flash group chats worked better 15 years ago
34. fitzroy ◴[] No.20392982[source]
This is the point of sandboxing apps in the Mac App Store, and (to my understanding) providing simple and complete uninstallation. Mac users that care about issues like this (and I'm not saying they shouldn't) can avoid them by choosing to only install apps from the App Store.

Revoking signing keys on the Mac is pretty extreme considering that Zoom is the creator of the software — and that is what the key is meant to prove / enforce. I think that sets a very bad precedent.

The fact that Zoom is distributed outside of the App Store should at least raise eyebrows for Mac users. At this point, I tend to ask what specific functionality is required by an app, such that it wouldn't be allowed in the Mac App Store — especially for free client software (there can be perfectly valid reasons for this, such as previous versions of BBEdit).

35. driverdan ◴[] No.20393048[source]
Why? Delete the apps and they won't be able to do anything.
36. stcredzero ◴[] No.20393417[source]
> The UI for the desktop client is a bit rough around the edges, but it's certainly not the worst.

It is the worst for giving presentations. I had practiced for giving a presentation from my MacBook, and it was sprung on me when I arrived. Zoom "oh so helpfully" pops down a control panel every time the mouse cursor approaches the menus at the top of the screen. It also "oh so helpfully" puts itself into fullscreen when I don't want it to do that.

As far as I'm concerned, the UX is bungled.

replies(1): >>20399230 #
37. sieabahlpark ◴[] No.20393850[source]
Lol, is this a paid account? This seems to ignore just how bad this issue is.
replies(1): >>20393999 #
38. bwb ◴[] No.20393999{3}[source]
Super bad issue, just merely voicing I think they will fix it. Everyone seems to go into this shark feeding frenzy of how they are terrible and will never fix it. I get tired of that shit and merely pointing out this is a well run big company and they are going to fix it.

The mob mentality in these comments is overwhelming sometimes.

replies(2): >>20394685 #>>20395100 #
39. seieste ◴[] No.20394685{4}[source]
The question is not “Will it be fixed?” but “Why is it there in the first place?” Given that the app makes a request to zipow.com to download the new installer, the auto-reinstallation is not a bug or an issue, but an intentional and anti-consumer design decision.
replies(1): >>20395128 #
40. BanazirGalbasi ◴[] No.20395100{4}[source]
They were informed of the issue, proposed a quick fix, were told why the quick fix wasn't adequate, then went through with it anyway. That doesn't really inspire confidence in a company's security, especially not when their PR response to a potential threat is "we have no indication that this has ever happened"
41. bwb ◴[] No.20395128{5}[source]
Yep but everyone in this community should know the answer there, we aren't perfect, we don't think about everything and we make mistakes. Then you fix them.

Too many people are just piling on without examining themselves and their own work.

replies(1): >>20395560 #
42. en-us ◴[] No.20395560{6}[source]
You're ignoring much of the story, such as the part where they ignored the issue for months and then released a patch that they were told is ineffective.

So yes, we all make mistakes, and we should fix them promptly and correctly. Zoom did neither, and then put out that nonsense PR blog.

There's no way I will trust that company again after how they handled this.

replies(1): >>20395652 #
43. bwb ◴[] No.20395652{7}[source]
Not ignoring, but I've seen similar from many companies we all work for. Of course, your criticism against them is fair too. And, I can also show you many companies who haven't gotten their shit together in 90 to 120 days too.

Give them some time and I think they will fix this and fix the issues that caused them to not catch this the first time and fix it as quickly as we would all like.

replies(1): >>20396519 #
44. seieste ◴[] No.20396519{8}[source]
If you go into the bathroom of a restaurant and see cockroaches, would you feel comforted by management telling you to give them time, because they will definitely get rid of them and to not be too worried that they haven't already gotten rid of them?
replies(1): >>20397714 #
45. PhasmaFelis ◴[] No.20396699{3}[source]
Thanks! That was a lot quicker to read than watching the video.
replies(1): >>20409683 #
46. latexr ◴[] No.20397247[source]
> I really hope Zoom promptly fixes all these recent issues.

They don’t see them as issues, but as features. These happen on purpose. They’ve said as much, including that they don’t intend to change this behaviour. If they do it now, it’ll be because they’re trying to stop the bad press and not because they believe these are problems, which means they can’t be trusted to not pull other crap like this in the future.

47. latexr ◴[] No.20397268[source]
> I am pretty confident the Zoom team can fix this and the other issues mentioned in the great security article from yesterday.

I am pretty confident they won’t, because they’ve said they consider these to be features and intend to keep it that way. If they backpedal now it won’t be because they’ve realised how user-hostile this is, but because they’ve gotten so much bad press.

48. bwb ◴[] No.20397714{9}[source]
Bad analogy :)

But you guys do what you want, I am getting tired of the mob mentality and extremism that seems to permeate these and other discussions. Why not give them some time and not adopt such an extreme position?

49. bastawhiz ◴[] No.20399230{3}[source]
Unfortunately the default settings aren't great. But if you've got the patience to configure it (e.g., you're a remote employee) it's much more tolerable.
replies(1): >>20399298 #
50. stcredzero ◴[] No.20399298{4}[source]
So basically, you have to become a Zoom expert to make it good for presentations? Funny, but Keynote hooked up to a projector or a screen just works.
51. MacroChip ◴[] No.20408001{4}[source]
Understood. I would hope that they spell out the terms of when a key revocation would happen if they were to revoke keys.
52. MacroChip ◴[] No.20408025{4}[source]
Ok thanks for the example. I hadn't heard of that, so I just briefly read about it. It looked like there were clear terms about the Enterprise apps: that it was for internal, employee use. Facebook was distributing it to non employees. I imagine that is why there was little shade thrown.
53. fpalmans ◴[] No.20409683{4}[source]
Thank you everyone for this little thread. This is exactly what I am looking for when I read the comments to a video link!