1597 points seapunk | 6 comments
mrpippy ◴[] No.22706650[source]
I just downloaded Zoom for Mac, saw that it was a .pkg file. Great, I can see what files it installs before I install it.

I open the .pkg, click Continue so it can run its script, then a second later Installer quits and the app launches. What?!

Turns out, Zoom installs the entire app in the 'preinstall' script of the installer package! Inside there's a copy of '7z', and the app is extracted with that. The preinstall script is littered with typos and poor grammar.

I'm not one of those people who thinks that Apple is going to force all Mac software to come through the App Store, but when I see stuff this stupid...I start to wonder.

replies(7): >>22707224 #>>22707541 #>>22707597 #>>22707817 #>>22707988 #>>22734686 #>>22752961 #
Wowfunhappy ◴[] No.22707224[source]
While I also dislike this type of thing, remember that Zoom's business is built on getting people into calls as quickly as possible. Seconds matter.

So I can totally understand why they would want to use 7zip to shave kilobytes off the download size.

replies(3): >>22707302 #>>22707333 #>>22764419 #
1. zndr ◴[] No.22707302[source]
This is a great point. People understand installers/.pkg files far better than `.app`'s wrapped in a DMG. Those often get launched inside the DMG which has a ton of other issues, rather than being dragged to the Application folder.

Also packages allow for easier deployment rather than dmg's.

replies(1): >>22707616 #
2. ThePowerOfFuet ◴[] No.22707616[source]
This isn't the point; it's the fact that the installer is being abused to install an app without even giving the user the option to proceed or not. Nothing should be installed as part of the preflight.

Par for the course with Zoom, so it seems.

replies(1): >>22707671 #
3. zndr ◴[] No.22707671[source]
I don't think it installs it; I think it just calls the resource from the package.

NVM I decided to inspect the package with `pkgutil`

Here's the offending code

```
###################################
function install_app_to_path(){
    #path=$1
    InstallPath="$1/.zoomus_"$(date)""
    mkdir -p "$InstallPath"
    mkdir -p "$InstallPath/Frameworks"
    if [[ $? != 0 ]] ; then
        rm -rf "$InstallPath"
        return 1
    fi

    if [[ -d "$1/zoom.us.app" ]] ; then
        rm -f "$1/zoom.us.app/Contents/Info.plist"
        mv "$1/zoom.us.app/Contents" "$InstallPath/trash"
    fi

    if [[ $? != 0 ]] ; then
        rm -rf "$InstallPath"
        return 4
    fi

    rm -rf "$1/zoom.us.app"
    if [[ $? != 0 ]] ; then
        rm -rf "$InstallPath"
        return 4
    fi

    mdfind 'kMDItemCFBundleIdentifier == "us.zoom.xos"'> .zoom.us.applist.txt

    echo "["$(date)"]un7z zm.7z =================================" >>"$LOG_PATH"
    if [[ -f res.7z ]] ; then
        ./7zr x -mmt ./res.7z -o"$InstallPath/Frameworks"&
    fi

    if [[ -f resReitna.7z ]] ; then
        ./7zr x -mmt ./resReitna.7z -o"$InstallPath/Frameworks"&
    fi

    if [[ -f bundles.7z ]] ; then
        ./7zr x -mmt ./bundles.7z -o"$InstallPath/Frameworks"&
    fi

    un7zresult=$(./7zr x -mmt ./zm.7z -o"$InstallPath" 2>>"$LOG_PATH")
    ret=$?
    echo "["$(date)"]check un7z return:$ret, $un7zresult">>"$LOG_PATH"
    wait
    echo "["$(date)"]un7z all finished">>"$LOG_PATH"
    if [[ $ret != 0 ]] ; then
        rm -rf "$InstallPath"
        return 3
    fi

    mv "$InstallPath/Frameworks/"* "$InstallPath/zoom.us.app/Contents/Frameworks">>"$LOG_PATH"
    mv "$InstallPath/zoom.us.app" "$1" >>"$LOG_PATH"
    if [[ $? != 0 ]] ; then
        rm -rf "$InstallPath"
        return 1
    fi

    if [[ "$APP_PATH" == "$GLOBAL_APP_PATH" ]] ; then
        chmod -R 775 "$APP_PATH"
        chown -R :admin "$APP_PATH"
    fi

    echo "["$(date)"]mv $InstallPath/zoom.us.app into $1">>"$LOG_PATH"

    rm -rf "$InstallPath"&
    return 0
}
```
replies(1): >>22709798 #
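
Added example, not part of the thread and not Zoom's code: a check for the behaviour discussed above, meant to be run on a package expanded with `pkgutil --expand` before it is installed. The pattern list, the function names and the sample script are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zoom.
# Input: a directory produced on macOS by `pkgutil --expand Some.pkg outdir`.
# The pattern list is an assumption, picked from what the excerpt above does.

# Commands that unpack or place files, i.e. install work that a pre-install
# script is doing itself instead of leaving it to the package payload.
PKG_AUDIT_PATTERNS='(^|[[:space:]/])(7z[ar]?|unzip|tar|ditto|cpio)[[:space:]]|rm -rf|mv .*\.app|chown -R|chmod -R'

# audit_preinstall DIR
# Prints file:line:text for every matching line in scripts named preinstall
# or preflight under DIR. Returns 0 = clean, 1 = findings, 2 = bad argument.
audit_preinstall() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # grep exits non-zero when nothing matches, so the status is ignored
    # and the decision is made on the captured output instead.
    hits=$(find "$dir" -type f \( -name preinstall -o -name preflight \) \
        -exec grep -nHE "$PKG_AUDIT_PATTERNS" {} + ) || true
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# make_sample DIR
# Writes a constructed Scripts/preinstall: four install-type lines modelled
# on the excerpt above, plus two harmless lines that must not be flagged.
make_sample() {
    mkdir -p "$1/Scripts"
    cat > "$1/Scripts/preinstall" <<'EOF'
#!/bin/bash
echo "starting" >>"$LOG_PATH"
./7zr x -mmt ./zm.7z -o"$InstallPath"
mv "$InstallPath/zoom.us.app" "$1"
chmod -R 775 "$APP_PATH"
rm -rf "$InstallPath"
EOF
}
```

Source the file, then call `audit_preinstall outdir`; a return status of 1 means the listed lines deserve a read before the installer is allowed to run its scripts.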
4. saagarjha ◴[] No.22709798{3}[source]
This is just horrendous.
replies(1): >>22713056 #
5. zndr ◴[] No.22713056{4}[source]
Ugly? Most definitely. Offensive? Not really.
replies(1): >>22714506 #
6. saagarjha ◴[] No.22714506{5}[source]
Among other things, it offends me that this runs in a preinstall script.