796 points _Microft | 43 comments
1. lultimouomo ◴[] No.22736730[source]
I think this also shows how macOS has been training users to enter their password in random dialogs that have absolutely nothing that identifies them as being legit OS dialogs. The dialog that Zoom uses could very well be sending the credentials to a remote server, and the user would be none the wiser.
replies(2): >>22736941 #>>22742904 #
2. Wowfunhappy ◴[] No.22736941[source]
Note that in this case, it's still a legit OS dialog. Preflight scripts are very much built into the macOS pkg format, they're just not intended to be used like this.
replies(4): >>22737018 #>>22737061 #>>22738118 #>>22741908 #
3. tantalor ◴[] No.22737018[source]
It doesn't look legit, it looks like the installer script is faking a system dialog in this screenshot:

https://twitter.com/c1truz_/status/1244737675191619584/photo...

This message is a lie; it is not coming from the system but from the installer script.

Just because the OS is used to show the dialog doesn't mean it should be trusted. As another commenter noted, this could be used to steal passwords; that is effectively what it does.

replies(2): >>22737159 #>>22737550 #
4. danieldk ◴[] No.22737061[source]
I never understood why Apple still supports the pkg format. It seems a half-baked leftover from the 2000s and even then I was already surprised that there is no way to uninstall things through the macOS GUI. I am not sure if this has changed (I try to avoid pkg files and use Homebrew cask to uninstall such packages), but IIRC you had to list the files with pkgutil on the command-line, remove stuff by hand and then --forget the package.

They should just kill the format. Everything should just be drag to install, drag to trash to remove.

replies(5): >>22737190 #>>22737837 #>>22737980 #>>22747295 #>>22747843 #
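Comment 2 notes that preflight scripts are part of the pkg format, and comment 4 mentions inspecting packages with pkgutil. As an added example that is not from the thread, and not Apple's or Zoom's code, here is a small POSIX shell check a reviewer can run over a package that has already been expanded with pkgutil (that expansion step is assumed and macOS-only; it is not run here). It lists the installer scripts and flags the lines that request elevated privileges. The script names it looks for and the list of privilege-related patterns are assumptions about what is worth reading before typing a password, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple/Zoom: a reviewer's
# check for the installer scripts inside a macOS .pkg.
# Assumed preparation on a Mac (NOT run here; pkgutil is macOS-only):
#   pkgutil --expand-full SomeInstaller.pkg /tmp/expanded
# Installer.app runs preinstall/postinstall (current names) and
# preflight/postflight (legacy names) from each component's Scripts
# directory, so those are the files worth reading before entering a password.

# Lines that request elevation: the AppleScript "with administrator
# privileges" phrase, Authorization Services calls, sudo, and edits to the
# authorization database. Constructed list; extend as needed.
PRIV_PATTERNS='with administrator privileges|AuthorizationExecuteWithPrivileges|AuthorizationCopyRights|(^|[^[:alnum:]_])sudo |security authorizationdb'

# scan_pkg_scripts DIR: print every installer script under DIR, prefix the
# privilege-related lines with "PRIVILEGE:", and end with a summary line.
scan_pkg_scripts() {
    dir=$1
    hits=0
    old_ifs=$IFS
    IFS='
'   # split the find output on newlines only, so paths with spaces survive
    for script in $(find "$dir" -type f \( -name preinstall -o -name postinstall \
                         -o -name preflight -o -name postflight \) | sort); do
        echo "script: $script"
        # grep exits 1 when nothing matches; "|| true" keeps set -e from aborting
        matches=$(grep -En "$PRIV_PATTERNS" "$script" || true)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" | sed 's/^/  PRIVILEGE: /'
            hits=$((hits + 1))
        fi
    done
    IFS=$old_ifs
    echo "scripts requesting privileges: $hits"
}

# Stand-alone use: sh scan_pkg.sh /tmp/expanded
if [ $# -gt 0 ]; then
    scan_pkg_scripts "$1"
fi
```

The output is a reading aid, not a verdict: a script that only copies files into /Applications still needs to be read, and a script with no hits can still do plenty as the installing user. The point is to know what will run before the password prompt appears.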
5. rainforest ◴[] No.22737159{3}[source]
To their credit, they seem to be using AuthorizationExecuteWithPrivileges which doesn't get the user's password, but executes a command as root, which is marginally better than stealing the password like Dropbox did.
replies(1): >>22737179 #
6. tantalor ◴[] No.22737179{4}[source]
How hard do you think it is to steal a password once you have root?
replies(2): >>22737310 #>>22740559 #
7. javagram ◴[] No.22737190{3}[source]
In my experience I’ve seen even technical users (who were used to Windows) struggle with the idea of dragging an .app from an open disk image to the Applications folder. They would end up running the app from the disk image and then getting confused when it disappears after restart.
replies(2): >>22737624 #>>22737658 #
8. swiley ◴[] No.22737310{5}[source]
It would take an extra step, you have access to the hash and maybe shared memory/SOs but you’d need a second trick to actually steal it.
9. Wowfunhappy ◴[] No.22737550{3}[source]
The script asks for root which subsequently pops up an OS password prompt. Zoom never sees your password.

How is this different from the way e.g. Virtualbox gets root?

replies(2): >>22738134 #>>22738303 #
10. Wowfunhappy ◴[] No.22737624{4}[source]
This system worked so much better when the Applications folder was placed in the Dock by default, and everyone used that folder to launch applications (which weren't common enough to keep in the Dock directly).

It was actually a really beautiful synergy—you install applications by copying them to a folder, and launch them from that folder. Same way you'd acquire and open files. Lovely.

Then Apple ruined it in Lion with Launchpad. Their app install flow for anything outside of the app store doesn't make any sense.

replies(1): >>22744136 #
11. AnIdiotOnTheNet ◴[] No.22737658{4}[source]
One wonders why Apple didn't just treat DMGs like Application Folders in the first place. If they had an icon and you could run them directly then there wouldn't be any confusion. AppImage works like that and I think it was a wise decision.
replies(1): >>22737872 #
12. drampelt ◴[] No.22737837{3}[source]
> Everything should just be drag to install, drag to trash to remove.

I wish it were that easy; most apps leave files in other places on your computer like ~/Library that will never get cleaned up if you just move the app to trash.

replies(1): >>22738101 #
13. Wowfunhappy ◴[] No.22737872{5}[source]
Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.

The DMGs are a clever way to (A) make sure the app gets to the proper location while simultaneously (B) teaching the user about what's actually happening on their computer. As I said in a sibling comment, this all made much more sense when users also launched apps from the Applications folder directly.

replies(2): >>22738217 #>>22766252 #
14. samcat116 ◴[] No.22737980{3}[source]
One thing to note here: people who administer macOS for organizations basically convert everything to .pkgs (or DMGs). It's the only easy way to silently install applications and perform post-install actions like licensing or activation steps.
15. Wowfunhappy ◴[] No.22738101{4}[source]
As much as this bothers me because of who I am, I don't think it's a real problem. Those files shouldn't take up significant space unless the developer is doing something stupid.

It might be nice if macOS had some sort of automatic cleanup routine when an app is trashed, but that would either require showing the user an extra dialog (a la AppCleaner's) or introducing an opaque system which could potentially lead to data loss.

replies(1): >>22738249 #
16. lonelappde ◴[] No.22738118[source]
Incorrect. Look at the second tweet in the thread. It's a phishing popup that misidentifies itself in order to steal privileges intended for System, not Zoom.

https://mobile.twitter.com/c1truz_/status/124473767519161958...

replies(1): >>22738224 #
17. lonelappde ◴[] No.22738134{4}[source]
Because it lies about its identity, calling itself "System" not Zoom.

This is also a macOS vuln that lets apps lie about their identity in sudo prompts, much like a browser showing an https site with no certificate checking.

replies(1): >>22738200 #
18. Wowfunhappy ◴[] No.22738200{5}[source]
macOS allows apps to write arbitrary lines of text above password prompts, which is what Zoom is doing. I don't see how that's different from a shell script echo'ing something before a sudo prompt.

How would you design this system?

replies(1): >>22740596 #
19. danieldk ◴[] No.22738217{6}[source]
> Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.

Some applications offer to move themselves to the /Applications folder when started the first time outside /Applications or ~/Applications. Though in general, it would be better if Apple made it more attractive to publish in the App Store, since it brings other advantages (e.g. mandatory sandboxing).

replies(2): >>22738918 #>>22745753 #
20. Wowfunhappy ◴[] No.22738224{3}[source]
That's still an OS prompt, they just put their own message at the top, as you're allowed to do.
replies(1): >>22741551 #
21. danieldk ◴[] No.22738249{5}[source]
Indeed, data outside the application folder usually consists of a preferences plist and saved application state. Of course, there could be caches as well, which could take up a fair amount of disk space.

But I think the primary argument in favor of what macOS does now on drag-to-trash is that the user's preferences are preserved for when they install an application again.

22. auiya ◴[] No.22738303{4}[source]
It's not making the proper privilege escalation call, it's faking the box entirely. There's even a typo in the dialog box.
replies(2): >>22738340 #>>22742584 #
23. Wowfunhappy ◴[] No.22738340{5}[source]
...are you sure? I'm pretty sure that code just pops up the system box to get privileges, with a custom message at the top.

I'm running Mavericks—the last version of macOS before they made the UI flat—and the prompt didn't look out of place. If Zoom is indeed faking the box, they actually went through the trouble to make a separate version for Mavericks with Mavericks-style visuals.

24. Wowfunhappy ◴[] No.22738918{7}[source]
Yeah, and that's a fine solution given the situation Apple has left us in. But it's also kind of a hack, which shouldn't have become necessary.

Also, personally, I sometimes purposefully put apps in places other than /Applications—for example, I like to keep games in their own Games folder. And then the dialogs are kind of annoying.

25. jedieaston ◴[] No.22740559{5}[source]
It should be impossible with SIP enabled, as in OS X 10.14 Apple protected the files in /var/db/dslocal where the user shadow files are stored so that root could not read them (unless triggered by an Apple signed executable, like Software Update). If you are running with SIP disabled you've taken the risk of it happening, and if you are on a corporate laptop (or 99% of personal machines) it is engaged.

https://apple.stackexchange.com/questions/344117/mac-10-13-1...

replies(1): >>22741172 #
26. jedieaston ◴[] No.22740596{6}[source]
Don't allow the application to do any of it, and when the app asks for access, have the system instead say "{processName}.app is requesting {permissionFlavorText}. Enter a name and password to continue."
27. tantalor ◴[] No.22741172{6}[source]
Think a little harder. With root, you can install a keylogger.
replies(1): >>22742525 #
28. joshuaissac ◴[] No.22741551{4}[source]
Yes, they are allowed to put a fake message (identifying the requester as System instead of Zoom), but that does not make it OK.
29. thaumasiotes ◴[] No.22741908[source]
> Note that in this case, it's still a legit OS dialog.

No it isn't. The dialog prompt is "System need your privilege to change." That's not passing QA anywhere -- it's just a custom message someone put into Zoom without bothering to proofread.

30. saagarjha ◴[] No.22742525{7}[source]
You'd still need to bypass TCC.
31. saagarjha ◴[] No.22742584{5}[source]
No, they're using the (deprecated) Authorization Services API from the (renamed) BLAuthentication.
32. Aachen ◴[] No.22742904[source]
One could say the same for gksudo, UAC prompts, or the equivalent dialog on your favorite operating system, no? Or is there something on other OSes that identifies it?
replies(2): >>22743357 #>>22746458 #
33. sudosysgen ◴[] No.22743357[source]
gksudo and UAC don't let the process lie about what it is.
34. Smoosh ◴[] No.22744136{5}[source]
In even earlier days, applications didn't need to be installed at all. You just ran them from wherever they were. Of course, it made sense to store them somewhere together, and you could cause yourself problems if you put applications onto disks you then ejected. But the current system is clearly influenced by the UNIX underpinnings, and I'm not sure that the average user fully "gets it".

Though preferences files were a bit of a mess.

I vaguely remember in early Macintosh System versions you would be prompted to insert the disk (with the correct disk name in the message) if you tried to open a file belonging to an application which was on an ejected disk.

replies(1): >>22745817 #
35. kelnos ◴[] No.22745753{7}[source]
Hell, why doesn't Finder do this? If you try to run a .app from a .dmg, it should pop up a dialog asking you if you want Finder to move it to /Applications for you and run it from there.
replies(1): >>22746098 #
36. int_19h ◴[] No.22745817{6}[source]
You can still run them from wherever they are. The problem is that users do that once, exit, and then later forget where the app was.
replies(1): >>22746119 #
37. danieldk ◴[] No.22746098{8}[source]
I agree, that would be awesome!
38. saagarjha ◴[] No.22746119{7}[source]
There are issues when running from the downloads folder (translocation).
39. lultimouomo ◴[] No.22746458[source]
I don't think UAC is spoofable - if I remember well it minimizes all the other windows and hides the taskbar, which you shouldn't be able to do with a regular dialog.

gksudo is definitely spoofable, except I almost never get a gksudo dialog. I am not trained to expect every other app to periodically ask me for my password.

replies(1): >>22753963 #
40. fouc ◴[] No.22747295{3}[source]
pkg is there explicitly to let companies install sketchy shit. Any application that relies on pkg to be installed is fundamentally risky.
41. latexr ◴[] No.22747843{3}[source]
If the pkg format was no longer supported, developers might use GUI installers instead, and those are harder to verify and install/uninstall programmatically.
42. Aachen ◴[] No.22753963{3}[source]
Any application can draw over the task bar as far as I know? Seems weird if games needed root permissions just to be full screen.
43. ksec ◴[] No.22766252{6}[source]
I thought some of these interactions came from a design where Apple wanted the Mac to be more of an appliance. I think the goal / target market has changed. The super easy to use computer is now the iPad.

Mac is now for prosumers and professionals, and its UX should be treated as such.