←back to thread

How the Zoom macOS installer does its job without you clicking ‘install’

(twitter.com)
796 points _Microft | 1 comments | 31 Mar 20 11:41 UTC | HN request time: 0.209s | source
Show context
lultimouomo ◴[31 Mar 20 12:08 UTC] No.22736730[source]
I think this also shows how macOS has been training users to enter their password in random dialogs that have absolutely nothing that identifies them as being legit OS dialogs. The dialog that Zoom uses could very well be sending the credentials to a remote server, and the user would be none the wiser.
replies(2): >>22736941 #>>22742904 #
Wowfunhappy ◴[31 Mar 20 12:44 UTC] No.22736941[source]
Note that in this case, it's still a legit OS dialog. Preflight scripts are very much built into the macOS pkg format, they're just not intended to be used like this.
replies(4): >>22737018 #>>22737061 #>>22738118 #>>22741908 #
tantalor ◴[31 Mar 20 12:56 UTC] No.22737018[source]
It doesn't look legit, it looks like the installer script is faking a system dialog in this screenshot:

https://twitter.com/c1truz_/status/1244737675191619584/photo...

This message is a lie; it not coming from system but from the installer script.

Just because the OS is used to show the dialog doesn't mean it should be trusted. As other commenter noted this could be used to steal passwords; that is effectively what it does.

replies(2): >>22737159 #>>22737550 #
rainforest ◴[31 Mar 20 13:15 UTC] No.22737159[source]
To their credit, they seem to be using AuthorizationExecuteWithPrivileges which doesn't get the user's password, but executes a command as root, which is marginally better than stealing the password like Dropbox did.
replies(1): >>22737179 #
tantalor ◴[31 Mar 20 13:16 UTC] No.22737179[source]
How hard do you think it is to steal a password once you have root?
replies(2): >>22737310 #>>22740559 #
1. swiley ◴[31 Mar 20 13:30 UTC] No.22737310[source]
It would take an extra step, you have access to the hash and maybe shared memory/SOs but you’d need a second trick to actually steal it.