796 points _Microft | 1 comments
lultimouomo ◴[] No.22736730[source]
I think this also shows how macOS has been training users to enter their password in random dialogs that have absolutely nothing that identifies them as being legit OS dialogs. The dialog that Zoom uses could very well be sending the credentials to a remote server, and the user would be none the wiser.
replies(2): >>22736941 #>>22742904 #
Wowfunhappy ◴[] No.22736941[source]
Note that in this case, it's still a legit OS dialog. Preflight scripts are very much built into the macOS pkg format, they're just not intended to be used like this.
replies(4): >>22737018 #>>22737061 #>>22738118 #>>22741908 #
tantalor ◴[] No.22737018[source]
It doesn't look legit, it looks like the installer script is faking a system dialog in this screenshot:

https://twitter.com/c1truz_/status/1244737675191619584/photo...

This message is a lie; it is not coming from the system but from the installer script.

Just because the OS is used to show the dialog doesn't mean it should be trusted. As another commenter noted, this could be used to steal passwords; that is effectively what it does.

replies(2): >>22737159 #>>22737550 #
rainforest ◴[] No.22737159[source]
To their credit, they seem to be using AuthorizationExecuteWithPrivileges which doesn't get the user's password, but executes a command as root, which is marginally better than stealing the password like Dropbox did.
replies(1): >>22737179 #
tantalor ◴[] No.22737179[source]
How hard do you think it is to steal a password once you have root?
replies(2): >>22737310 #>>22740559 #
jedieaston ◴[] No.22740559[source]
It should be impossible with SIP enabled, as in OS X 10.14 Apple protected the files in /var/db/dslocal where the user shadow files are stored so that root could not read them (unless triggered by an Apple-signed executable, like Software Update). If you are running with SIP disabled you've taken the risk of it happening, and if you are on a corporate laptop (or 99% of personal machines) it is engaged.

https://apple.stackexchange.com/questions/344117/mac-10-13-1...

replies(1): >>22741172 #
tantalor ◴[] No.22741172[source]
Think a little harder. With root, you can install a keylogger.
replies(1): >>22742525 #
1. saagarjha ◴[] No.22742525[source]
You'd still need to bypass TCC.