Safari asks you if you want to open an app that owns a URL scheme to prevent webpages from automatically triggering behavior you might not want.
Zoom decided they know better than the Safari team and decided to install this local webserver specifically to bypass the operating system's security policies, supposedly because "it is their key differentiator" or whatever.
Basically their product managers decided they wanted it to work a certain way and demanded someone do whatever nasty hacks were necessary to make it happen.
It turns out their nasty hack doesn't set the proper CORS policy so any random webpage can force you to join a meeting.
It also turns out they don't do what mac apps are supposed to do: keep this crap inside the app bundle so dragging the app to the trash effectively uninstalls everything. Instead they install to ~/.zoomus, don't document that fact, and if you hit a zoom link after "uninstalling" they automatically reinstall themselves.
Oh and they let the registration for one of their domains expire and nearly lost control of it, which would make this a RCE because their client doesn't do anything to validate their update packages as far as anyone can tell.
you forgot one more thing: they don't distribute their crap as a regular self-contained .app, they give you a .pkg which asks for elevated privileges during installation (this is why I don't have it installed)
It's not to hard to extract the app bundle from the .pkg file. This is how I've always installed it. Do this from an empty directory, though, since it will just spray files everywhere...
* Use `xar` to extract the contents of the .pkg file:
$ xar -xf Zoom.pkg
* Use `cpio` to extract the payload, which is in a file oddly named "Scripts":
* The app bundle is compressed within a 7z archive, but the .pkg file contains a precompiled decompressor. Either use that or install your own (e.g. via Homebrew) to extract the app bundle:
$ 7zr x zm.7z
Now you will have a directory called "zoom.us.app", which is the app bundle. Move this to wherever you want it to live, and now you've "installed" the app without running the scripts from the .pkg.
Importantly, note that the app will still exhibit the behavior discussed in the article. When you run it the first time, it will install ZoomOpener, which is the helper app that includes the web server. It will not install any browser extensions, however, which is the behavior I was originally trying to avoid by going through this procedure.
Those little tricks to make things easier is why it's popular and why they're currently valued at $25,000,000,000 (though that should go down quite a bit tomorrow, still just an insane number for a company with $8m in annual profits).
Safari asks you if you want to open an app that owns a URL scheme to prevent webpages from automatically triggering behavior you might not want.
Zoom decided they know better than the Safari team and decided to install this local webserver specifically to bypass the operating system's security policies, supposedly because "it is their key differentiator" or whatever.
Basically their product managers decided they wanted it to work a certain way and demanded someone do whatever nasty hacks were necessary to make it happen.
It turns out their nasty hack doesn't set the proper CORS policy so any random webpage can force you to join a meeting.
It also turns out they don't do what mac apps are supposed to do: keep this crap inside the app bundle so dragging the app to the trash effectively uninstalls everything. Instead they install to ~/.zoomus, don't document that fact, and if you hit a zoom link after "uninstalling" they automatically reinstall themselves.
Oh and they let the registration for one of their domains expire and nearly lost control of it, which would make this a RCE because their client doesn't do anything to validate their update packages as far as anyone can tell.
I think that about covers it?
you forgot one more thing: they don't distribute their crap as a regular self-contained .app, they give you a .pkg which asks for elevated privileges during installation (this is why I don't have it installed)
It's not to hard to extract the app bundle from the .pkg file. This is how I've always installed it. Do this from an empty directory, though, since it will just spray files everywhere...
* Use `xar` to extract the contents of the .pkg file:
* Use `cpio` to extract the payload, which is in a file oddly named "Scripts":
* The app bundle is compressed within a 7z archive, but the .pkg file contains a precompiled decompressor. Either use that or install your own (e.g. via Homebrew) to extract the app bundle:
Now you will have a directory called "zoom.us.app", which is the app bundle. Move this to wherever you want it to live, and now you've "installed" the app without running the scripts from the .pkg.
Importantly, note that the app will still exhibit the behavior discussed in the article. When you run it the first time, it will install ZoomOpener, which is the helper app that includes the web server. It will not install any browser extensions, however, which is the behavior I was originally trying to avoid by going through this procedure.
1 reply →
I almost never run .pkg installers either. Maybe 1% of apps need elevated installation privileges.
Those little tricks to make things easier is why it's popular and why they're currently valued at $25,000,000,000 (though that should go down quite a bit tomorrow, still just an insane number for a company with $8m in annual profits).