Video conferencing app Zoom has updated its macOS installer, removing the installation process it had recently been criticized for, which had been described as "shady".
Zoom has been under intense scrutiny for its shady installation process, which used workarounds similar to those often employed by macOS malware.
The Zoom app could be installed on a Mac without the user's final consent, as discovered by software engineer Felix Seele.
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M
— Felix (@c1truz_) March 30, 2020
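The tweet above describes work done by a .pkg preinstall script, which Installer.app runs before the user reaches the final "Install" click. As an added example (not code from the article, from Seele, or from Zoom), the following POSIX shell script expands a flat .pkg and reports any pre/postinstall scripts so they can be read before the package is run. It assumes macOS's `pkgutil` for the expand step; the audit step only needs a directory tree in the standard expanded-package layout (`<component>.pkg/Scripts/<phase>`).

```shell
#!/bin/sh
# Added example: audit a macOS .pkg for installer scripts before running it.
# Assumption: pkgutil (macOS) is available for expand_pkg; audit_expanded_pkg
# works on any directory in the expanded-package layout.

# expand_pkg PKG DIR: unpack a flat .pkg into DIR. pkgutil --expand extracts
# each nested component package, including its Scripts directory.
expand_pkg() {
    pkgutil --expand "$1" "$2"
}

# audit_expanded_pkg DIR: print "<phase>: <path>" for every installer script
# found under DIR. Returns 0 when none exist, 1 when at least one was found,
# so callers can gate on the result.
audit_expanded_pkg() {
    scripts=$(find "$1" -type f -path '*/Scripts/*' \
        \( -name preinstall -o -name preflight \
           -o -name postinstall -o -name postflight \) | sort)
    [ -n "$scripts" ] || return 0
    printf '%s\n' "$scripts" | while IFS= read -r path; do
        printf '%s: %s\n' "$(basename "$path")" "$path"
    done
    return 1
}

# review_pkg PKG: expand PKG into a temp dir and summarise what was found.
# Exit status: 0 no scripts, 1 scripts present, 2 could not expand.
review_pkg() {
    work=$(mktemp -d) || return 2
    expand_pkg "$1" "$work" || { printf 'expand failed: %s\n' "$1" >&2; return 2; }
    if audit_expanded_pkg "$work"; then
        printf 'no installer scripts: %s\n' "$1"
    else
        printf 'installer scripts present; read them under %s before installing %s\n' "$work" "$1"
        return 1
    fi
}

# Usage: ./pkg_audit.sh SomeInstaller.pkg
if [ "$#" -eq 1 ]; then
    review_pkg "$1"
fi
```

A package that installs nothing until the user confirms should report no scripts; one that does its work in a preinstall script will show up as `preinstall: .../Scripts/preinstall`, which is the file to read.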
Zoom's CEO responded that the installer was meant to simplify the process, since without those shortcuts many new users might not be able to join a meeting quickly. The company noted that since the outbreak of the COVID-19 pandemic, it has ballooned from 10 million daily users to over 200 million daily users.
Despite the company's reasoning, public backlash was intense. On Thursday, Zoom issued a new update, replacing the "shady" installer with a more traditional one.
"They completely removed the preinstall stuff, so you now need to click through the installer as it ought to be," explains Seele in a message to The Verge. The fake prompt has also been removed so users have to specifically click through and install Zoom. "I must say that I am impressed," says Seele. "I expected them to maybe change the dialog, but since the 'zero-click' aspect was so important to them, I thought they would stick with the preinstall-trick."
The company has said it will undergo a 90-day feature and development freeze to work on security issues and fix existing problems.
The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without their permission. Zoom notified Facebook when the iOS app was opened, what device a user was using, what carrier they're on, and what city and time zone they're connecting from. The data included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.
Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.
Shortly after, security experts found that Zoom could install itself on Macs by working around Apple's security features. At the same time, it emerged that the company had claimed the service offered end-to-end encryption when it did not.
On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" its camera and microphone permissions, allowing them to hijack both without the user's knowledge.
In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.
16 Comments
This is a pivotal moment for Zoom to get it right, so glad that they are taking the high road. I hold any developer accountable that doesn't follow Mac standards. Adobe is one of the biggest violators of this, still to this day!
Given its history, I don't believe a word Zoom says. They clearly are in the business of slurping and monetising client data. They always come with fixes for the stuff they got caught out on, but what other crap is left lurking below their surface?
And governments (UK) in particular are using this software for conferencing. Scary. A surefire way to easily listen in.
Good for Zoom for moving to fix things. Now Apple needs to fix the hole that allowed the install in the first place.
I have zoom installed on my computer because it's required for work and I was a bit confused at how it installed without any permissions. Now I know why.
Too little, too late. The company sounds like a bunch of unprofessional hacks.