Tell HN: Zoom runs application from Time Machine backup when uninstalled on Mac
368 points by vicken on April 3, 2020 | 47 comments
I noticed something really peculiar this morning when I was invited to a Zoom meeting. I had uninstalled Zoom the night before but when I clicked the Join Meeting link, I was still prompted by the browser to open the zoom.us application. I went ahead and clicked OK to open it and I got the OSX popup: "You're opening the application "zoom.us" for the first time. Are you sure you want to open this application?" (https://imgur.com/nsOV3d5)

I checked my Applications folder and didn't see Zoom there so I clicked the "Show Application" button in the popup and it ended up opening the Applications folder from one of my Time Machine backups with Zoom installed.

I tested this with both Firefox and Chrome with the same results. Now I don't know if this is an OSX specific issue, a browser issue, or a Zoom issue.

Can anyone else confirm the same or similar behavior on Mac? If anyone can also shed some insight about this behavior, it would be much appreciated.




This sounds like it might be a bug/misconfiguration in Launch Services, which deals with things like application registration and URL scheme handling. Since I would expect your browser to do something like call to the system to open the URL (LSOpenURLsWithRole, et al.) I don't think this is a problem with Zoom.


In which case the following may help:

Dump LS database: /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump > ~/lsdump.txt

Purge LS database: /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill -r -domain local -domain system -domain user


It's doubtful that this is Zoom doing anything in particular.

Rather it's likely the OS doing the best it can to handle the URL for you. The OS has a mapping between the URL and the bundle identifier of the app, and apparently looked for the bundle on a disk that happened to be attached, after it didn't find it on your main disk. Which is perfectly reasonable in itself.


This is unexpected to me. If I remove an application I do not expect it to run. If the OS is willing to reach into the Time Machine backups will it also modify them? What if I delete an app, run it then install an update? Will it install to the backup? That would be very unexpected.

Looking at multiple application directories is one thing but executing things from the backup directory is another.


I checked before, and if I recall correctly, Time Machine backups are protected at the kernel level -- you cannot modify them, even with sudo. You can delete the whole backup, but you cannot modify part of it.

> but executing things from the backup directory is another.

Time Machine backups are structured in a very non-proprietary way. Each backup is just a folder, protected from modifications, with hard links used to save space. If anything, I'd say good on Apple for supporting a backup format that works exactly like making a copy of a folder.


Sure nothing wrong with the format of the backups, that makes total sense. What doesn't make sense is executing things in those directories.


You can also delete items from your backup. So like if you wanted to delete Zoom from Time Machine just select it in a backup and then select the option to remove it from all your backups from the Action menu or a right-click.


Ok but why would I do that? The whole idea of a backup is that I can... go back.

Do other apps launch from backups like this? It’s very strange.

My expectation is that if I want to go back to a backup I have to restore that backup first then run the application. Executing from a backup is surprising and frankly difficult to reason about. What version is even running? How would I know?


I've cloned drives with SuperDuper and had an uninstalled app launch from the clone. So, toss that anecdote on the pile.


Open a bug with Apple about this. They fixed an issue I reported a few years back about being able to launch applications in the Trash. They will likely want to add the same restriction to Time Machine Backups as well.


What if you need to run an old version of the application?


An informative popup beats running a deleted app any day of the week.


The bug is in the "find an application and launch it" code, which is distinct from the "user located this application within Time Machine and tried to open it" code. Apple will either make the distinction so that you can manually open an application from a Time Machine backup, or simply prohibit launching applications in both scenarios and require you to restore it to your user partition to do so.


Then you would go into your Time Machine backup and restore the version you want to /Applications.


Copy it out.


Find it in Time Machine and click the restore button.


It'll do that with any application on the Mac, this is not peculiar to Zoom. The Time Machine backup is, as far as the Finder is concerned, just another volume. It'll prefer applications on the root volume, but it'll launch them from other volumes as well.


So as long as the victim has time machine enabled and had an attack tool on their computer within the TM timeframe… the attacker could at any time re-initiate that tool from the grave? That's a huge security logic hole…


I wasn't aware that any non-OS service even had access to data and applications saved in Time Machine. This might be worthy of a bug bounty report to Apple.


  $ ls /Volumes/YourTimeMachineBackup/Backups.backupdb/YourComputerName


But Time Machine is just a file system volume, mounted like any other? It has some unusual hard links in it, but it's just a regular file system mount.


There's at least one app for figuring out why every hourly backup takes half a gigabyte. It might require root privileges, but I doubt that.


Wait, is that not normal?


Hourly backups with rsnapshot - which serves more or less the same task but does it without a fancy UI - take no more than the size of the changed files plus some space for file system metadata. If Time Machine takes half a GB on a quiescent file system I'd say something is amiss...


... unless you are writing a half-gig every hour, why would that be remotely expected?


I would think that it's touching a bunch of log files slightly or something…


My guess so far is something like Firefox's history database.


If that is half a GB Firefox would be crawling. Here it is around 60MB on a well-used machine with an ancient FF profile.


On a current version of OS X you should be getting something that looks like this on attempts to launch an app from a backup:

https://i.imgur.com/eHlkGt0.png


It sounds like a (Mac OS|OSX) issue, because why is it looking for URL handlers in its backups?

You could test it with Slack, they also use the same way ("tell the browser to load a URL") to load their app from the browser.


Sort of sidetracking, but: afaik applications open from a browser via a custom protocol in a link, and for that the application has to be already installed—unless MacOS offers to search the app store (if it does, not sure). So, this suggests to me that either MacOS leaves protocol associations in place after uninstalling an app, and has the machinery to resurrect such an app from the backups, or Zoom leaves around a protocol-handling app after an uninstall.


As with file types, the URL protocols an app can handle are configured in the app's Info.plist. An app doesn't have to be "installed" in any special way, the app just has to be somewhere on a disk mounted where the OS can see it in order for the OS to find it.

In OP's case, Zoom.app was still hanging out in his backup, ready to be launched (Time Machine backups are just a standard disk image).
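
An added example, not part of the thread: a Python audit that walks chosen directories (for instance a mounted backup or clone volume) for .app bundles whose Info.plist declares URL schemes, and reports the ones that sit outside the locations you trust. `TRUSTED_ROOTS` and the function names are assumptions of this example; `CFBundleURLTypes`, `CFBundleURLSchemes` and `CFBundleIdentifier` are the standard Info.plist keys.

```python
import os
import plistlib
import sys
from pathlib import Path

# Assumption: the locations where URL-handling apps are expected to live.
TRUSTED_ROOTS = ("/Applications", "/System/Applications")

def read_info(app):
    """Parse Contents/Info.plist of a bundle; {} if missing or malformed."""
    try:
        with (Path(app) / "Contents" / "Info.plist").open("rb") as fh:
            info = plistlib.load(fh)
    except Exception:  # unreadable file or invalid plist
        return {}
    return info if isinstance(info, dict) else {}

def url_schemes(info):
    """Lowercased URL schemes declared under CFBundleURLTypes."""
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes += [s.lower() for s in url_type.get("CFBundleURLSchemes", [])]
    return schemes

def stray_handlers(roots, trusted=TRUSTED_ROOTS):
    """Return sorted (scheme, bundle path, bundle id) for bundles that
    declare a URL scheme but live outside every trusted root."""
    trusted = [Path(t) for t in trusted]
    hits = []
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            for name in [d for d in dirnames if d.endswith(".app")]:
                dirnames.remove(name)  # do not descend into the bundle itself
                app = Path(dirpath) / name
                if any(app.is_relative_to(t) for t in trusted):
                    continue
                info = read_info(app)
                for scheme in url_schemes(info):
                    hits.append((scheme, str(app),
                                 info.get("CFBundleIdentifier", "?")))
    return sorted(hits)

if __name__ == "__main__":
    # Usage: python3 audit_handlers.py /Volumes  (roots to scan; default /Volumes)
    for scheme, path, bid in stray_handlers(sys.argv[1:] or ["/Volumes"]):
        print(f"{scheme}://  {bid}  {path}")
```

Scanning the Applications folder of a single backup snapshot or clone is much faster than walking the whole volume.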


It might be possible that the uninstaller does something strange to "uninstall" the app and leaves macOS confused.


I wish I could remember / find it right now, maybe it was my Witopia VPN? Need to check...

Anyway, I've had at least one application that said to remove it, first delete it, AND THEN EMPTY THE TRASH (?!?!) and maybe even reboot. Most of us are probably more troubled by the trash-empty thing than the reboot thing.

EDIT: OK Alzheimer's hasn't gotten me yet. It was Witopia / personalVPN:

https://www.personalvpn.com/support/set-vpn-mac/app-setup-fo...

Just search the page for the word "empty". It reads:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. If you already had the WiTopia personalVPN app installed previously: Go to your FINDER > Applications folder > Drag the WiTopia app from there to the trash > and empty the trash* to remove the existing app.

* If the trash is not emptied, this will not work!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I guess in some sense it is the price one pays for "it just works". The main problem I have is this seems like going to very far extremes in order to run the app no matter what and the tradeoffs were never discussed or put in front of people, which I find to be pretty unethical. Sort of like the privacy debate - the tradeoffs of everyone sharing their personal data were never really up for debate.


This is a bit of a charitable explanation. How can any project manager say, with a straight face, "we need to make sure the application is still available, even if the user deletes it." How can you accidentally delete an application? It is not like you press a button by accident and it is suddenly gone. Deleting an application requires the user to express intent and go through a process (go to the Applications folder, find the app, delete it, remove from trash).

There is malware that is easier to get rid of than Zoom.


> How can any project manager say, with a straight face, "we need to make sure the application is still available, even if the user deletes it."

Someone absolutely did, though. Remember last summer when it came out that uninstalling Zoom would leave a local webserver running that would automatically reinstall it if you accessed a Zoom link?

https://www.macworld.com/article/3407764/zoom-mac-app-flaw-c...


This seems like a macOS bug, not a Zoom bug, right?


It’s what happens when you optimize for one thing only. Just like “engagement at all costs” that the entire internet ad economy is based around.


If this is intentional, I'm just curious how it works. I feel like this could lead to a vulnerability or exploit.


If your time machine backup volume was mounted, I would expect this behavior. Back in the old days, when storage was at a premium, you could have applications stored on a network volume, so they would be shared by everyone on the LAN. The OS would launch an application that matched the requested file type from any mounted volume.

If it wasn't mounted, I would file a bug.

Either way, not really Zoom's fault.


another plug for the zoom redirect plugin https://github.com/arkadiyt/zoom-redirector


Except it appears Zoom has disabled their web client for now?


How up-to-date is this? I was able to join a zoom videoconference yesterday evening from the web browser.

And while on the topic of the web client, it turned out to be a very disappointing experience. There was no way to set focus on a given attendee; I wanted to view the host's video feed but the website kept switching feeds, seemingly haphazardly, to different attendees.



My guess is that people stop using their native clients due to the security problems and now their webrtc servers are beyond capacity.

Could it be that they are limited by the number of servers that are available to them? A webrtc bridge shouldn't have a bottleneck and should perfectly scale. Who is their cloud provider?


That's too bad because it is the only way I am willing to use Zoom.



