Source: @c1truz
What you need to know
- A malware expert has revealed that video-conferencing app Zoom has "very shady" installation protocols.
- Zoom uses preinstallation scripts to bypass macOS security.
- The finder notes that it's the same trick being used by macOS malware.
In another damning indictment on Zoom's privacy and security practices, a malware expert has revealed that Zoom's macOS installation protocol is "very shady".
In a tweet posted March 30, Twitter user @c1truz_ stated:
Ever wondered how the @zoom_us macOS installer does it's job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).
This is not strictly malicious but very shady and definitely leaves a bitter aftertaste. The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware.
The revelation is another mark of Zoom's apparently lax privacy and security practices. The app has risen to prominence following global lockdown and social-distancing measures that have forced many organizations to resort to remote working. Last week it emerged that Zoom was sending data to Facebook even if users didn't have a Facebook account, a problem that has now been fixed.
More recently, it emerged that Zoom calls are not end-to-end encrypted despite claims to the contrary. From that report:
In several instances within Zoom's security white paper, it mentions E2E encryption, and when you enable E2E, you can hover over the green padlock in the top left corner of a meeting and see the popup "Zoom is using an end to end encrypted connection." However, The Intercept claims that when it reached out to Zoom for comment a spokesperson stated:
"Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection."
Apple is no longer signing iOS 14.7 — it's iOS 14.7.1 or nothing now
Apple has stopped signing iOS 14.7 which means people can no longer install it on iPhones. That means that the only version of iOS that can be installed as of right now is the iOS 14.7.1 update that was released last week.
Apple Watch Series 7 pops up in regulatory filings as expected launch nears
As we get closer to an expected announcement, Apple Watch Series 7 appears to have popped up in the Eurasian Economic Commission (EEC) database. While the database doesn't explicitly list the devices as new Apple Watches, that's very likely to be what they are.
Will we ever get a shared family iCloud Photo Library?
Even after WWDC 2021, iCloud Photo Library still lacks a fully-fledged shared family photo library and it's long overdue at this point.
Workout and track all your metrics with the best Fitbit for men
Whether you're tracking weightlifting, cycling, running, or other forms of exercise, these are the best Fitbits for men.