Tell HN: Zoom runs application from Time Machine backup when uninstalled on Mac

I noticed something really peculiar this morning when I was invited to a Zoom meeting. I had uninstalled Zoom the night before but when I clicked the Join Meeting link, I was still prompted by the browser to open the zoom.us application. I went ahead and clicked OK to open it and I got the OSX popup: "You're opening the application "zoom.us" for the first time. Are you sure you want to open this application?" (https://imgur.com/nsOV3d5)

I checked my Applications folder and didn't see Zoom there so I clicked the "Show Application" button in the popup and it ended up opening the Applications folder from one of my Time Machine backups with Zoom installed.

I tested this with both Firefox and Chrome with the same results. Now I don't know if this is an OSX specific issue, a browser issue, or a Zoom issue.

Can anyone else confirm the same or similar behavior on Mac? If anyone can also shed some insight about this behavior, it would be much appreciated.

368 points | by vicken 1477 days ago

14 comments

  • saagarjha 1476 days ago
    This sounds like it might be a bug/misconfiguration in Launch Services, which deals with things like application registration and URL scheme handling. Since I would expect your browser to do something like call to the system to open the URL (LSOpenURLsWithRole, et al.) I don't think this is a problem with Zoom.
    • 1over137 1476 days ago
      In which case the following may help:

      Dump LS database: /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump > ~/lsdump.txt

      Purge LS database: /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill -r -domain local -domain system -domain user

  • wool_gather 1476 days ago
    It's doubtful that this is Zoom doing anything in particular.

    Rather it's likely the OS doing the best it can to handle the URL for you. The OS has a mapping between the URL and the bundle identifier of the app, and apparently looked for the bundle on a disk that happened to be attached, after it didn't find it on your main disk. Which is perfectly reasonable in itself.

    • mulmen 1476 days ago
      This is unexpected to me. If I remove an application I do not expect it to run. If the OS is willing to reach into the Time Machine backups will it also modify them? What if I delete an app, run it then install an update? Will it install to the backup? That would be very unexpected.

      Looking at multiple application directories is one thing but executing things from the backup directory is another.

      • szhu 1476 days ago
        I checked before, and if I recall correctly, Time Machine backups are protected at the kernel level -- you cannot modify them, even with sudo. You can delete the whole backup, but you cannot modify part of it.

        > but executing things from the backup directory is another.

        Time Machine backups are structured in a very non-proprietary way. Each backup is just a folder, protected from modifications, with hard links used to save space. If anything, I'd say good on Apple for supporting a backup format that works exactly like making a copy of a folder.

        • mulmen 1476 days ago
          Sure nothing wrong with the format of the backups, that makes total sense. What doesn't make sense is executing things in those directories.
        • macshome 1476 days ago
          You can also delete items from your backup. So like if you wanted to delete Zoom from Time Machine just select it in a backup and then select the option to remove it from all your backups from the Action menu or a right-click.
          • mulmen 1474 days ago
            Ok but why would I do that? The whole idea of a backup is that I can... go back.

            Do other apps launch from backups like this? It’s very strange.

            My expectation is that if I want to go back to a backup I have to restore that backup first then run the application. Executing from a backup is surprising and frankly difficult to reason about. What version is even running? How would I know?

    • tvon 1476 days ago
      I've cloned drives with SuperDuper and had an uninstalled app launch from the clone. So, toss that anecdote on the pile.
  • floatingatoll 1476 days ago
    Open a bug with Apple about this. They fixed an issue I reported a few years back about being able to launch applications in the Trash. They will likely want to add the same restriction to Time Machine Backups as well.
    • rbanffy 1476 days ago
      What if you need to run an old version of the application?
      • greglindahl 1476 days ago
        An informative popup beats running a deleted app any day of the week.
      • floatingatoll 1476 days ago
        The bug is in the "find an application and launch it" code, which is distinct from the "user located this application within Time Machine and tried to open it" code. Apple will either make the distinction so that you can manually open an application from a Time Machine backup, or simply prohibit launching applications in both scenarios and require you to restore it to your user partition to do so.
      • Angostura 1476 days ago
        Then you would go into your Time Machine backup and restore the version you want to /Applications
      • ComputerGuru 1476 days ago
        Copy it out.
      • mike_d 1476 days ago
        Find it in Time Machine and click the restore button.
  • ben509 1476 days ago
    It'll do that with any application on the Mac, this is not peculiar to Zoom. The Time Machine backup is, as far as the Finder is concerned, just another volume. It'll prefer applications on the root volume, but it'll launch them from other volumes as well.
    • ddrt 1476 days ago
      So as long as the victim has time machine enabled and had an attack tool on their computer within the TM timeframe… the attacker could at any time re-initiate that tool from the grave? That's a huge security logic hole…
  • mikekij 1476 days ago
    I wasn't aware that any non-OS service even had access to data and applications saved in Time Machine. This might be worthy of a bug bounty report to Apple.
    • saagarjha 1476 days ago

        $ ls /Volumes/YourTimeMachineBackup/Backups.backupdb/YourComputerName
    • chrisseaton 1476 days ago
      But Time Machine is just a file system volume, mounted like any other? It has some unusual hard links in it, but it's just a regular file system mount.
    • aasasd 1476 days ago
      There's at least one app for figuring out why every hourly backup takes half a gigabyte. It might require root privileges, but I doubt that.
      • saagarjha 1476 days ago
        Wait, is that not normal?
        • Yetanfou 1476 days ago
          Hourly backups with rsnapshot - which serves more or less the same task but does it without a fancy UI - take no more than the size of the changed files plus some space for file system metadata. If Time Machine takes half a GB on a quiescent file system I'd say something is amiss...
        • yjftsjthsd-h 1476 days ago
          ... unless you are writing a half-gig every hour, why would that be remotely expected?
          • saagarjha 1476 days ago
            I would think that it's touching a bunch of log files slightly or something…
            • aasasd 1476 days ago
              My guess so far is something like Firefox's history database.
              • Yetanfou 1476 days ago
                If that is half a GB Firefox would be crawling. Here it is around 60MB on a well-used machine with an ancient FF profile.
  • pvg 1476 days ago
    On a current version of OS X you should be getting something that looks like this on attempts to launch an app from a backup:

    https://i.imgur.com/eHlkGt0.png

  • netsharc 1476 days ago
    It sounds like a (Mac OS|OSX) issue, because why is it looking for URL handlers in its backups?

    You could test it with Slack, they also use the same way ("tell the browser to load a URL") to load their app from the browser.

  • aasasd 1476 days ago
    Sort of sidetracking, but: afaik applications open from a browser via a custom protocol in a link, and for that the application has to be already installed—unless MacOS offers to search the app store (if it does, not sure). So, this suggests to me that either MacOS leaves protocol associations in place after uninstalling an app, and has the machinery to resurrect such an app from the backups, or Zoom leaves around a protocol-handling app after an uninstall.
    • kalleboo 1476 days ago
      As with file types, the URL protocols an app can handle are configured in the app's Info.plist. An app doesn't have to be "installed" in any special way, the app just has to be somewhere on a disk mounted where the OS can see it in order for the OS to find it.

      In OP's case, Zoom.app was still hanging out in his backup, ready to be launched (Time Machine backups are just a standard disk image)
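
An added illustration, not part of the thread or any commenter's code: an audit sketch of the lookup described in the comment above, reading each bundle's Info.plist for `CFBundleURLTypes` / `CFBundleURLSchemes` and flagging bundles that claim a scheme from a backup or Trash path. The scheme names, bundle names and directory layout are constructed sample data, and `SUSPECT_MARKERS` is an assumed list.

```python
import plistlib
import tempfile
from pathlib import Path

# Path components that mark a bundle as a backup or trashed copy (assumed list;
# Backups.backupdb is the Time Machine folder name quoted in the thread).
SUSPECT_MARKERS = ("Backups.backupdb", ".Trash")

def declared_schemes(app: Path) -> set:
    """Return the lower-cased URL schemes an .app bundle declares in Info.plist."""
    try:
        with (app / "Contents" / "Info.plist").open("rb") as fh:
            url_types = plistlib.load(fh).get("CFBundleURLTypes", [])
        return {s.lower() for t in url_types for s in t.get("CFBundleURLSchemes", [])}
    except Exception:  # missing, unreadable or malformed plist: nothing declared
        return set()

def find_handlers(roots, scheme):
    """List (bundle path, is_suspect) for every bundle under roots claiming scheme."""
    hits = []
    for root in roots:
        for app in sorted(Path(root).rglob("*.app")):
            if scheme.lower() in declared_schemes(app):
                suspect = any(marker in app.parts for marker in SUSPECT_MARKERS)
                hits.append((str(app), suspect))
    return hits

def make_app(path: Path, schemes):
    """Write a minimal constructed .app bundle that declares the given schemes."""
    (path / "Contents").mkdir(parents=True)
    info = {"CFBundleIdentifier": "com.example." + path.stem,
            "CFBundleURLTypes": [{"CFBundleURLSchemes": list(schemes)}]}
    with (path / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump(info, fh)

def demo():
    """Constructed layout: one live app, one app that exists only in a backup."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        backup = base / "Volumes" / "TM" / "Backups.backupdb" / "Mac" / "Latest"
        make_app(base / "Applications" / "Notes.app", ["examplenotes"])
        make_app(backup / "Applications" / "Meet.app", ["examplemeet"])
        return [(Path(p).name, s) for scheme in ("examplenotes", "examplemeet")
                for p, s in find_handlers([base], scheme)]

if __name__ == "__main__":
    print(demo())
```

On a Mac, passing `/Applications` and `/Volumes` as roots shows which mounted copies could answer a given scheme.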

    • saagarjha 1476 days ago
      It might be possible that the uninstaller does something strange to "uninstall" the app and leaves macOS confused.
  • thr0w__4w4y 1475 days ago
    I wish I could remember / find it right now, maybe it was my Witopia VPN? Need to check...

    Anyway, I've had at least one application that said to remove it, first delete it, AND THEN EMPTY THE TRASH (?!?!) and maybe even reboot. Most of us are probably more troubled by the trash-empty thing than the reboot thing.

    EDIT: OK Alzheimer's hasn't gotten me yet. It was Witopia / personalVPN:

    https://www.personalvpn.com/support/set-vpn-mac/app-setup-fo...

    Just search the page for the word "empty". It reads:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    2. If you already had the WiTopia personalVPN app installed previously: Go to your FINDER > Applications folder > Drag the WiTopia app from there to the trash > and empty the trash* to remove the existing app.

    * If the trash is not emptied, this will not work!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • taurath 1476 days ago
    I guess in some sense it is the price one pays for "it just works". The main problem I have is this seems like going to very far extremes in order to run the app no matter what and the tradeoffs were never discussed or put in front of people, which I find to be pretty unethical. Sort of like the privacy debate - the tradeoffs of everyone sharing their personal data were never really up for debate.
    • nexuist 1476 days ago
      This is a bit of a charitable explanation. How can any project manager say, with a straight face, "we need to make sure the application is still available, even if the user deletes it." How can you accidentally delete an application? It is not like you press a button by accident and it is suddenly gone. Deleting an application requires the user to express intent and go through a process (go to the Applications folder, find the app, delete it, remove from trash).

      There is malware that is easier to get rid of than Zoom.

      • Izkata 1476 days ago
        > How can any project manager say, with a straight face, "we need to make sure the application is still available, even if the user deletes it."

        Someone absolutely did, though. Remember last summer when it came out that uninstalling Zoom would leave a local webserver running that would automatically reinstall it if you accessed a Zoom link?

        https://www.macworld.com/article/3407764/zoom-mac-app-flaw-c...

      • geofft 1476 days ago
        This seems like a macOS bug, not a Zoom bug, right?
      • taurath 1476 days ago
        It’s what happens when you optimize for one thing only. Just like “engagement at all costs” that the entire internet ad economy is based around.
    • vicken 1476 days ago
      If this is intentional, I'm just curious how it works. I feel like this could lead to a vulnerability or exploit.
  • robterrell 1475 days ago
    If your time machine backup volume was mounted, I would expect this behavior. Back in the old days, when storage was at a premium, you could have applications stored on a network volume, so they would be shared by everyone on the LAN. The OS would launch an application that matched the requested file type from any mounted volume.

    If it wasn't mounted, I would file a bug.

    Either way, not really Zoom's fault.

  • s09dfhks 1476 days ago
    another plug for the zoom redirect plugin https://github.com/arkadiyt/zoom-redirector
    • ComputerGuru 1476 days ago
      Except it appears Zoom has disabled their web client for now?
      • doc_gunthrop 1476 days ago
        How up-to-date is this? I was able to join a zoom videoconference yesterday evening from the web browser.

        And while on the topic of the web client, it turned out to be a very disappointing experience. There was no way to set focus on a given attendee; I wanted to view the host's video feed but the website kept switching feeds, seemingly haphazardly, to different attendees.

        • ComputerGuru 1476 days ago
          • toohotatopic 1476 days ago
            My guess is that people stop using their native clients due to the security problems and now their webrtc servers are beyond capacity.

            Could it be that they are limited by the number of servers that are available to them? A webrtc bridge shouldn't have a bottleneck and should perfectly scale. Who is their cloud provider?

      • mulmen 1476 days ago
        That's too bad because it is the only way I am willing to use Zoom.
  • vernie 1476 days ago
    Tell HN: Come to think of it the name "Zoom" bugs me.