from Hacker News

Ask HN: Why does Zoom Desktop examine all processes and arguments?

by neolog on 8/17/21, 6:38 PM with 263 comments

Looking at syscalls, I see Zoom desktop reads all processes and arguments.

    [pid 3844872] stat("/proc/1", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
    [pid 3844872] openat(AT_FDCWD, "/proc/1/stat", O_RDONLY) = 4
    [pid 3844872] openat(AT_FDCWD, "/proc/1/cmdline", O_RDONLY) = 4
    [pid 3844872] readlink("/proc/1/exe", 0x20c0520, 1024) = -1 EACCES (Permission denied)
    [pid 3844872] stat("/proc/2", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
    [pid 3844872] openat(AT_FDCWD, "/proc/2/stat", O_RDONLY) = 4
    [pid 3844872] openat(AT_FDCWD, "/proc/2/cmdline", O_RDONLY) = 4
    [pid 3844872] stat("/proc/3", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
    [pid 3844872] openat(AT_FDCWD, "/proc/3/stat", O_RDONLY) = 4
    [pid 3844872] openat(AT_FDCWD, "/proc/3/cmdline", O_RDONLY) = 4
    ...
Why would it do that? Is there any way to prevent it?
  • by reilly3000 on 8/17/21, 9:25 PM

    Zoom has a popular feature which allows for screen sharing a single application window instead of the entire desktop. I assume this is how it's discovering running applications with GUI windows open in a cross-platform manner. Perhaps there is a better API for this? It's not a common use-case that an app would need to know all of the other open windows, but it seems like a perfectly valid use case, and frankly handy for sharing a PPT without fear of an embarrassing email showing up during a meeting.
  • by dllthomas on 8/17/21, 10:45 PM

    > Why would it do that?

    We can answer part of that with just a little more reading. What's pid 3844872?

    For me, the series of queries against /proc happen from a process that, just a bit earlier, called exec. So it's not really zoom reading "all processes and arguments" but ... `pidof gnome-session`, so I guess zoom is looking for the pid of gnome-session.

    To what nefarious purpose zoom intends to put this knowledge of gnome-session's pid, I can't say - I am not running gnome-session so my trail goes cold; but at least for me, for that particular run, zoom itself doesn't actually see the contents of all of those files.
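
Added example, not part of the original thread or of any commenter's post: one way to repeat the check described in the comment above, attributing each `/proc` scan in `strace -f` output to the program that pid actually exec'd. The sample trace is constructed; its `execve` line and the function name `attribute_proc_scans` are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed `strace -f` sample. The /proc lines mirror the post; the execve
# line is an assumed illustration of the `pidof gnome-session` case.
SAMPLE = '''
[pid 3844800] openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 7
[pid 3844872] execve("/usr/bin/pidof", ["pidof", "gnome-session"], 0x55d0c8 /* 58 vars */) = 0
[pid 3844872] stat("/proc/1", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 3844872] openat(AT_FDCWD, "/proc/1/stat", O_RDONLY) = 4
[pid 3844872] openat(AT_FDCWD, "/proc/1/cmdline", O_RDONLY) = 4
[pid 3844872] readlink("/proc/1/exe", 0x20c0520, 1024) = -1 EACCES (Permission denied)
[pid 3844872] stat("/proc/2", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 3844872] openat(AT_FDCWD, "/proc/2/cmdline", O_RDONLY) = 4
'''

LINE = re.compile(r'^\[pid\s+(\d+)\]\s+(\w+)\((.*)$')
PROC_PATH = re.compile(r'"/proc/(\d+)(?:/(\w+))?"')
EXECVE = re.compile(r'^"([^"]+)", \[(.*?)\]')

def attribute_proc_scans(trace):
    """Map each traced pid that touched /proc/<n> to the program it exec'd."""
    report = defaultdict(lambda: {"exec": None, "argv": [], "targets": set(),
                                  "files": set(), "denied": 0})
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # lines without a [pid N] prefix are skipped
            continue
        pid, syscall, rest = int(m.group(1)), m.group(2), m.group(3)
        entry = report[pid]
        if syscall == "execve" and rest.rstrip().endswith("= 0"):
            e = EXECVE.match(rest)
            if e:                      # remember the most recent successful exec
                entry["exec"] = e.group(1)
                entry["argv"] = re.findall(r'"([^"]*)"', e.group(2))
            continue
        p = PROC_PATH.search(rest)
        if p:
            entry["targets"].add(int(p.group(1)))   # which process was inspected
            if p.group(2):
                entry["files"].add(p.group(2))      # stat, cmdline, exe, ...
            if "= -1 " in rest:
                entry["denied"] += 1                # e.g. EACCES on /proc/1/exe
    return {pid: e for pid, e in report.items() if e["targets"]}

if __name__ == "__main__":
    for pid, e in attribute_proc_scans(SAMPLE).items():
        print(pid, e["argv"], sorted(e["targets"]), sorted(e["files"]), e["denied"])
```
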

  • by xfitm3 on 8/17/21, 11:38 PM

    It not only examines all processes and arguments - it leverages the microphone to act on ultrasonic cues for "integrations". Zoom is a privacy dumpster fire.

    https://devforum.zoom.us/t/ultrasonic-connection/3318

  • by vishho on 8/18/21, 12:52 AM

    Zoom has attention tracking, which when enabled silently, shows an admin if the screen is maximized or if the user is focused on other applications. They don't yet tell admins what other apps the user is active in, just whether the user is active.

    Another angle for Zoom to do that is that it is a massive Chinese spyware application, which can target users by metadata or IP, like it did by messing with the calls of activists. A bit like how anti-virus companies are sometimes charged with exfiltrating secret documents.

  • by dmart on 8/17/21, 11:28 PM

    Perhaps a better question to ask would be "why is any process allowed to do this by default in 2021?"
  • by jlgaddis on 8/17/21, 9:36 PM

    > Is there any way to prevent it?

    Mounting /proc with "hidepid=2" should prevent it from seeing processes owned by other users, although it would still be able to see your processes.

    Alternatively, it shouldn't be too hard to create an AppArmor profile that blocks access to /proc.

    Other options might include things like SELinux, seccomp-bpf, namespaces, cgroups, etc., depending on what's available on your host.

    Or you could just, you know, obliterate it from your system altogether. That's almost certainly the best option.
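
Added example, not part of the original thread or of any commenter's post: a check of whether `/proc` is mounted with the `hidepid` option mentioned in the comment above, by parsing the option string in the `/proc/mounts` format. The sample mount lines are constructed, the function names are assumptions, and the value names follow proc(5), where newer kernels accept names such as `invisible` alongside the older numeric form `2`.

```python
import os

# Values accepted by the procfs "hidepid=" mount option, per proc(5).
HIDEPID = {"0": "off", "off": "off",
           "1": "noaccess", "noaccess": "noaccess",
           "2": "invisible", "invisible": "invisible",
           "4": "ptraceable", "ptraceable": "ptraceable"}

# Constructed sample lines in /proc/mounts format.
DEFAULT = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
OLD_STYLE = "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0\n"
NEW_STYLE = "proc /proc proc rw,nosuid,relatime,gid=26,hidepid=invisible 0 0\n"

def proc_hidepid(mounts_text, mountpoint="/proc"):
    """Return (mode, gid) for the procfs at `mountpoint`, or None if absent.
    The last matching line wins, since a later mount shadows an earlier one."""
    found = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != mountpoint or fields[2] != "proc":
            continue
        # "rw,hidepid=2" -> {"rw": "", "hidepid": "2"}
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        mode = HIDEPID.get(opts.get("hidepid", "0"), "unknown")
        found = (mode, opts.get("gid"))   # gid= names a group exempt from hiding
    return found

def hides_other_users(mounts_text):
    """True when /proc/<pid> directories of other users are not listed at all."""
    result = proc_hidepid(mounts_text)
    return result is not None and result[0] in ("invisible", "ptraceable")

if __name__ == "__main__" and os.path.exists("/proc/mounts"):
    with open("/proc/mounts") as fh:
        live = fh.read()
    print("hidepid:", proc_hidepid(live), "hides other users:", hides_other_users(live))
```
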

  • by noobermin on 8/18/21, 5:36 AM

    I'll be annoying and say if people used the FOSS alternatives we wouldn't have to be so paranoid about a tool we all use.
  • by wins32767 on 8/17/21, 8:45 PM

    If I had to guess it's for screen sharing.
  • by laurensr on 8/17/21, 8:46 PM

    Also note the news and discussion at https://news.ycombinator.com/item?id=28210076
  • by luke2m on 8/17/21, 8:49 PM

    > Is there any way to prevent it?

    Use a flatpak

  • by jagged-chisel on 8/17/21, 9:08 PM

    > Is there any way to prevent it?

    Hook the stat, openat, readlink functions within the zoom process, experiment with blocking (returning failure) based on arguments.

  • by nullc on 8/18/21, 5:34 AM

    How else would they back up your command-line passed passwords and private keys for you?
  • by akira2501 on 8/17/21, 8:48 PM

    > Is there any way to prevent it?

    Put it into its own namespace, and only allow it to connect to your X11 session over TCP.

  • by the8472 on 8/17/21, 9:53 PM

    > Is there any way to prevent it?

    Firejail[0] allows cobbling together various linux sandboxing features, including namespaces which should result in an isolated proc filesystem which doesn't see the other processes. But I don't know if the default profile for zoom does that, you have to test it or write your own.

    [0] https://github.com/netblue30/firejail

  • by tryauuum on 8/17/21, 8:46 PM

    (incompetence here) Maybe it's like discord, it does the same to display messages like "$username is playing terraria right now"
  • by gwbas1c on 8/18/21, 2:23 AM

    I'm going to assume this happens when you aren't trying to share your screen.

    I once worked on a file synchronization application that would scan processes when files were locked. I don't remember if we put the process name in the UI, but we logged detailed information about the other process in case someone contacted support. (Sometimes users ran weird applications that kept files locked.) I believe we had to scan through all processes and inspect their open file handles.

    I would assume some things like: Maybe there are applications that are known to cause problems for Zoom? Maybe some applications lock the camera or microphone? Maybe some applications hog the CPU and cause encoder problems?

    If you really want to know more, consider decompiling zoom and/or looking at strings compiled into the binary.

  • by egberts on 8/18/21, 11:39 AM

    Polling for all processes is the technique used by some educators’ quiz/test/exam program.

    Zoom is probably footholding their place so as to be able to inform its educator whether their students’ behavior is acceptable or is cheating.

    Most probably.

  • by mcrmonkey on 8/17/21, 11:51 PM

    I can only think the most direct usage for this info is to feed the performance screen/tab that lives in settings showing CPU and memory usage

    But some of the info it's reading seems a little bit too much

    cough 'telemetry' cough

  • by amelius on 8/17/21, 10:27 PM

    I've used the method of scanning the environment variables of other processes to find the PID of certain applications which advertised themselves using their environment variables. This could be similar?
  • by fsflover on 8/17/21, 9:30 PM

    > Is there any way to prevent it?

    I prevent it by running Zoom in a VM on Qubes OS.

  • by sneak on 8/17/21, 11:58 PM

    The way to prevent it is to not install their poorly engineered spyware and only use the sandboxed web app.

    You'd have to be crazy to install Zoom given their history.

  • by MattGaiser on 8/17/21, 9:10 PM

    And for people giving ways to prevent it, can you please provide some context for those of us who aren't OS experts?
  • by ayush--s on 8/18/21, 2:28 PM

    So should I move it to docker? Since X11 socket will be shared, I'm assuming screen sharing might work
  • by phendrenad2 on 8/17/21, 8:57 PM

    > Is there any way to prevent it?

    Maybe run it in a chroot?

  • by andrewlevi on 8/17/21, 9:57 PM

    Does Teams or Discord do anything similar?
  • by kevmo on 8/17/21, 10:06 PM

    Zoom is pursuing surveillance profits.

    Shoshana Zuboff has an excellent book on "surveillance capitalism", if you want to read more on the trend.

  • by MichaelGroves on 8/17/21, 9:34 PM

    > Is there any way to prevent it?

    Do what I do: Run it on a burner computer connected to your guest network.

  • by swiley on 8/18/21, 8:16 AM

    Your crap is being exfiltrated.

    Stop using non-free software if you're doing anything important on that machine.

  • by ianlevesque on 8/17/21, 8:43 PM

    Zoom is basically malware with video chat.
  • by 99mans on 8/17/21, 10:01 PM

    Because they can get away with it and use it to make more money from your "experience".
  • by aFaid7see0ni on 8/17/21, 11:03 PM

    Zoom has a paid feature to view processes of other meeting attendees. Yes. Scary.
  • by gigatexal on 8/17/21, 6:45 PM

    I'm on a Mac so I can’t issue the same … did you use strace on Linux?

    This is enough for me to remove the app and just use it in the browser.

  • by 0xbadcafebee on 8/17/21, 11:55 PM

    It's not really worth wondering. There are a million potential reasons that you and I don't know or can't come up with, but they may have a specific reason for.

    You can probably prevent it with capabilities, or selinux, or with a container. Unless you just enjoy the fashion statement of tinfoil hats, it's not worth it.

  • by GekkePrutser on 8/17/21, 9:58 PM

    I know a really good way to prevent it. Don't use zoom :) Seriously they've done so many things that show they don't care about privacy. Like that backdoor on Macs.

    But if you really must, use the web version only.

    If you can avoid it, jitsi is a great alternative. Much smoother video than teams and much lighter