
Redistribute the modified Zoom installer from your own domain. Send meeting invites with a link to the modified Zoom installer.

You get the Zoom-signed package installing your unsigned code.



And somehow break the binary's signature?

But the truth is you don't really need to do that. If people are coming to your own domain you can ship them whatever you want. I'd wager that well below 1/1,000,000 users actually verify signatures on binaries. For the huge majority of users, there is little you can do to prevent this.


But if you modify it, it's no longer signed?


Apparently the issue is that you could modify the script, keeping the script-launching binary unchanged and signed?

Did not try/verify though.


How are you planning on modifying the script?

The network can't do it if it is downloaded over TLS. A malicious host can already ship evil scripts. Malware on the local machine can already do worse than edit a script.


The installer is code-signed, and requests root privileges, right?

> Malware on the local machine can already do worse than edit a script.

Malware on the local machine may not have root rights. You're basically arguing that privilege escalation isn't a real threat.



