Of the main facets of the problem, the vulnerability bothered me less than their obviously poor attitude towards fixing it in a responsible timeline, and that bothered me less than the discovery that they were running an always-active webserver to assist call launches and reinstallation.
Is that a common thing that programs do? Should I be expected to portscan myself frequently to see if software is unexpectedly running web servers? How much battery am I losing to this stuff?
The Verge article mentions it's reasonably common and mentions some programs that do it.
From the article, a tweet:
--------
They are far from alone, a quick `lsof -i | grep LISTEN` shows that I have: Spotify, Keybase, KBFS, iTunes, Numi, https://t.co/MVSAJgN9yY… All running locally listening web servers.
The Spotify one is for Spotify Connect most likely. I'm guessing (although not sure, someone could verify it) that Spotify Connect requires some sort of authorization to work.
It's one thing to run a webserver while your software is running.
It's quite another to leave it installed and running even after the user has uninstalled your application.
And to actively evade the user's attempts to remove the webserver component. Until this update, if you removed ZoomOpener from your Login Items and via `rm -rf ~/.zoomus`, it would miraculously reappear every time you participated in another Zoom meeting. (To stop this, you had to touch `.zoomus` as a file or otherwise make it harder to recreate as a directory. But if they had chosen to, Zoom could have coded around these countermeasures, thus leading to an arms race, at least for a while.)
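As an added example (not written by any of the commenters above) of the self-audit the tweet's `lsof -i | grep LISTEN` and the `.zoomus` workaround describe: a POSIX shell snippet that reduces `lsof -i` output to the listening sockets per process, separates out the ones bound to all interfaces, and reports whether a `.zoomus` path is a directory (recreatable) or a plain file (blocking). The lsof sample, including its process names, PIDs and ports, is constructed for illustration, and the path is passed as an argument rather than assumed to be `~/.zoomus`.

```shell
#!/bin/sh
# Constructed sample in lsof's default column layout; not real captured output.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Spotify    1234 alice  30u  IPv4 0x1234      0t0  TCP *:57621 (LISTEN)
Spotify    1234 alice  31u  IPv4 0x1235      0t0  TCP 127.0.0.1:4381 (LISTEN)
ZoomOpener 2345 alice   4u  IPv4 0x1236      0t0  TCP 127.0.0.1:19421 (LISTEN)
Safari     3456 alice  12u  IPv4 0x1237      0t0  TCP 10.0.0.5:52311->93.184.216.34:443 (ESTABLISHED)
Keybase    4567 alice   8u  IPv4 0x1238      0t0  TCP 127.0.0.1:3223 (LISTEN)'

# Print "COMMAND PID ADDRESS:PORT" for every LISTEN socket read on stdin.
# In lsof's layout the NAME column is the second-to-last field and the
# connection state, e.g. "(LISTEN)", is the last one.
listening_sockets() {
    awk '$NF == "(LISTEN)" { print $1, $2, $(NF-1) }'
}

# Of those, sockets bound to every interface ("*:" prefix) are reachable
# from the local network, not only from a browser on the same machine.
listening_on_all_interfaces() {
    listening_sockets | awk 'index($3, "*:") == 1'
}

# Number of listening sockets as a bare integer, handy for alerting on a
# baseline ("yesterday there were 3, today there are 4").
count_listening() {
    listening_sockets | wc -l | tr -d ' '
}

# Classify the .zoomus path from the thread: a directory can be recreated
# by the helper, a plain file at the same path prevents that, absent means
# nothing is there yet.
zoomus_state() {
    if [ -d "$1" ]; then echo directory
    elif [ -e "$1" ]; then echo file
    else echo absent
    fi
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | listening_sockets
printf 'exposed to the LAN:\n'
printf '%s\n' "$SAMPLE_LSOF" | listening_on_all_interfaces
```

On a real machine replace the sample with `lsof -i -P -n | listening_sockets` so that ports and addresses are printed numerically.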
Not only is it common, there was an article about "how to write performant electron apps" at the top of HN last week explaining exactly why you should do that.
While Electron apps have the ability to introduce a security nightmare (just like every desktop app framework really), the authors do try to teach Electron users how to make the apps they develop a bit more secure - https://github.com/electron/electron/blob/master/docs/tutori...
Unless they coded something very stupidly, a listening socket that nobody connects to is not going to be on the CPU. It will be asleep waiting to be woken up by actual activity.
Not sure if any operating system would use that socket as a reason not to enter a low power state but I kind of doubt that.
I've noticed that the Intel software update scan tool is a web page now, I presume it is a client side application that communicates with a local web server.