My work Mac regularly pops up an alert box claiming that Slack is “trying to install a new helper tool”. I have no idea why or what it means. I asked IT how I could verify it was legit and they didn’t know.
I often wonder if this could also be exploited because it asks for a password and it keeps popping back up every time I click cancel.
This dialog comes from the System Management framework [1]. Slack is probably installing a privileged helper tool (conceptually similar to a setuid root binary) so that it can update itself regardless of where it is installed or which user originally installed it.
Seems like it should only need to do this once. I get this with almost every Slack and VSCode update. The correct solution for me is to quit Slack.app and let my company's management software do the update for me.
Chances are they have some kind of management software like SentinelOne that is preventing Slack from doing this (or storing the permission to do so), so it just asks over and over. Which is arguably worse.
Discord does this as well I believe. I often needed to enter the administrator password to install a helper after the system had been off for a couple days.
A software updater was going to be my best guess at what this was. I guess I understand the flexibility it brings, but it definitely does have some security trade-offs.
I'm not aware of the "helper tool" popup, but I would definitely be skeptical of it. Even if it is Slack, Slack is just a messaging application. I don't know what legitimate need it would have for a helper tool. I would ask Slack support, though (and hopefully you can get a real answer and explanation).
I kinda like this angle. While Slack makes an effort to work basically everywhere with low effort, I wonder what would follow if it wasn't the case.
For instance, if for some stupid legal reason Slack was banned from macOS, how many people would just switch to another OS? I'd bet it would be a non-trivial amount of users at this point.
> I kinda like this angle. While Slack makes an effort to work basically everywhere with low effort, I wonder what would follow if it wasn't the case.
This idea of respecting user preference is not the way, though. For example, back when Skype existed, you couldn't remove its icon from the macOS menu bar, because (1) Microsoft didn't believe you had the right to choose to remove that item, and (2) macOS believes an app developer should have more control over what goes in my menu bar than I do.
In environments like this, my trusted colleagues and I communicated using Signal (and before that, WhatsApp).
One somewhat paranoid department that was convinced they were being spied on (they weren’t; I saw the Slack admin dashboard and management was too cheap to pay for the retention and spying features) maintained the use of an ancient Jabber-based group chat for their own internal communications.
This was around 8 years ago, but there was no MDM installed on our cell phones, regardless of whether it was BYOB or a company-paid device.
The only restriction was if you went to China, you took a burner phone (one of the old company phones, usually) and weren’t supposed to ever use it again once you left. I think they just sold them to a liquidator.
I guess that's a fair point. It cuts both ways, but given that so many people use Slack as opposed to talking, the exact words people used and when could be open to view. Whereas, before all of this, you may only just have the minutes of any official meetings. Any side chatter not in the meeting room and/or exact phrasings would be lost to time.
That does sound like it could be exploited, but with only as much exploitability as some random app that requires your password (for analogy consider a Linux binary that refuses to run unless being run as root). Ultimately it's a matter of deciding whether you trust the developer of the app and whether you trust this app is really from that developer. The day Apple prevents users from giving root access to a third-party app is when the Mac fully becomes a walled garden, and you can expect pages of HN complaints.
Overall I think it's good paranoia to not grant root permissions to apps that do not clearly need them such as Slack.
Being paranoid, would it be possible for another app that is already installed (but not trusted enough to be given privileges, let’s say a shady mouse driver or screenshot app) to detect when Slack (more trusted) launches, open a dialog at that precise time, and deceive the user? Let’s say the shady app is named « SIack » or something close enough to be missed, but brands itself as the innocent « screenshotPro4000 » in the app's own graphics so you’re not suspicious.
> The day Apple prevents users from giving sudo access to a third-party app is when the Mac fully becomes a walled garden, and you can expect pages of HN complaints.
I can see this happening, but it probably won't anytime soon. macOS is still open enough, and with the assumption that sometimes processes need root (see third-party Launch Daemons).
It would probably break quite a lot. But I wouldn't be surprised if they eventually gradually move macOS in that direction.
And it's so annoying because it steals focus, so as you're writing a message it suddenly stops taking your input and "helpfully" continues typing your text into the password box.
These types of ‘security’ blockers are so dumb because they train people to act dumb. Even if they’re real, the next time they may not be.
It’s like how my bank often calls and wants me to give them my personal info for ‘data protection’ before we can speak. These are legit bank calls, training people to give out personal info to strangers.
As of the latest macOS update, every app is now asking every few days if it can have access to devices on your local network, or something to that tune. My theory right now is it's something in Chromium that's automatically asking for this and Electron apps will do this out of the box, but I can't remember which apps exactly have been doing this.
Regardless, yes it causes the exact issue you're talking about. I don't even read what the popups say anymore, I'm just blindly hitting an accept button.
When you make an iOS app and request permission for something (photo library, location, etc.), you MUST write out a sentence of what you’ll use it for, which is shown to the user.
I likewise refuse the bank’s call and they’re always really confused why I’d do such a thing - so clearly they have successfully trained all their other customers to be morons - and then they will no doubt blame them when they get conned.
And they somehow stack in time. So after a weekend it's popping up over and over until I give up and quit Slack. It's been like this for a year I'd say. There's no way to stop them and they always get focus, which is extremely annoying. How can I revoke this permission from Slack? Seems pretty abusive.
Not an OS X developer, but I've always wondered: are there any OS guardrails against any (malicious) application showing a window styled the same way as that popup box and just stealing your password?
I mean, I don't know how there would be? Unless they were scanning the text of every pop-up for words convincing the user to enter their computer password. There would be no way to determine intention without some sort of language analysis.