Poor security leaves popular Mac apps open to attack


[Photo: MacBook Pro. Protect your Mac. Photo: Apple]

When it comes to your Mac apps, there’s reason to fear a so-called man-in-the-middle attack.

A security engineer is reporting that several apps are vulnerable to code injection through Sparkle, the third-party framework many Mac apps use to check for and install updates. Some of the apps identified include versions of Camtasia, VLC, uTorrent, Sketch and DuetDisplay.

The weakness was first reported last month on a blog by the engineer, who goes by the name Radek. It has since been verified by another researcher, Simone Margaritelli, and was reported Wednesday by the tech website Ars Technica.

The risk involves the Hypertext Transfer Protocol, or HTTP. Some app developers used plain HTTP for their update feeds rather than HTTPS. The S stands for secure: HTTPS encrypts the connection and lets the app verify it is really talking to the update server, so the content cannot be read or altered in transit. HTTP is plain text, and anyone on the network path can both read and rewrite it.

Radek said apps that fetch updates over HTTP are open to MitM, or man-in-the-middle, attacks, meaning the update information could be secretly manipulated as traffic passes between the end user and the server.

“The Sparkle Updater framework in its nature is safe and easy to use,” Radek said on his blog. “Developers who include Sparkle in their projects just broke one simple rule: they didn’t set HTTPS everywhere.”

The good news is the most recent version of Sparkle uses only HTTPS channels. The bad news is it’s a lot of work for developers to address the vulnerability and publish a new version of their apps.

“Now, this is the moment when people can check for the update and replace this particular app version on their computers with the newest ones,” according to an email Radek wrote to arstechnica. “It all depends on the complexity of an application, its size and maintainers. That’s the reason why some developers don’t want to update or can’t update Sparkle in their applications.”

Radek said it is hard to know how many Mac apps are affected, but he suspects the number is rather high. His blog outlines the tests he ran on some apps.
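A practical way to find out which apps on your own Mac fall into the HTTP category is to read each app bundle’s Info.plist, where Sparkle looks for its update feed URL under the SUFeedURL key, and flag any feed that is not https://. The following scanner is an added example written for this article; it is not code from Radek, Ars Technica or the Sparkle project. The app bundles it scans in its demo are constructed in a temporary directory (com.example.* identifiers, updates.example.com URLs) so that it runs offline; pointing scan_applications at /Applications runs it against a real machine.

```python
import os
import plistlib
import tempfile
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

# Sparkle reads its update feed ("appcast") URL from this Info.plist key.
FEED_KEY = "SUFeedURL"


def _plist(bundle_id, feed_url=None):
    """Build a minimal XML Info.plist (constructed sample, not a real app)."""
    body = f"<key>CFBundleIdentifier</key><string>{bundle_id}</string>"
    if feed_url is not None:
        body += f"<key>{FEED_KEY}</key><string>{feed_url}</string>"
    return (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<plist version="1.0"><dict>' + body.encode() + b"</dict></plist>\n"
    )


# Constructed sample bundles covering the three cases the scanner separates:
# an HTTP feed (attackable in transit), an HTTPS feed, and no Sparkle feed.
SAMPLE_BUNDLES = {
    "InsecureUpdater.app": _plist("com.example.insecure", "http://updates.example.com/appcast.xml"),
    "SecureUpdater.app": _plist("com.example.secure", "https://updates.example.com/appcast.xml"),
    "NoSparkle.app": _plist("com.example.nosparkle"),
}


def classify_feed_url(url):
    """'secure' for https://, 'insecure' for http://, 'unknown' for anything else."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme == "https":
        return "secure"
    if scheme == "http":
        return "insecure"
    return "unknown"


def check_info_plist(data):
    """Parse Info.plist bytes; return (bundle_id, feed_url, verdict),
    or None when the plist declares no SUFeedURL at all."""
    plist = plistlib.loads(data)
    url = plist.get(FEED_KEY)
    if not url:
        return None
    return plist.get("CFBundleIdentifier", "?"), url, classify_feed_url(url)


def scan_applications(root="/Applications"):
    """Walk root for *.app bundles and report every Sparkle feed URL found."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if not name.endswith(".app"):
                continue
            dirnames.remove(name)  # do not descend into the bundle itself
            plist_path = os.path.join(dirpath, name, "Contents", "Info.plist")
            if not os.path.isfile(plist_path):
                continue
            try:
                with open(plist_path, "rb") as fh:
                    result = check_info_plist(fh.read())
            except (plistlib.InvalidFileException, ExpatError, OSError):
                continue  # unreadable or malformed plist: skip, don't abort the scan
            if result:
                findings.append((name,) + result)
    return findings


def write_sample_bundles(root):
    """Materialise SAMPLE_BUNDLES as app-shaped directories under root."""
    for name, data in SAMPLE_BUNDLES.items():
        contents = os.path.join(root, name, "Contents")
        os.makedirs(contents, exist_ok=True)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            fh.write(data)


def demo():
    """Run the scanner over the constructed bundles; return findings sorted by app name."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_bundles(root)
        return sorted(scan_applications(root))


if __name__ == "__main__":
    for app, bundle_id, url, verdict in demo():
        print(f"{verdict:9} {app:22} {bundle_id:24} {url}")
```

Two caveats when reading the output. A bundle with no SUFeedURL is not proven safe: Sparkle also lets an app supply the feed URL at runtime through its updater delegate, so the key can be absent even though the app updates through Sparkle. And an https:// feed only covers the appcast itself; the download links inside that feed are a separate question this check does not inspect.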

Margaritelli demonstrated the attack against VLC Media Player in a short video, posted below, showing the vulnerability.

Source: Ars Technica