“The Mac and iOS software developer Panic has had the source code for several of its apps stolen,” BBC News reports. “Panic founder Steven Frank admitted in a blog post that it happened after he downloaded an infected copy of the video encoding tool Handbrake.”
“He said there was no sign that any customer data was accessed and that Panic’s web server was not affected,” The Beeb reports. “Users have been warned to download Panic’s apps only from its website or the Apple App Store.”
“On 2 May Handbrake was hacked, with the Mac version of the app on one of the site’s download servers replaced by a malicious copy,” The Beeb reports. “The FBI is investigating the incident and Panic has been working with Apple to make sure that no malicious or fake versions of the apps get into the App Store.”
Read more in the full article here.
“In a case of extraordinarily bad luck, even for a guy that has a lot of bad computer luck, I happened to download HandBrake in that three day window, and my work Mac got pwned,” Frank writes on Panic’s blog. “Long story short, somebody, somewhere, now has quite a bit of source code to several of our apps… I feel like a monumental idiot for having fallen for this.”
“I managed to download within the three day window during which the infection was unknown, managed to hit the one download mirror that was compromised, managed to run it and breeze right through an in-retrospect-sketchy authentication dialog, without stopping to wonder why HandBrake would need admin privileges, or why it would suddenly need them when it hadn’t before,” Frank writes. “I also likely bypassed the Gatekeeper warning without even thinking about it, because I run a handful of apps that are still not signed by their developers. And that was that, my Mac was completely, entirely compromised in 3 seconds or less.”
Read more in the full article here.
MacDailyNews Take: Yikes, that’s extraordinarily bad luck indeed!
Never download a copy of one Panic’s apps from a source that is not Panic’s website or Apple’s Mac App Store.
SEE ALSO:
Mac HandBrake Virus: How to check if your Mac is infected – May 10, 2017
Handbrake warns Mac users after mirror download server hack – May 7, 2017
Far, far too many Mac apps not from the app store require admin rights to install, when all the installer does is copy the app into the Applications folder.
That’s a terrible and lazy habit carried over from the Windows world, where exes and libraries are dropped all over the place through some install “wizard”. Most Mac apps don’t need this and should never have been put in an installer.
Good point mossman. Maybe we should determine which apps that are already installed on our Mac need the admin rights to install and put them on some kind of “watch list”. And pressure the developers to change this by making a new version that doesn’t require this
All apps reqiuire admin accfess. App Store authenticates for you.
Unix 101
You miss the point entirely. Apps from the Mac app store are not the issue. Apps from non-Apple sites, even trusted ones, do NOT need admin access if they can be run right off the disk image. You only need to authenticate if you drag and drop that app to the Applications folder, but with THAT action, you know *exactly* what’s going on: the Mac is moving it to a protected folder.
With a .pkg file, non-technical end users have NO way of knowing what else the package is telling the Installer to do with the admin rights you just gave it. I just looked at a few .pkg files on my system using the “Suspicious Package” app (found via MacObserver), and almost all just dropped the app into the Applications folder as I expected, with no additional scripts run… but that just proves that they never needed the installer in the first place.
Oops.
“I feel like a monumental idiot for having fallen for this.”
Not a “feeling”. You ARE…
” Yikes, that’s extraordinarily bad luck indeed!”
Nothing to do with luck.
Installation of applications on Macs has always been less than consistent, compared to Windows. Since practically its first day, Windows applications were always installed by running setup.exe, which would then proceed to copy all the needed files in all the myriad various Windows locations where they were supposed to go. While the underlying process was a colossal mess (DLLs go into one folder, CFGs go into another, icons go into the Start menu, etc), for Windows user, this process was intuitive, simple and straightforward: double-click setup.exe, then “next”, “next”, “next”, “next” (as many times as asked) until “Finish”.
On the Mac, there were almost always three ways to do this:
Installation package (similar to Windows), which you run and it essentially puts your Application into the Application folder;
The application itself — when user downloads the app, they essentially get what looks like a single file in their download folder (actually a package), which they can run directly from the Downloads folder, but should really manually move into the Applications folder;
Disk Image (.DMG file), where user has to double-click the image to mount it, then find the app inside, then manually copy the app into the Applications folder. Once the app is copied, the disk image should normally be unmounted, and then the original disk image file deleted.
The least intuitive is this last one. I can’t remember how many people really have no clue how do do this, so what they do every time when they need this app is go to Downloads, mount the DMG file, launch the app from the disk image. Very often I see a bunch of mounted disk images on the desktop, for various applications.
Apple’s Mac App Store has certainly managed to eliminate all this hassle, but that’s only for apps that are in the store. Many more, and important ones, are still downloaded as DMG disks, or PKG installers, or simply as APP packages. And the confusion persists…