Skip to main content
  1. Home
  2. Computing
  3. News

Digital Trends may earn a commission when you buy through links on our site. Why trust us?

A bunch of Mac apps are reportedly easy to hack, and the solution is taxing

Gabe Carey
By

apple macbook 2016 news rumors version 1454155228 header
Szefei/123RF
Last week, “insane and plain weird” programmer Radek published an article on his blog that uncovered an oddly contained secret about the Mac OS X operating system. In his research, he discovered that the Sparkle update system used in a number of popular Mac applications, such as VLC media player, uTorrent, and Camtasia, fail to use the secure HTTPS protocol, instead opting for the much more vulnerable HTTP.

The unencrypted path makes it easy for hackers to take exploit traffic between the user and the server in both man in the middle and remote command execution attacks. Because of the way Sparkle allows for JavaScript execution by means of WebKit rendering, Radek says the attacks could leave users of both El Capitan and Yosemite at risk.

Related: MacPaw CleanMyMac 3 Free Trial

Recommended Videos

Moreover, if you’re wondering what an attack like this would look like it action, you’re in luck, as Radek took the time to shoot a video of exactly that:

Related

Another researcher, Simone Margaritelli, expanded on to Radek’s discoveries by writing out some frighteningly easy-to-follow instructions as to how you, too, can perform an attack like this using the Metasploit exploit framework. The example he used was none other than the indisputably best media player in the universe, VLC.

While it’s presently unclear just how many apps this could affect, Radek went with the rough approximate count of “huge.” What we do know is that included in this list is Camtasia 2 v2.10.4, DuetDisplay v1.5.2.4, uTorrent v1.8.7, and Sketch v3.5.1. Computer forensics expert Jonathan Zdziarski added that the Hopper reverse engineering tool and DXO Optics Pro are also at risk, according to Ars Technica.

There’s even an extensive list of apps that utilize Sparkle, in case you were wondering, though not every single one of them operates over HTTP or take advantage of a susceptible framework.

To make things worse, Radek said that another Sparkle vulnerability also persist, albeit with less severity. By letting an assailant replace a standard update file with something a little more harmful, it can also be exploited in an aggression against the update servers.

While there is a solution to both vulnerabilities, neither is simple. In fact, Zdziarski reports that at least one developer is struggling to convert its app’s update servers to the more secure HTTPS channel configuration. Until every last one of them does, however, no one is safe.

Editors' Recommendations

Topics
Gabe Carey
Gabe Carey
Former Digital Trends Contributor
A freelancer for Digital Trends, Gabe Carey has been covering the intersection of video games and technology since he was 16…
The XPS 16 is fighting an uphill battle against the MacBook Pro
Dell XPS 16 sitting on desktop with flowers.

It took a few years, but Dell finally updated the design of its two largest XPS laptops. The XPS 15 gave way to the XPS 14, while the XPS 17 was replaced by the XPS 16. The latter gained the ultramodern look of the XPS 13 Plus, complete with a glass palm rest, a hidden haptic touchpad, and a row of LED function keys.

It's a significant update but places the XPS 16 in direct competition with the Apple MacBook Pro 16. That's an excellent matchup with proven performance and battery life and an elegant design that's solid, if a lot more conservative.
Specs and configurations

Read more
These 4K monitors are discounted at Best Buy — from $200
The Sony InZone M9 sitting next to a PlayStation 5.

A 4K monitor is a great way of enjoying an enhanced image as you work with more pixels, higher resolutions, and often better colors too. Over at Best Buy, there are some great monitor deals squarely focused on all things 4K. There are dozens of 4K monitors in the sale so the smart move is to hit the button below to see what’s there for yourself. If you want some help though, we’re here. We’ve picked out a few highlights in the sale so take a look for yourself.

What to shop for in the Best Buy 4K monitor sale
Samsung makes some of the best monitors around so why not start with the ? It’s currently reduced by $150 so it costs just $200. Its IPS panel looks great with AMD FreeSync support effectively eliminating screen tears and stutters. There’s also HDR support which brings with it some great looking colors while wide viewing angles mean it looks great from any perspective.

Read more
9 best processors for PC gaming: tested and reviewed
The AMD Ryzen 9 7950X3D installed in a motherboard.

It's tough to find the right gaming CPU for your next PC. We've benchmarked dozens of processors to find the best CPU for gaming, and there's a clear winner right now: AMD's Ryzen 7 7800X3D. Although the latest chip from Team Red claims the crown, there are still several other great options on the market.

Whatever your needs and budgets, though, we have options from AMD and Intel that will be great performers. We're focused on gaming here, but if you want a processor that can game and get work done, make sure to check out our list of the best processors.

Read more