Skip to main content

Digital Trends may earn a commission when you buy through links on our site. Why trust us?

A bunch of Mac apps are reportedly easy to hack, and the solution is taxing

Last week, “insane and plain weird” programmer Radek published an article on his blog that uncovered an oddly contained secret about the Mac OS X operating system. In his research, he discovered that the Sparkle update system used in a number of popular Mac applications, such as VLC media player, uTorrent, and Camtasia, fail to use the secure HTTPS protocol, instead opting for the much more vulnerable HTTP.

The unencrypted path makes it easy for hackers to take exploit traffic between the user and the server in both man in the middle and remote command execution attacks. Because of the way Sparkle allows for JavaScript execution by means of WebKit rendering, Radek says the attacks could leave users of both El Capitan and Yosemite at risk.

Related: MacPaw CleanMyMac 3 Free Trial

Recommended Videos

Moreover, if you’re wondering what an attack like this would look like it action, you’re in luck, as Radek took the time to shoot a video of exactly that:

Another researcher, Simone Margaritelli, expanded on to Radek’s discoveries by writing out some frighteningly easy-to-follow instructions as to how you, too, can perform an attack like this using the Metasploit exploit framework. The example he used was none other than the indisputably best media player in the universe, VLC.

While it’s presently unclear just how many apps this could affect, Radek went with the rough approximate count of “huge.” What we do know is that included in this list is Camtasia 2 v2.10.4, DuetDisplay v1.5.2.4, uTorrent v1.8.7, and Sketch v3.5.1. Computer forensics expert Jonathan Zdziarski added that the Hopper reverse engineering tool and DXO Optics Pro are also at risk, according to Ars Technica.

There’s even an extensive list of apps that utilize Sparkle, in case you were wondering, though not every single one of them operates over HTTP or take advantage of a susceptible framework.

To make things worse, Radek said that another Sparkle vulnerability also persist, albeit with less severity. By letting an assailant replace a standard update file with something a little more harmful, it can also be exploited in an aggression against the update servers.

While there is a solution to both vulnerabilities, neither is simple. In fact, Zdziarski reports that at least one developer is struggling to convert its app’s update servers to the more secure HTTPS channel configuration. Until every last one of them does, however, no one is safe.

Gabe Carey
A freelancer for Digital Trends, Gabe Carey has been covering the intersection of video games and technology since he was 16…
If you’re itching for an HP OMEN MAX gaming laptop, this deal will save you $500
The HP Omen Max gaming laptop with Valorant on the screen.

We've recently published a stunningly positive review of the HP OMEN Max 16. It's got a list of "Pros" a mile long. The single, obligatory con is "Thick and heavy." Considering that it's a gaming laptop, that's practically the equivalent of saying a flashlight is too bright to look at. Thick, and a bit heavy, just comes with the territory. All of this is to say that the review was great and we're fans of the HP OMEN Max 16. As a deal hunter it made me want to go and see if I could find a deal on the HP OMEN Max 16 and I did, sort of. Right now you can get a customizable HP OMEN Max 16t — a laptop that, if it didn't have a separate store page, I would think is identical to the one we reviewed — with a $500 discount, no matter what settings you choose. With the base settings of the laptop, that discount brings it from $2,100 to just $1,600, but you're free to upgrade to your heart's content. Tap the button below to start customizing to your whimsy or keep reading for some advice on how to do so and what to expect from the 16t.

Buy Now

Read more
Google’s AI agent ‘Big Sleep’ just stopped a cyberattack before it started
Sundar Pichai

Google's AI agent, dubbed Big Sleep, has achieved a cybersecurity milestone by detecting and blocking an imminent exploit in the wild—marking the first time an AI has proactively foiled a cyber threat. Developed by Google DeepMind and Project Zero, Big Sleep identified a critical vulnerability in SQLite (CVE-2025-6965), an open-source database engine, that was on the verge of being exploited by malicious actors, allowing Google to patch it before damage occurred. “We believe this is the first time an AI agent has been used to directly foil efforts to exploit a vulnerability in the wild,” the company said.

Why it matters: As cyberattacks surge—costing businesses trillions annually—this breakthrough shifts defense from reactive patching to AI-driven prediction and prevention. It gives security teams a powerful new tool to stay ahead of hackers, potentially saving devices and data worldwide. CEO Sundar Pichai called it "a first for an AI agent—definitely not the last" according to Live Mint.

Read more
Google confirms merging Chrome OS and Android into one platform
Google Chrome app on s8 screen.

Why it matters: Google's push to blend Chrome OS and Android could supercharge affordable laptops like Chromebooks, making them more versatile for work and play. This move echoes Apple's seamless ecosystem across iPadOS and macOS, potentially shaking up the PC market where Windows dominates but innovation lags.

What's happening: In a bombshell interview, Google's Android ecosystem president Sameer Samat outright confirmed the company is "combining Chrome OS and Android into a single platform. This follows months of rumors and aligns with Android 16's new desktop-friendly features, like proper windowing and external display support. But then Samat later clarified on X that it's not a full-on merger killing Chrome OS; instead, it's about weaving Android's tech stack deeper into Chrome for better app compatibility and hardware efficiency.

Read more