Skip to main content
  1. Home
  2. Computing
  3. News

Digital Trends may earn a commission when you buy through links on our site. Why trust us?

A bunch of Mac apps are reportedly easy to hack, and the solution is taxing

Gabe Carey
By

apple macbook 2016 news rumors version 1454155228 header
Szefei/123RF
Last week, “insane and plain weird” programmer Radek published an article on his blog that uncovered an oddly contained secret about the Mac OS X operating system. In his research, he discovered that the Sparkle update system used in a number of popular Mac applications, such as VLC media player, uTorrent, and Camtasia, fail to use the secure HTTPS protocol, instead opting for the much more vulnerable HTTP.

The unencrypted path makes it easy for hackers to take exploit traffic between the user and the server in both man in the middle and remote command execution attacks. Because of the way Sparkle allows for JavaScript execution by means of WebKit rendering, Radek says the attacks could leave users of both El Capitan and Yosemite at risk.

Related: MacPaw CleanMyMac 3 Free Trial

Recommended Videos

Moreover, if you’re wondering what an attack like this would look like it action, you’re in luck, as Radek took the time to shoot a video of exactly that:

Related

Another researcher, Simone Margaritelli, expanded on to Radek’s discoveries by writing out some frighteningly easy-to-follow instructions as to how you, too, can perform an attack like this using the Metasploit exploit framework. The example he used was none other than the indisputably best media player in the universe, VLC.

While it’s presently unclear just how many apps this could affect, Radek went with the rough approximate count of “huge.” What we do know is that included in this list is Camtasia 2 v2.10.4, DuetDisplay v1.5.2.4, uTorrent v1.8.7, and Sketch v3.5.1. Computer forensics expert Jonathan Zdziarski added that the Hopper reverse engineering tool and DXO Optics Pro are also at risk, according to Ars Technica.

There’s even an extensive list of apps that utilize Sparkle, in case you were wondering, though not every single one of them operates over HTTP or take advantage of a susceptible framework.

To make things worse, Radek said that another Sparkle vulnerability also persist, albeit with less severity. By letting an assailant replace a standard update file with something a little more harmful, it can also be exploited in an aggression against the update servers.

While there is a solution to both vulnerabilities, neither is simple. In fact, Zdziarski reports that at least one developer is struggling to convert its app’s update servers to the more secure HTTPS channel configuration. Until every last one of them does, however, no one is safe.

Editors' Recommendations

Topics
Gabe Carey
Gabe Carey
Former Digital Trends Contributor
A freelancer for Digital Trends, Gabe Carey has been covering the intersection of video games and technology since he was 16…
4 CPUs you should buy instead of the Ryzen 7 7800X3D
AMD Ryzen 7 7800X3D sitting on a motherboard.

The Ryzen 7 7800X3D is one of the best gaming processors you can buy, and it's easy to see why. It's easily the fastest gaming CPU on the market, it's reasonably priced, and it's available on a platform that AMD says it will support for several years. But it's not the right chip for everyone.

Although the Ryzen 7 7800X3D ticks all the right boxes, there are several alternatives available. Some are cheaper while still offering great performance, while others are more powerful in applications outside of gaming. The Ryzen 7 7800X3D is a great CPU, but if you want to do a little more shopping, these are the other processors you should consider.
AMD Ryzen 7 5800X3D

Read more
Even the new mid-tier Snapdragon X Plus beats Apple’s M3
A photo of the Snapdragon X Plus CPU in the die

You might have already heard of the Snapdragon X Elite, the upcoming chips from Qualcomm that everyone's excited about. They're not out yet, but Qualcomm is already announcing another configuration to live alongside it: the Snapdragon X Plus.

The Snapdragon X Plus is pretty similar to the flagship Snapdragon X Elite in terms of everyday performance but, as a new chip tier, aims to bring AI capabilities to a wider portfolio of ARM-powered laptops. To be clear, though, this one is a step down from the flagship Snapdragon X Elite, in the same way that an Intel Core Ultra 7 is a step down from Core Ultra 9.

Read more
Gigabyte just confirmed AMD’s Ryzen 9000 CPUs
Pads on the AMD Ryzen 7 7800X3D.

Gigabyte spoiled AMD's surprise a bit by confirming the company's next-gen CPUs. In a press release announcing a new BIOS for X670, B650, and A620 motherboards, Gigabyte not only confirmed that support has been added for next-gen AMD CPUs, but specifically referred to them as "AMD Ryzen 9000 series processors."

We've already seen MSI and Asus add support for next-gen AMD CPUs through BIOS updates, but neither of them called the CPUs Ryzen 9000. They didn't put out a dedicated press release for the updates, either. It should go without saying, but we don't often see a press release for new BIOS versions, suggesting Gigabyte wanted to make a splash with its support.

Read more