Slashdot Mirror


App Maker's Code Stolen in Malware Attack (bbc.com)

Mac and iOS software developer Panic has had the source code for several of its apps stolen. An anonymous reader writes: Panic founder Steven Frank said in a blog post that it happened after he downloaded an infected copy of the video encoding tool Handbrake. He said there was no sign that any customer data was accessed and that Panic's web server was not affected. Users have been warned to download Panic's apps only from its website or the Apple App Store. Panic is the creator of web editing and file transfer apps Coda and Transmit, and the video game Firewatch. On May 2, Handbrake was hacked, with the Mac version of the app on one of the site's download servers replaced by a malicious copy. In what Mr Frank called "a case of extraordinarily bad luck", he downloaded the malicious version of Handbrake and launched it "without stopping to wonder why Handbrake would need admin privileges... when it hadn't before. And that was that, my Mac was completely, entirely compromised in three seconds or less."

73 comments

  1. company name is panic by ganjadude · · Score: 3, Funny

    seems to fit perfectly right now

    --
    have you seen my sig? there are many others like it but none that are the same
    1. Re:company name is panic by gregarican · · Score: 1

      Anyone remember the old game Apple Panic?

  2. That was a really good malware target.. by SuperKendall · · Score: 4, Insightful

    Although as he said you might wonder why a video encoder would need admin access to a computer, I have to admit that I myself would have been taken in by this from a lifetime of being conditioned that various video players always seem to need system access...

    That made Handbrake a really good target for malware as it was more likely people would not question admin access nearly as much.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:That was a really good malware target.. by Anonymous Coward · · Score: 0

      Yep -- as a very long-time (and reasonably suspicious) Mac user I think I might have bought this fraud.

      CAPTCHA: hoodwink

    2. Re: That was a really good malware target.. by Anonymous Coward · · Score: 0

      You mean a lifetime of being conditioned to believe that Macs are safe from virus, and that you're a more elite, fashionable, and intelligent person for using one.... Instead of a consumer whore duped by marketing.

    3. Re: That was a really good malware target.. by TWX · · Score: 1

      Eh. It's not really marketing to say that OSX is less at risk from viruses, because there simply are fewer viruses and other malware for the platform since its market share is smaller. I've never seen marketing that actually states that it was safe from viruses, or marketing that really talks about viruses in any way really.

      The, "...more elite, fashionable, and intelligent person for using one..." part is all over the place though.

      --
      Do not look into laser with remaining eye.
    4. Re:That was a really good malware target.. by Anonymous Coward · · Score: 0

      I think the problem is the conditioning that many types of software supposedly need admin access. Users are conditioned to enter their password whenever prompted, without stopping to think about why (or in many cases, without being able to understand why, even if they thought about it first). Password prompt comes up? It's just in my way, enter the password and get it out of here!

      I think conditioning users to enter passwords is more dangerous than conditioning them to allow admin access. If the malware puts up a fake admin prompt, entering their password now gives it access to their keychain and quite possibly online passwords. This is the real breach. System access? Who cares. If malware is even executing at all, it already has access to all of my unprivileged user data, which is what is important. If the system gets compromised, I can just reinstall (unless it's particularly nasty malware that goes into the EFI or similar).

      I really don't know what the solution is, but there needs to be a better way of allowing some software access to more than standard privileges when actually warranted, but without this blanket all-or-nothing access, and without a simple password entry to get past it. But it needs to work reliably well for users who shouldn't be expected to understand the complexities of said access. That's a tough problem to solve.

      Apparently the authors of this malware got access to his Github account, which is how they got the source code. So, did they get it because the malware got his password, which it then used to get into his keychain, which stored the Github password? Did he use the same password for Github as his Mac user account? In either case, shame on him. This is where I'd recommend using a third-party password manager. You may be conditioned to enter your Mac account password way too often, but anything asking for your 1Password/Lastpass/etc password should cause immediate alarm.

    5. Re: That was a really good malware target.. by Anonymous Coward · · Score: 1

      Then you never watched those "I'm a Mac, I'm a PC" commercials.

    6. Re: That was a really good malware target.. by Anonymous Coward · · Score: 0

      Yes, that's the unix security model. Anything nasty that you are fooled into running can only destroy everything in your home directory and any other user data. The stuff that you can simply restore off the installer iso is protected.

  3. Whatever happened to by Anonymous Coward · · Score: 2, Funny

    Certain computers never getting hacked, malware, or virused up?

    1. Re:Whatever happened to by ilsaloving · · Score: 4, Informative

      Certain computers never getting hacked, malware, or virused up?

      Except that has never ever been true, except to the OS zealots who tie their personal identity to their chosen platform like some weird religious devotee.

      It's funny, I've gotten into arguments on slashdot for this exact thing, by people who were so offended when I said that their favourite OS (no matter what it is) isn't a perfect panacea. They went so far as to accuse me that I "don't know security" because, for example, I disagreed that just using FreeBSD made them automagically immune to security threats.

      What happened to Mr. Frank is a perfect example of what I was talking about. It doesn't matter how secure you think your OS is, because there is *always* a way to compromise it. Even if your OS isn't directly exploitable, an application you run on top of it may be. If not, the meatspace component certainly still is.

      All it takes is a single mistake, a single lapse in judgment for something potentially catastrophic to happen.

      There is no such thing as perfect security. All you can do is put up more barriers than a malicious actor has the patience to tear down. That includes appropriate training for people. Anyone who tells you different is either grossly misinformed, or is trying to sell you something.

    2. Re:Whatever happened to by Guybrush_T · · Score: 2

      Agreed in general. However, in that precise case, it is not true.

      Windows has always had a model of "download whatever you find on the internet and run it". So most people only know that model and that hurts (when you download Handbrake).

      On Linux (and progressively MacOS), you would almost never download something from a website and execute it. You download software with yum or apt and that should make sure that (unless it is compromised, but it is much harder):

      - The software will work well with the rest of the OS / other software
      - The software does not contain malware / viruses
      - The software has not been modified by a man-in-the-middle.

      If you live in a Windows world, those are things you don't even think about, and this is a huge security problem. You can say no-one is immune to security risks, but certain software management systems are certainly more dangerous than others.

    3. Re:Whatever happened to by DontBeAMoran · · Score: 1

      There is no such thing as perfect security.

      Well, there is - but you won't like it.

      Step 1. Disconnect computer power cable.
      Step 2. Physically destroy all storage devices.

      --
      #DeleteFacebook
    4. Re:Whatever happened to by nine-times · · Score: 2

      It doesn't matter how secure you think your OS is, because there is *always* a way to compromise it... There is no such thing as perfect security.

      I'm glad you put this. Although, my preferred way of saying it is, "security" is not about making unauthorized access impossible. Short of completely and irrevocably destroying something, you can't make unauthorized access to it impossible. Security is about making unauthorized access difficult, dangerous, easily discovered, and otherwise unappealing.

      If you want to get more precise (and don't mind a little complication) it's about achieving a favorable balance between "making it difficult for unauthorized people to gain access," and "making it easy for authorized people to gain access", that balance being determined by the sensitivity of the compromise and the sophistication of the likely attackers.

      That is to say, if the information you're protecting is publicly available anyway, and the people likely to attack you are stupid, then you shouldn't devote a lot of resources to your security. It's not just "It's not worth the additional security", but rather, "tightening security would be a bad move". Tightening security unnecessarily almost inherently makes it more difficult for authorized users to gain access, which does a few bad things. First, it may create a false sense of security, which makes people more negligent toward security practices. On the other hand, your authorized users will be less likely to take security seriously, since they know that an inappropriate amount of security is being applied to something trivial. That, in turn, increases the likelihood that an authorized user will find a way to bypass your security entirely, in order to serve their own convenience (e.g. "They keep locking this door, which is annoying. I'll just prop the door open."). Bypassing security procedures in this way opens security holes that you won't be aware of.

      So yes, there's no such thing as perfect security, but I just want to point out that it's not just, "However many barriers I put up, someone could theoretically tear them down." It's also, "If I put up too many barriers in the wrong places, I might accidentally make it harder for me to see an attacker coming."

    5. Re:Whatever happened to by Anonymous Coward · · Score: 0

      This is also a reason why regular backups are important. I agree that no OS is immune from attacks, and due caution must be exercised by the user.

    6. Re:Whatever happened to by ilsaloving · · Score: 1

      You are absolutely correct. The attack footprint on various *NIX systems is definitely lower than it is for Windows.

      But there is a huge difference between "certain software is more dangerous than others" and "my favourite software is completely immune!"

      I just wanted people to understand that no matter what OS you use, you *still* need to be mindful of security. If a Linux system is running some version of httpd that turns out to have a zero day vulnerability, you're still at risk, for example. Maybe you didn't sleep well the night before and stupidly set your root password to 'root', or some other equally idiotic thing that you would normally never have done.

      Shit happens.

    7. Re: Whatever happened to by Anonymous Coward · · Score: 1

      We call those special repositories that you need to go to for software to install walled gardens. Unix and the Mac OS are special, in that there isn't as robust an ABI so much software won't run. You can call it a virtue or a weakness.

      Years ago I remember being in the cashier's line at a CompUSA. There was a crying young boy behind me in the line. His mom was trying to explain that they had a mac and couldn't run the game that he wanted.

  4. Don't Panic by Daetrin · · Score: 1, Troll

    "Users have been warned to download Panic's apps only from its website or the Apple App Store."

    At this point i think the better advice is simply:
    Don't [use] Panic

    --
    This Space Intentionally Left Blank
    1. Re:Don't Panic by Anonymous Coward · · Score: 0

      I think that's unfair. This was a dev box that got compromised, not production.

    2. Re:Don't Panic by TWX · · Score: 2

      The problem is now it may not be that easy to tell legitimate releases from malicious distributions.

      We had this problem back in the shareware day. Renegade BBS software got this treatment, and that plus Cott Lang's unusual versioning scheme based on month as the first couple of numbers made it difficult to determine if a downloaded copy of Renegade was actually Lang's software or if it was compromised and had backdoors that the malicious party had created to later exploit when calling into one's BBS.

      Perhaps this kind of thing can serve as a warning to developers, don't use your dev boxes as general purpose computers. Sure it means having to either have more than one computer or else having to use virtual machines or chroot environments etc, but if one's important work is compromised like this it can have far reaching implications. Just easier to not use the same equipment for both functions.

      --
      Do not look into laser with remaining eye.
    3. Re:Don't Panic by Daetrin · · Score: 1

      I didn't look into the details, maybe it actually is mostly harmless, but i'm not going to let reality get in the way of a good joke!

      --
      This Space Intentionally Left Blank
  5. But... by msauve · · Score: 1, Flamebait

    How can this happen? We're always being told there's no malware on Macintosh.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:But... by Anonymous Coward · · Score: 0, Insightful

      How can this happen? We're always being told there's no viruses on Macintosh.

      Fixed that for you. What you were told remains true.

    2. Re:But... by Anonymous Coward · · Score: 0

      How can this happen? We're always being told there's no malware on Macintosh.

      Malware developers didn't target OS X for a while because there weren't as many computers running that OS, it was not as valuable to exploit.

    3. Re:But... by Anonymous Coward · · Score: 0

      Anyone could write "Malware" of sorts for any OS in a few seconds. So naturally, there's Malware for every system out there. rm -rf * Save as a bash file. - There, I just wrote some Malware for MacOS, and it will work on Linux too! Not the same as getting a virus, or having WannaCry injected into your windows system while connected to the internet without a router in seconds.

    4. Re:But... by Anonymous Coward · · Score: 0

      (P1): Information wants to be free.

      (P2): The internet treats censorship as damage and routes around it.

      (P3): Many eyes make all bugs shallow.

      (P1) + (P2) + (P3) -> If you connect your machine to the internet, get ready for hacktivists to open-source you in the $^#&@.

    5. Re:But... by Anonymous Coward · · Score: 0

      This is nonsense; little more than a talking point.

    6. Re:But... by Anonymous Coward · · Score: 0

      https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Desktop_and_laptop_computers

      Mac OS, not including iOS, as of 2016 had an estimated 26% of the desktop and laptop market. They are hardly used in an enterprise environment on top of that.

    7. Re:But... by DontBeAMoran · · Score: 1

      That's the number for "Web Developer Survey Results 2016". Of course the results will be skewed compared to regular users.

      If you look at the "Desktop/Laptop operating system browsing statistics", macOS is at 11.59% for all versions. The total number for Windows 7 and up is 78.87%.

      --
      #DeleteFacebook
    8. Re:But... by Anonymous Coward · · Score: 0

      This does not address my point.

    9. Re:But... by DontBeAMoran · · Score: 1

      And a trojan, whatever OS your computer may be running, is only possible because of the weakest link in the chain: the [voice="Tron Legacy:Jarvis"]user[/voice].

      --
      #DeleteFacebook
    10. Re:But... by ShanghaiBill · · Score: 1

      MacOS is an inherently harder target. Windows originally had no security, and Microsoft has always emphasized backwards compatibility. Apple has, on several occasions, thrown away backwards compatibility and redesigned from a clean slate. For security, the biggest change was going from OS 9 to OS X in 2001.

    11. Re:But... by Anonymous Coward · · Score: 0

      Exactly. What are you gonna steal off an apple computer. Some hipster's screenplay about a plucky hipster that makes it big in Hollywood?

    12. Re:But... by F.Ultra · · Score: 1

      A credit card with high credit rating?

    13. Re:But... by AHuxley · · Score: 1

      https://objective-see.com/blog... has a good blog on that topic.

      --
      Domestic spying is now "Benign Information Gathering"
    14. Re: But... by Anonymous Coward · · Score: 0

      A credit card with a nearly maxed balance.

      Those yearly 'refreshes' add up.

  6. What is wrong with Handbrake by Anonymous Coward · · Score: 0

    Isn't this the second compromise of Handbrake's servers this year? And they still don't digitally sign their releases.

    1. Re:What is wrong with Handbrake by Anubis+IV · · Score: 1

      This is the first compromise that I'm aware of Handbrake having this year, and they do sign their releases. They've done so for years, in fact. Updates that occur via the built-in updater check that the signature matches what's expected. In this case, however, the user downloaded the file directly from the affected mirror without checking the signature, which is why it didn't matter.

    2. Re:What is wrong with Handbrake by tlhIngan · · Score: 1

      This is the first compromise that I'm aware of Handbrake having this year, and they do sign their releases. They've done so for years, in fact. Updates that occur via the built-in updater check that the signature matches what's expected. In this case, however, the user downloaded the file directly from the affected mirror without checking the signature, which is why it didn't matter.

      How can you not check the signature? If it's not signed, macOS already puts up an unknown application dialog and refuses to run it unless you force it to. (And recent macOS even disabled the option to disable the check).

      Unless you mean by sign they "put up a SHA hash" which is nowhere near a signature.

      The problem is Handbrake isn't a signed app, period. (Developers can pay Apple $99 for a code signing certificate which will bypass Gatekeeper even though the app was not approved by Apple or sold in the Mac App Store).

      Granted, there are probably some logistical reasons why they can't get a certificate from Apple, but still, the app was not signed, and you have to force Gatekeeper to ignore the unsigned nature of it in order to run it.

      All in all, what really happened is the developer was too smart for his own good.

    3. Re:What is wrong with Handbrake by Anubis+IV · · Score: 1

      The problem is Handbrake isn't a signed app, period.

      Actually, it is signed. While they don't use an Apple Developer certificate, they still do cryptographically sign each release. All of that is in addition to providing SHA1 and SHA256 checksums.

      As I said, the user didn't check the signature, and you're quite right that they blew by the warnings about the app being from an unidentified developer, given that those warnings already occur even with the official Handbrake releases. Even so, your claim that they don't sign their releases is entirely incorrect.

  7. You know what they say... by Anonymous Coward · · Score: 0

    Apps that app other apps get apped!

    Apps!

  8. But ... BUtttttt ...... by dasgoober · · Score: 1

    .... they told me that Macs are immune

    1. Re:But ... BUtttttt ...... by Anonymous Coward · · Score: 0

      Bite off. So OSX got hacked because the *user* supplied the root password. In windows you don't need the user to supply the admin password. Windows will do that for you.

    2. Re:But ... BUtttttt ...... by farble1670 · · Score: 1

      In windows you don't need the user to supply the admin password. Windows will do that for you.

      That's not been true for quite some time. Time to upgrade. Or keep your posts relevant to 2001. Your choice.

    3. Re:But ... BUtttttt ...... by Anonymous Coward · · Score: 0

      And with "quite some time" you mean 3 days? https://tech.slashdot.org/stor... ;-)

  9. Why Handbrake on a mission critical computer? by Anonymous Coward · · Score: 0

    This is a depiction of why you don't conflate your business side with your R&D or personal stuff.

    Now he's damaged his reputation. Not smart.

    1. Re:Why Handbrake on a mission critical computer? by Anubis+IV · · Score: 1

      His dev box was infected. If you're using dev boxes as mission critical computers, you're the one with issues.

    2. Re:Why Handbrake on a mission critical computer? by thegarbz · · Score: 1

      Yeah what an idiot. A video transcoder had no business on a Dev box. It's right up there with those idiots who install compilers and IDEs. Have some brains developers.

    3. Re:Why Handbrake on a mission critical computer? by Anonymous Coward · · Score: 0

      What should and should not be on a dev box depends quite a lot on what you are developing though, I guess.

    4. Re:Why Handbrake on a mission critical computer? by angel'o'sphere · · Score: 1

      How do you copy&paste code from stackoverflow when your developer machine is not connected to the internet?
      Remote clipboard sharing?

      The idea that developer machines are not attached to the internet is close to absurd, only super high security environments will do that. E.g. a friend of mine is working in a nuclear power plant on simple SQL stuff. They are not even allowed to bring cell phones inside.

      So developer resources are limited to what is installed on the machines and paper manuals.

      Why would one do that for video editing software?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    5. Re:Why Handbrake on a mission critical computer? by theArtificial · · Score: 1

      It's a joke that flew over your head.

      --
      You get tired of going around doing nothing.
  10. Same outcome for Linux users. by bill_mcgonigle · · Score: 1

    Reports are that all of Linus's code has also been posted to the Internet.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  11. Back to the future! by DigiShaman · · Score: 1

    That's what Time Machine backups are for, dummy. Of course you make backups. Right??

    --
    Life is not for the lazy.
    1. Re:Back to the future! by Anonymous Coward · · Score: 0

      That's what Time Machine backups are for, dummy. Of course you make backups. Right??

      This isn't an issue of lost data. Source code was stolen from his compromised laptop.

  12. He sure as hell was. It was his source code repo by Anonymous Coward · · Score: 0

    ...how smart is that?

  13. But what's the problem? by Anonymous Coward · · Score: 0

    Isn't copyright EVIL? Doesn't information WANT TO BE FREE?

    If it were Microsoft source code leaked, the entire Slashdot circlejerk would rejoice.

  14. Defense in depth by Anonymous Coward · · Score: 0

    According to a detailed discussion of the malware payload, if he had used Little Snitch (or certain other network monitors), the malware would have shut itself down and not infected him.

  15. Re:Good! Teach him how to be a decent developer! by Anonymous Coward · · Score: 0

    But if source code is free then how will the guy make the billions in money he deserves for coding an app?

  16. Re:He sure as hell was. It was his source code rep by Anonymous Coward · · Score: 0

    If he's using Git, and he surely is, then yes, he has an entire copy of his source code repository on his laptop.

    The only one? Probs not. But that is how Git works, is it not?

  17. Malware on Apple? by farble1670 · · Score: 1

    Macs are susceptible to malware? My world view is shattered.

    1. Re: Malware on Apple? by Anonymous Coward · · Score: 0

      /s/macs/computers

      I am shocked.

    2. Re:Malware on Apple? by Freischutz · · Score: 1

      Macs are susceptible to malware? My world view is shattered.

      Deliberately downloading malware infected software and installing it after being warned not to will compromise any system? My world view is shattered.

  18. Re:He sure as hell was. It was his source code rep by Anubis+IV · · Score: 1

    ...you do realize that's how git works, right? Every dev box is its own repo, so of course he had a repo. That doesn't mean it's mission critical. Quite the opposite, it would suggest it's expendable.

    Or perhaps you don't know what mission critical means? It's not just things that are important to your business. It's the things that you can't operate without, like a cloud backend on which your SaaS business operates, or a payment system without which you can't generate any income. Those are mission critical. Expendable repos? Decidedly NOT mission critical.

    Setting aside your cluelessness, however, it actually wasn't the repo on his dev box that was the problem. Rather, the credentials for their private github repo happened to be on his dev box, which is how the hacker gained access to it. That repo was the one that contained the source for all of their apps. So, again, it was NOT the one on his dev box that was compromised, though even if it had been, it wouldn't have been out of the ordinary in the least for him to have had it on his dev box, nor would it have made any of that stuff mission critical.

  19. Re:But Linux & OSX don't get viruses by Anonymous Coward · · Score: 0

    So you don't know the difference between malware and a virus?

  20. Re: But Linux & OSX don't get viruses by Anonymous Coward · · Score: 0

    They don't. This was malware. But go ahead and be smug. You just saw it was a Mac and wanted to look cool. You fucking piece of shit.

  21. Re: But Linux & OSX don't get viruses by Anonymous Coward · · Score: 0

    Why so angry, bro?

  22. Re:After Google EFast & this you ask why? by Anonymous Coward · · Score: 0

    It's not the virus that bothers people, it's the illegal domains in it. Blackmail is worse than ransomware.

  23. After Google EFast & this you ask why? by Anonymous Coward · · Score: 0

    See subject: You ask WHY I don't "openSORES" my code?? Please. Malicious doppelgangers abound & Efast + this article PROVE it!

    (.. & it'd give some of my 'naysayers' around here ammo vs. me to put out a BOGUS malicious copy of APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ )

    * There is NO F'ing WAY I'll do it after knowing about Google EFAST & this article... no way.

    (I'm NOT that dumb!)

    APK

    P.S.=> I like knowing Malwarebytes' hpHosts verified my code = Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ along w/ Google's VirusTotal & ~60 antivirus programs verifying it's clean in the 2nd link... apk