App Maker's Code Stolen in Malware Attack (bbc.com) 73
Mac and iOS software developer Panic has had the source code for several of its apps stolen. An anonymous reader writes: Panic founder Steven Frank said in a blog post that it happened after he downloaded an infected copy of the video encoding tool Handbrake. He said there was no sign that any customer data was accessed and that Panic's web server was not affected. Users have been warned to download Panic's apps only from its website or the Apple App Store. Panic is the creator of web editing and file transfer apps Coda and Transmit, and the video game Firewatch. On May 2, Handbrake was hacked, with the Mac version of the app on one of the site's download servers replaced by a malicious copy. In what Mr Frank called "a case of extraordinarily bad luck", he downloaded the malicious version of Handbrake and launched it "without stopping to wonder why Handbrake would need admin privileges... when it hadn't before. And that was that, my Mac was completely, entirely compromised in three seconds or less."
company name is panic (Score:4, Funny)
Don't Panic (Score:1, Troll)
At this point I think the better advice is simply:
Don't [use] Panic
Re: (Score:3)
The problem is now it may not be that easy to identify legitimate releases from malicious distribution.
We had this problem back in the shareware day. Renegade BBS software got this treatment, and that plus Cott Lang's unusual versioning scheme based on month as the first couple of numbers made it difficult to determine if a downloaded copy of Renegade was actually Lang's software or if it was compromised and had backdoors that the malicious party had created to later exploit when calling into one's BBS.
Per
Re: (Score:2)
Re: (Score:2)
Anyone remember the old game Apple Panic?
That was a really good malware target.. (Score:5, Insightful)
Although as he said you might wonder why a video encoder would need admin access to a computer, I have to admit that I myself would have been taken in by this from a lifetime of being conditioned that various video players always seem to need system access...
That made Handbrake a really good target for malware as it was more likely people would not question admin access nearly as much.
Re: (Score:2)
Eh. It's not really marketing to say that OSX is less at-risk to viruses, because there simply are less viruses and other malware for the platform since its marketshare is smaller. I've never seen marketing that actually states that it was safe from viruses, or marketing that really talks about viruses in any way really.
The, "...more elite, fashionable, and intelligent person for using one..." part is all over the place though.
Re: That was a really good malware target.. (Score:1)
Then you never watched those "I'm a Mac, I'm a PC" commercials.
Whatever happened to (Score:2, Funny)
Certain computers never getting hacked, malware, or virused up?
Re:Whatever happened to (Score:5, Informative)
Certain computers never getting hacked, malware, or virused up?
Except that has never ever been true, except to the OS zealots who tie their personal identity to their chosen platform like some weird religious devotee.
It's funny, I've gotten into arguments on slashdot for this exact thing, by people who were so offended when I said that their favourite OS (no matter what it is) isn't a perfect panacea. They went so far as to accuse me that I "don't know security" because, for example, I disagreed that just using FreeBSD didn't make that automagically immune to security threats.
What happened to Mr. Frank is a perfect example of what I was talking about. It doesn't matter how secure you think your OS is, because there is *always* a way to compromise it. Even if your OS isn't directly exploitable, an application you run on top of it may be. If not, the meatspace component certainly still is.
All it takes is a single mistake, a single lapse in judgment for something potentially catastrophic to happen.
There is no such thing as perfect security. All you can do is put up more barriers than a malicious actor has the patience to tear down. That includes appropriate training for people. Anyone who tells you different is either grossly misinformed, or is trying to sell you something.
Re: (Score:3)
Agreed in general. However, in that precise case, it is not true.
Windows has always had a model of "download whatever you find on the internet and run it". So most people only know that model and that hurts (when you download handbrake).
On Linux (and progressively MacOS), you would almost never download something from a website and execute it. You download software with yum or apt and that should make sure that (unless it is compromised, but it is much harder) :
Re: (Score:2)
You are absolutely correct. The attack footprint on various *NIX systems is definitely lower than it is for Windows.
But there is a huge difference between "certain software are more dangerous than others" and "my favourite software is completely immune!"
I just wanted people to understand that no matter what OS you use, you *still* need to be mindful of security. If a Linux system is running some version of httpd that turns out to have a zero day vulnerability, you're still at risk, for example. Maybe you
Re: Whatever happened to (Score:1)
We call those special repositories that you need to go to for software to install walled gardens. Unix and the Mac OS are special, in that there isn't as robust an ABI so much software won't run. You can call it a virtue or a weakness.
Years ago I remember being in the cashier's line at a CompUSA. There was a crying young boy behind me in the line. His mom was trying to explain that they had a mac and couldn't run the game that he wanted.
Re: (Score:2)
Well, there is - but you won't like it.
Step 1. Disconnect computer power cable.
Step 2. Physically destroy all storage devices.
Re: (Score:3)
It doesn't matter how secure you think your OS is, because there is *always* a way to compromise it... There is no such thing as perfect security.
I'm glad you put this. Although, my preferred way of saying it is, "security" is not about making unauthorized access impossible. Short of completely and irrevocably destroying something, you can't make unauthorized access to it impossible. Security is about making unauthorized access difficult, dangerous, easily discovered, and otherwise unappealing.
If you want to get more precise (and don't mind a little complication) it's about achieving a favorable balance between "making it difficult for unauth
But... (Score:1, Flamebait)
Re: (Score:2)
And a trojan, whatever OS your computer may be running, is only possible because of the weakest link in the chain: the [voice="Tron Legacy:Jarvis"]user[/voice].
Re: (Score:2)
That's the number for "Web Developer Survey Results 2016". Of course the results will be skewed compared to regular users.
If you look at the "Desktop/Laptop operating system browsing statistics", macOS is at 11.59% for all versions. The total number for Windows 7 and up is 78.87%.
Re: (Score:2)
Re: (Score:2)
MacOS is an inherently harder target. Windows originally had no security, and Microsoft has always emphasized backwards compatibility. Apple has, on several occasions, thrown away backwards compatibility and redesigned from a clean slate. For security, the biggest change was going from OS 9 to OS X in 2001.
Re: (Score:2)
Re: (Score:2)
This is the first compromise that I'm aware of Handbrake having this year, and they do sign their releases. They've done so for years, in fact. Updates that occur via the built in updater check that the signature matches what's expected. In this case, however, the user downloaded the file directly from the affected mirror without checking the signature, hence why it didn't matter.
Re: (Score:2)
How can you not check the signature? If it's not signed, macOS already puts up an unknown application dialog and refuses to run i
Re: (Score:2)
The problem is Handbrake isn't a signed app, period.
Actually, it is signed [github.com]. While they don't use an Apple Developer certificate, they still do cryptographically sign each release. All of that is in addition to providing SHA1 and SHA256 checksums [handbrake.fr].
As I said, the user didn't check the signature, and you're quite right that they blew by the warnings about the app being from an unidentified developer, given that those warnings already occur even with the official Handbrake releases. Even so, your claim that they don't sign their releases is entirely incorrect.
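The check this sub-thread says was skipped, as an added example that is not part of the original thread and is not Handbrake's own tooling: it streams a downloaded image through SHA-256 and compares the result with a published checksum list. The `<digest>  <file name>` list format, the file names and the sample bytes are constructed assumptions, and the list must be fetched from a source other than the mirror that served the download.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksum_list(text):
    """Parse '<hex digest>  <file name>' lines (assumed sha256sum-style format)."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        # Accept only well-formed SHA-256 values; skip anything else.
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            expected[name] = digest
    return expected

def verify_download(path, checksum_text):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at path."""
    expected = parse_checksum_list(checksum_text).get(Path(path).name)
    if expected is None:
        return "unlisted"  # no published value: unverified, do not launch
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    """Constructed sample: a release image, then a swapped copy with the same name."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "Example-1.0.dmg"
        image.write_bytes(b"genuine release bytes")
        published = f"{sha256_file(image)}  {image.name}\n"
        genuine = verify_download(image, published)
        image.write_bytes(b"genuine release bytes plus implant")
        swapped = verify_download(image, published)
        stray = Path(tmp) / "Other.dmg"
        stray.write_bytes(b"x")
        return genuine, swapped, verify_download(stray, published)

if __name__ == "__main__":
    print(demo())
```

A matching hash only shows the file equals what the list describes; a signature check additionally ties the release to the project's key.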
But ... BUtttttt ...... (Score:1)
.... they told me that Macs are immune
Re: (Score:2)
In windows you don't need the user to supply the admin password. Windows will do that for you.
That's not been true for quite some time. Time to upgrade. Or keep your posts relevant to 2001. Your choice.
Re: (Score:2)
His dev box was infected. If you're using dev boxes as mission critical computers, you're the one with issues.
Re: (Score:2)
Yeah what an idiot. A video transcoder had no business on a Dev box. It's right up there with those idiots who install compilers and IDEs. Have some brains developers.
Re: (Score:2)
How do you copy&paste code from stackoverflow when your developer machine is not connected to the internet?
Remote clipboard sharing?
The idea that developer machines are not attached to the internet is close to absurd, only super high secure environments will do that. E.g. a friend of mine is working in a nuclear power plant on simple SQL stuff. They are not even allowed to bring cell phones inside.
So developer resources are limited to what is installed on the machines and paper manuals.
Why would one do tha
Re: (Score:2)
Re: (Score:2)
...you do realize that's how git works, right? Every dev box is its own repo, so of course he had a repo. That doesn't mean it's mission critical. Quite the opposite, it would suggest it's expendable.
Or perhaps you don't know what mission critical [wikipedia.org] means? It's not just things that are important to your business. It's the things that you can't operate without, like a cloud backend on which your SaaS [wikipedia.org] business operates, or a payment system without which you can't generate any income. Those are mission critical.
Same outcome for Linux users. (Score:2)
Reports are that all of Linus's code has also been posted to the Internet.
Re: (Score:2)
Malware on Apple? (Score:2)
Macs are susceptible to malware? My world view is shattered.
Re: (Score:2)
Macs are susceptible to malware? My world view is shattered.
Deliberately downloading malware infected software and installing it after being warned not to will compromise any system? My world view is shattered.