
This article was published on February 9, 2016

    ‘Huge’ number of Mac apps are vulnerable to man-in-the-middle attacks

    Story by Bryan Clark, Former Managing Editor, TNW

    Many of OS X’s most popular apps were recently revealed to be vulnerable to man-in-the-middle (MiTM) attacks.

    The vulnerability affects apps that use Sparkle — a third-party software update framework — and fetch their update feeds over unencrypted HTTP connections.

    A security engineer from Vulnsec, known as Radek, said the vulnerability works on both El Capitan and its predecessor, Yosemite.

    The total number of apps affected isn’t known, but Radek did estimate the number to be “huge.” Some of those confirmed as vulnerable are:

    • Camtasia 2 (v2.10.4)
    • DuetDisplay (v1.5.2.4)
    • uTorrent (v1.8.7)
    • Sketch (v3.5.1)

    Additionally, security researcher Jonathan Zdziarski told Ars Technica that the ‘Hopper’ reverse engineering tool and ‘DXO Optics Pro’ are also susceptible.

    If you want to see the full list of apps that could be vulnerable to MiTM attacks, there is a list of apps that use Sparkle, here. It’s important to note, however, that not all of these apps fetch their updates over insecure HTTP, nor do they all use the same (vulnerable) version of Sparkle.

    The popular chat client Adium, for instance, uses Sparkle but communicates over HTTPS.

    If you’re running an app that could be vulnerable, the best thing to do is update it immediately. That said, end users have no real way of knowing what is vulnerable and the problem might not necessarily be solved with an update if the update still features HTTP communication and a vulnerable version of Sparkle.
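The article notes that end users have no easy way to tell which apps fetch Sparkle updates over plain HTTP. The check below is an added example written for this page, not code from TNW or the Sparkle project: it reads each app bundle's `Info.plist` for Sparkle's `SUFeedURL` key, flags feeds whose scheme is `http://`, and reports the bundled Sparkle framework version so an administrator can compare it against the fixed release. It builds constructed sample `.app` bundles in a temporary directory so it runs anywhere; point `audit_applications` at `/Applications` on a real Mac. The sample app names, URLs and version string are made up for the demonstration.

```python
import os
import plistlib
import tempfile
from urllib.parse import urlsplit

# Sparkle stores the appcast location under this Info.plist key.
FEED_KEY = "SUFeedURL"
# Relative path of the Sparkle framework's own Info.plist inside an app bundle.
SPARKLE_INFO = os.path.join("Contents", "Frameworks", "Sparkle.framework",
                            "Resources", "Info.plist")


def read_plist(path):
    """Parse an XML or binary property list into a dict."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def audit_app(app_path):
    """Classify one .app bundle by the scheme of its Sparkle feed URL."""
    result = {"app": os.path.basename(app_path), "feed_url": None,
              "sparkle_version": None, "verdict": "no-sparkle-feed"}
    info_path = os.path.join(app_path, "Contents", "Info.plist")
    if not os.path.isfile(info_path):
        return result
    info = read_plist(info_path)

    # Record the bundled Sparkle version when the framework ships with the app.
    fw_info = os.path.join(app_path, SPARKLE_INFO)
    if os.path.isfile(fw_info):
        result["sparkle_version"] = read_plist(fw_info).get("CFBundleShortVersionString")

    feed = info.get(FEED_KEY)
    if not feed:
        return result
    result["feed_url"] = feed
    scheme = urlsplit(feed).scheme.lower()
    if scheme == "https":
        result["verdict"] = "https-feed"
    elif scheme == "http":
        # Plaintext feed: an on-path attacker could tamper with the appcast.
        result["verdict"] = "PLAINTEXT-HTTP-FEED"
    else:
        result["verdict"] = "unknown-scheme"
    return result


def audit_applications(root):
    """Audit every .app bundle directly under `root` (e.g. /Applications)."""
    return [audit_app(os.path.join(root, name))
            for name in sorted(os.listdir(root)) if name.endswith(".app")]


def build_sample_apps(root):
    """Create constructed sample bundles so the audit can run offline."""
    samples = {
        "PlainFeed.app": {FEED_KEY: "http://updates.example.invalid/appcast.xml"},
        "SecureFeed.app": {FEED_KEY: "https://updates.example.invalid/appcast.xml"},
        "NoSparkle.app": {"CFBundleName": "NoSparkle"},
    }
    for app, extra in samples.items():
        contents = os.path.join(root, app, "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleIdentifier": "example." + app[:-4], **extra}, fh)
    # Give the HTTP-feed app a Sparkle framework with a constructed version string.
    fw_dir = os.path.dirname(os.path.join(root, "PlainFeed.app", SPARKLE_INFO))
    os.makedirs(fw_dir)
    with open(os.path.join(fw_dir, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": "1.0-constructed"}, fh)
    return root


def demo_findings():
    """Run the audit over the constructed samples; keyed by app name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_apps(tmp)
        return {f["app"]: f for f in audit_applications(tmp)}


if __name__ == "__main__":
    for finding in demo_findings().values():
        print(finding)
```

Two caveats when using this on a real system: an app can override the Info.plist feed URL at runtime through its Sparkle delegate, so a missing or HTTPS `SUFeedURL` is not proof of safety, and the script only reports the Sparkle version; compare it against the patched release yourself, since a plaintext feed is the flag that matters regardless of version.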

    Good luck out there.

    “Huge” number of Mac apps vulnerable to hijacking, and a fix is elusive [Ars Technica]
