Handbrake Developers Issue Mac Security Warning After Mirror Download Server Hack

Discussion in 'Mac Blog Discussion' started by MacRumors, May 7, 2017.

  1. MacRumors macrumors bot


    Apr 12, 2001

    The developers of open source video transcoder app Handbrake have issued a security warning to Mac users after a mirror download server hosting the software was hacked.

    The alert was issued on Saturday after it was discovered that the original HandBrake-1.0.7.dmg installer file on mirror server download.handbrake.fr had been replaced by a malicious file.

    The affected server has been shut down for investigation, but developers are warning that users who downloaded the software from the server between 14:30 UTC May 2 and 11:00 UTC May 6 have a 50/50 chance of their system being infected by a trojan. "If you see a process called 'Activity_agent' in the OS X Activity Monitor application, you are infected," read the alert.

    To remove the malware from an infected computer, users need to open up the Terminal application and run the following commands:

    [*]launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

    [*]rm -rf ~/Library/RenderFiles/activity_agent.app

    [*]if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
    Users should then remove any installs of the Handbrake.app they have on their system. As an extra security recommendation, users should also change all the passwords that may reside in their OSX KeyChain or in any browser password stores.

    The malware in question is a new variant of OSX.PROTON, a Mac-based remote access trojan that gives the attacker root-access privileges. Apple updated its macOS security software XProtect in February to defend against the original Proton malware. Apple initiated the process to update its XProtect definitions on Saturday and the update should already be rolling out to machines silently and automatically.

    Handbrake users should note that the primary download mirror and the Handbrake website were unaffected by the hack. Downloads via the application's built-in updater with 1.0 and later are also unaffected, since these are verified by a DSA Signature and won't install if they don't pass. However, users with Handbrake 0.10.5 and earlier who used the application's built-in updater should check their system, as these versions don't have the verification feature.

    For reference, HandBrake.dmg files with the following checksums are infected:
    SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 / SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

    (Thanks, Alfonso!)

    Article Link: Handbrake Developers Issue Mac Security Warning After Mirror Download Server Hack
  2. Quu macrumors 68030


    Apr 2, 2007
    These developers really need to setup a deamon of sorts which tests the SHA1 hash of these binaries every few hours or release their wares on the App Store.
  3. MH01 Suspended


    Feb 11, 2008
    Point is, we are getting targeted and people should be vigilant . He usual crowd will put their heads in the sand and blame the end user.

    Be it a PC or a Mac , be careful and think.
  4. sudo1996 Suspended


    Aug 21, 2015
    Berkeley, CA, USA
    Isn't Apple's code signing supposed to protect against this? Or are they not signing their builds? Or did their key get stolen?
    --- Post Merged, May 7, 2017 ---
    No need for that exactly. Registered Mac developers can sign their code and distribute it anywhere. Most seem to do that.
  5. Quu macrumors 68030


    Apr 2, 2007
    That isn't secure enough because any developer can register for $99 (and the malware authors do too) then they just re-sign their new binary with the bought certificate and as-long as no one notices it will fly under the radar.

    The developers themselves need to maintain hashes are correct.
  6. T'hain Esh Kelch macrumors 601

    T'hain Esh Kelch

    Aug 5, 2001
    Fool me once, fool me twice... The Handbrake team really need to step up their game here!
  7. Shirasaki macrumors 604


    May 16, 2015
    Been not using this app for a long time. Maybe I need to keep not using it a bit longer.
  8. Markoth macrumors 6502


    Oct 1, 2015
    Behind You
    SHA1 has been shown to have weaknesses. As other have said, binary signing takes care of this. Some dev just don't want to have to shell out $99 a year for a dev membership just for the certificate, which I can understand.
    Apple bans any accounts that do these sort of things fairly quickly, but I suppose you do have a point.
  9. gnasher729 macrumors P6


    Nov 25, 2005
    You can do that as a malware developer, but Apple will have information about you. If my app had problems, Apple could send someone to my home if they felt that was the right thing to do. They have the name of my company, companyhouse in the UK who holds information about all UK companies has my company's address and my name and home address, they have delivered mail there so they know where I am. It's not just $99 to register, Apple checks and keeps information about the developer.
  10. Rigby, May 7, 2017
    Last edited: May 7, 2017

    Rigby macrumors 601

    Aug 5, 2008
    San Jose, CA
    The Mac binaries are not signed (see here). The Windows binaries are signed though. I guess they want to avoid the cost for yet another certificate (you can't use Microsoft authenticode certs to sign MacOS applications). Let's not forget that this is an open source project made by volunteers. Also note that they encourage people to verify their downloads via the checksums on the download page. This is generally a good practice.
  11. KALLT macrumors 601

    Sep 23, 2008
    It is GPL-licensed software. Apple likely won’t allow that. I am also not sure if Apple would allow such software in the first place.
  12. Larry The L Suspended

    Jun 9, 2016
    good idea. even if the problem has been found, is being addressed, and the problem is being resolved and you need the program, don't use it. And don't use any other app as it also might be infected and you don't know about it.
  13. xbjllb macrumors 65816


    Jan 4, 2008
  14. folp02 macrumors newbie

    Feb 28, 2008
    Are you infected if the "activity agent" is not running? My checksum matches SHA1. I haven't used handbrake in years, so I do and get this!

    cheers all,
  15. Quu, May 7, 2017
    Last edited: May 7, 2017

    Quu macrumors 68030


    Apr 2, 2007
    That's nice and all but these criminals do find ways to get businesses registered fraudulently. Remember that the app store is accessible worldwide which makes it easy for criminals to make up details about being somewhere that Apple is not familiar with.

    And it does and has happened, malware has been found on Windows and macOS both with official certificates. https://www.infosecurity-magazine.com/news/apple-revokes-cert-for-mac-trojan/

    Am I advocating against certs? hell no, they're useful. But it's not a silver bullet. Developers need to check their own binaries and often.
  16. Michaelgtrusa macrumors 604

    Oct 13, 2008
    I did post this in the Mac app section on saturday.
  17. sudo1996, May 7, 2017
    Last edited: May 7, 2017

    sudo1996 Suspended


    Aug 21, 2015
    Berkeley, CA, USA
    Yes, that is a problem. App Store would fix that for the most part. Unfortunately, as much as I'd like to use the App Store, it's so glitched that I avoid it at all costs.
    --- Post Merged, May 7, 2017 ---
    TBH, I've never manually verified binary checksums, and I know that I should, but I'm lazy. There needs to be a nicer way of doing this because people either don't know or don't care enough to bother opening up a shell or something to compute the hash. Also, using checksums on the download page relies on their site not being hacked.
    --- Post Merged, May 7, 2017 ---
    Interesting. Looking around online, it seems that Apple doesn't allow it, and the GPL likely doesn't either.
    --- Post Merged, May 7, 2017 ---
    Plenty of devs do sketchy stuff. They used to keep releasing those Nintendo emulators for iOS, not on the App Store but through a website. I'm sure they have ways to remain anonymous. Probably registered to some random company in Russia.
  18. groovyd macrumors 65816


    Jun 24, 2013
    what a non-sensical name and even more confused icon for a tool that transcodes video. why can't people name and iconify things anymore that actually indicates what they do in some small part?
  19. zooby, May 7, 2017
    Last edited: Jul 10, 2017
  20. flyinmac macrumors 68040


    Sep 2, 2006
    United States
    They can't publish GPL / Open Source titles in the Mac App Store as Apple's terms and conditions violate open source rules.

    Apple would need to provide a separate open source section that doesn't require the downloaded to agree to any of Apple's terms and conditions.

    A good brief explanation can be read here:

  21. Gannet macrumors newbie

    Dec 20, 2009
    Handbrake is an excellent program that has served me well over the years and I have great respect for the developers. Security slip-ups can happen to anyone and I'm sure they will take the necessary measures to improve this for future.

    That said, I'm posting because I nearly got caught by this. I download Handbrake last week and was surprised to see a dialog on launch asking me to enter my password to "install additional codecs". As a longtime Handbrake user I was certain that this was *not* normal, so I declined. Shortly afterword I was shown another dialog, independent from Handbrake, purporting to be from the system "Network Configuration" which needed my password to "update DHCP settings". As this was also something I was unfamiliar with, I again declined but the dialog immediately reappeared upon clicking cancel and I had to restart the computer to make it go away. So yeah, if you see any suspicious password dialogs, do NOT enter your password.

    Attached Files:

  22. cashinstinct macrumors newbie

    Jun 16, 2011
    Many developpers would have simply not said anything.

    I applaud them for telling it like it is, and finding solutions.

    Pretty sure many apps are affected by such issues, but either they don't find out / don't say to their users.
  23. unixkid macrumors regular

    Jan 25, 2004
    It's pretty sad to see history repeat it self again... Much like the inept developers of Transmission BitTorrent. These devs likely reject the best practice of cryptographically signing their releases because they either don't care or don't even know how to use PGP. It's pretty clear how useful Gatekeeper is when used outside the Mac Appstore, based on the number of times Transmission BitTorrent got hacked... Source
  24. UL2RA Suspended

    May 7, 2017
    You'd think they would've learned from Transmission's mishap. I guess not.
  25. IJ Reilly macrumors P6

    IJ Reilly

    Jul 16, 2002
    If you rely on the suspicion system of security it is only a matter of time before you get hosed. These hackers are good at looking not suspicious, and the meaning of these dialog boxes is far from clear, making it close to impossible for most users to tell one that's legitimate from one that is not.

Share This Page