Git != GitHub

The wording in the MacRumors article is incorrect. They never said they use an externally hosted Git service like GitHub, only that "git credentials" were stolen. It's extremely unlikely they're using an external Git hosting service and much more likely that they're running their own internal Git server.

Thanks for pointing out this error. I've updated the article. For everyone who's reading this, Panic didn't say Github was being used -- I misread the blog post.
 
I agree that sometimes the App Store feels restrictive, but this is how Panic got the virus, because Handbrake isn't available on the App Store.
The App Store isn't bulletproof. There have been cases of infected Xcode distributing malware, and Apple wasn't aware of it for a long time.
 
I love how everyone gets high and mighty when someone else gets hacked.

It's like programmers who like to point to bad documentation: the reason there's so much to point to is because it's a pain to do and literally nobody does it perfectly, including you.

Use this opportunity to review your personal security measures to minimize the chance that you're next and be thankful that Panic has been so open about this so that it's less likely that the next article we read is someone getting hacked because they were using a "free" version of Transmit.
 
So the hackers have the source code? I'll pay the ransom if they figure out how to finally add Panic Sync to Transmit

I would guess that Panic Sync will arrive in the next release. Give me that and touch bar support and I'm all in.

So many other devs I know use FileZilla and I just don't get it. Transmit is a fantastic program. I'd really like to try Coda on my iPad Pro. Anyone use it?
 
Someone has already replied specifically why Handbrake cannot be distributed via the Mac App Store.

In short: the reason they gave was "GPL licensing. Apple don't allow it."

It's not Apple not allowing it, it's the GPL license that's incompatible.
 
Well..... technically ripping DVDs you own that have anti-piracy software on it is also illegal.
Only in some countries. I have been using Handbrake to work with my own files. Coda could use it for finishing some demo/promo videos or App Store app previews (for their iOS apps).
I'd really like to try Coda on my iPad Pro. Anyone use it?
I am not a web developer and use it only for occasional edits of my S3 based site. I think it's a great app and you won't be disappointed.
 
I'm not that much worried about receiving a malware-infected version of the Panic apps. I'm sure Panic will do anything they can to prevent that. But since the source code got out of hand, I'm more worried that bad people could now use discovered security holes in the apps to attack or hack me. Therefore I'm now going to switch from Transmit and Coda to different apps. Can't take any risk.
 
Just deleted all my Panic apps. Why? Because I'm afraid the hackers will be pushing malware versions of Panic apps through normal update channels. Regarding Panic's data protection procedures, they seem to suck hard. Why on earth are they not running something like Bitdefender?!? It's probably the fastest anti-virus program with an awesome detection rate. No proper firewall either for outgoing traffic. Idiots! Even Little Snitch would have stopped the malware in its tracks. The one responsible for this mess should be hanged... not literally, but severe action needs to be taken.
 
Probably an idea to just give it away now. If it's free from their site it won't be downloaded elsewhere.
Are you saying they should just throw in the towel on these apps, on the chance that they won't make any more money on them? Should they also continue to work on maintaining and updating them, for free? Or should they just abandon the current versions, put them up on their website, and move on to something else?
I'm more worried that bad people could now use discovered security holes in the apps to attack or hack me. Therefore I'm now going to switch from Transmit and Coda to different apps. Can't take any risk.
How do you know that the apps you switch to haven't previously leaked and those developers simply haven't been as transparent about announcing that they were hacked? "Can't take any risk" doesn't work - there is always risk, the problem is recognizing and understanding all the risks.
 
So now I think the real question is, what's more likely: that Panic will finally get their heads out of their asses and update their UI-boondoggle-laden Transmit app with Panic Sync support, which is sadly still the best bet those of us doing real web development work on Mac have at a fully featured, standards-compliant graphical SFTP/SSH client, or that some hackers will go ahead and take care of that for them?
 
So I know there are legitimate reasons to use Handbrake (I used it myself to create electronic versions of physical media I own) but I also know that there are probably more Handbrake users involved in piracy than not.

I'd take that bet.

For piracy only *one* person has to rip the disk. Everybody else just conveniently downloads/streams it from the web. They don't even know what Handbrake is.
 
Probably an idea to just give it away now. If it's free from their site it won't be downloaded elsewhere.
(a) It'll be last week's version that might become available for free on the Internet. It's already missing one week of bug fixes and improvements, and in a few months it will be missing even more; it only gets less valuable over time.
(b) You can already get cracked versions on the Internet for free (as with almost all applications).
(c) The risk that any copy compiled from stolen source code will contain malware might even be greater than for cracked copies of binaries.
Not that I wish anything bad on anyone but am I the only one wondering why he was downloading a utility like Handbrake onto a machine with the company source code. Seems like that was not the wisest move.
You have not read the full description of the events that occurred. The code was all downloaded from a (Git) repository on a server, but the computer that was affected had the access credentials for this repository stored. Essentially, a private computer of one of the founders of the company had been used at some point in the not-too-distant past to log onto the repository. But the attacker did not even get all the source code, because it had to guess the repository names (which indicates that this computer had not been used to actually download most of the repositories).

Sure, you can get on that high horse and say that a work computer should never be used for any private stuff or vice versa but tell me how strictly that is really adhered to outside of the NSA? And even then, there is no saying that a small company like Panic might not occasionally need Handbrake on their work computers to, eg, create instruction or promotional videos.
I'm not that much worried about receiving a malware-infected version of the Panic apps. I'm sure Panic will do anything they can to prevent that.
If you get your Panic apps through proper channels (their website, App Store), having had source code stolen can in no way affect the apps. The only thing it might do is to make hiding malware in 'pirated' copies easier.

But since the source code got out of hand, I'm more worried that bad people could now use discovered security holes in the apps to attack or hack me. Therefore I'm now going to switch from Transmit and Coda to different apps. Can't take any risk.
Any attacker would still need to make contact with the Transmit or Coda binaries, eg, by sending you a file that is then opened in Coda. But if somebody can trick you into opening a malicious file, you have essentially already lost.
 
I agree that sometimes the App Store feels restrictive, but this is how Panic got the virus, because Handbrake isn't available on the App Store.

True, but I would imagine Apple wouldn't allow Handbrake on the App Store even if Panic made the application because of the nature of what that software does. Also do we really want to see Mac apps go the way of iOS where Apple heavily dictates what software can and cannot do? Freedom comes with dangers. Precautions must be taken to the extent they can, but I also do not want to be coddled by another who decides what I need or want and don't need or want. I think this is a demonstration of maybe lax security precautions on Panic's part. This could have been prevented even if it wasn't on the Mac App Store. One should never assume downloaded s/w is clean in today's climate. IIRC even some iOS s/w on the iOS App Store in China was infected within the last year. So even Apple is not completely immune.
 
I really like Panic apps. I bought both Coda and Transmit; my only regret is when they pulled Coda from the App Store and made it only available through their website. Maybe it's time to put it back on the App Store.
Anyway, they don't deserve this, and they have my empathy and compassion for what they're going through.
The App Store doesn't allow a lot of the cross-application integration and system level access that you need... for web stack development apps that work with system setting files.
 
They basically traded usability for security. I understand their reasoning even if I don't fully agree with it. Allowing non-sandboxed apps and warning (aka educating) the user when they load these apps would be better.

This might work for more tech savvy users, but do you really expect the average user to understand the difference between sandboxed and non-sandboxed apps?

Unfortunately, Apple is forced to limit its store to sandboxed apps in order to avoid confusion because of consumer ignorance.


It's kept unlocked by default. When's the last time you entered your password to allow access to your Keychain?

I don't believe in root permissions. Things need to be sandboxed properly in this day and age...

Any suggestions for better user security?

I just started online banking and use 1Password with unique, long, randomly generated passwords for every account and website, but I still feel uneasy.
 
Regarding Panic's data protection procedures, they seem to suck hard. Why on earth are they not running something like Bitdefender?!? It's probably the fastest anti-virus program with an awesome detection rate. No proper firewall either for outgoing traffic. Idiots! Even Little Snitch would have stopped the malware in its tracks. The one responsible for this mess should be hanged... not literally, but severe action needs to be taken.

Not a single anti-malware program spotted this malware on time. The passwords were stolen before anyone even knew what was going on. That is how malware and malware detection works in the real world.

Properly using a “firewall” for outgoing traffic is hard and cumbersome. I know, because I am using Little Snitch myself. The chance that I will notice if a trusted program starts connecting to malicious servers is far too low. I’d wager for most people this would not provide reasonable protection.

The problem could have been avoided differently: it seems that the developer put all eggs in one basket, i.e. used a single Mac and a single user account (admin account). They made themselves vulnerable to pretty much any kind of attack. They ought to have used separate user accounts as a minimum, even a separate administrator account to restrict root access.
 
I'm not that much worried about receiving a malware-infected version of the Panic apps. I'm sure Panic will do anything they can to prevent that. But since the source code got out of hand, I'm more worried that bad people could now use discovered security holes in the apps to attack or hack me. Therefore I'm now going to switch from Transmit and Coda to different apps. Can't take any risk.
You shouldn't use macOS in the first place, then. After all, Apple publishes the sources of Darwin and XNU, the foundations of macOS. You shouldn't use Safari either (nor Firefox nor Chrome), as the source code of their engines, WebKit, Gecko and Blink, is freely available.
 
So, it's Apple's App Store policies that are incompatible with / violate GPL licensing...

No, it is App Store terms of use and GPL being at odds with each other. They have mutually-exclusive requirements; you cannot comply with both at the same time.
 
You have not read the full description of the events that occurred. The code was all downloaded from a (Git) repository on a server, but the computer that was affected had the access credentials for this repository stored. Essentially, a private computer of one of the founders of the company had been used at some point in the not-too-distant past to log onto the repository. But the attacker did not even get all the source code, because it had to guess the repository names (which indicates that this computer had not been used to actually download most of the repositories).

Sure, you can get on that high horse and say that a work computer should never be used for any private stuff or vice versa but tell me how strictly that is really adhered to outside of the NSA? And even then, there is no saying that a small company like Panic might not occasionally need Handbrake on their work computers to, eg, create instruction or promotional videos.
Apparently I may not have had an understanding of their setup. And I still don't.

However, I was not on my high horse. I was not being an ass. I was on a common sense horse. Sorry if my rudimentary understanding of the situation offended your Holmesian sensibilities.
 
Apparently I may not have had an understanding of their setup. And I still don't.

However, I was not on my high horse. I was not being an ass. I was on a common sense horse. Sorry if my rudimentary understanding of the situation offended your Holmesian sensibilities.
What is there to not understand?
1) A personal computer with Handbrake installed got affected.
2) This computer had login credentials for a Git repository on a server on which the source code was stored.
3) The attacker used those credentials to download the source code directly from the Git server.
4) The names of the individual repositories were not obtained from the infected computer but by guessing, strongly implying that they had not been checked out to the infected computer at the time of the infection.

That is how it is described in plain English in the blog post.
Not a single anti-malware program spotted this malware on time.
Define 'on time'. Technically, 'on time' would mean before a single computer is infected. Or rather, before a single computer outside of the pool of test computers got attacked. But how could an anti-malware author ensure that his or her computers get attacked before anybody else's? You can run honeytraps, but in this case that wouldn't have helped.

I think the real yardstick is whether anti-malware apps detect something before the general media (like Macrumors) report about it. Or before X computers get infected.
Properly using a “firewall” for outgoing traffic is hard and cumbersome. I know, because I am using Little Snitch myself. The chance that I will notice if a trusted program starts connecting to malicious servers is far too low. I’d wager for most people this would not provide reasonable protection.
What should one do if, e.g., Handbrake asks to connect to something called edge-analytics.com? You could clamp down on anything that is not the domain of the software vendor. But who remembers all the domains for all their applications? Adobe products still frequently phone home to macromedia.com; refusing all such other-domain requests could easily block things like software update checks.

The only consolation is that lots of malware chooses to stay inactive when it detects an installation of Little Snitch. Probably to reduce the risk that somebody would see a Little Snitch request and report it to the relevant authorities.
The problem could have been avoided differently: it seems that the developer put all eggs in one basket, i.e. used a single Mac and a single user account (admin account). They made themselves vulnerable to pretty much any kind of attack. They ought to have used separate user accounts as a minimum, even a separate administrator account to restrict root access.
The attacker tricked the developer into entering their admin password. Once that is done, it doesn't really matter what account is launching the infected app.
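The chain laid out above hinges on a personal computer holding stored credentials for the company's Git server. The following is an added example, not code from the thread or from Panic: a POSIX shell check that reports whether a home directory keeps Git logins in the clear (the `store` credential helper and its `~/.git-credentials` file). The directory argument and the sample files are assumptions made for the demonstration.

```shell
#!/bin/sh
# git_cred_audit [HOME_DIR]  (defaults to $HOME)
# Prints what it finds and returns the number of findings: 0 means no
# plaintext Git credential storage was detected under that home directory.
# Added example for this thread; constructed, not Panic's or Git's own tooling.

git_cred_audit() {
    home="${1:-$HOME}"
    findings=0

    # 1. Which credential helper is configured in ~/.gitconfig?
    #    "store" writes user:password pairs to disk in plaintext;
    #    "osxkeychain" (macOS) keeps them in the system keystore instead.
    helper=$(awk '
        /^\[credential/ { in_cred = 1; next }
        /^\[/           { in_cred = 0 }
        in_cred && /^[ \t]*helper[ \t]*=/ {
            sub(/^[ \t]*helper[ \t]*=[ \t]*/, ""); print; exit
        }
    ' "$home/.gitconfig" 2>/dev/null)

    case "$helper" in
        store) echo "credential.helper=store: secrets are written to disk in plaintext"
               findings=$((findings + 1)) ;;
        "")    echo "no credential.helper configured in $home/.gitconfig" ;;
        *)     echo "credential.helper=$helper" ;;
    esac

    # 2. The plaintext store file itself, whatever the current helper setting:
    #    each line looks like scheme://user:password@host, so count those.
    if [ -f "$home/.git-credentials" ]; then
        n=$(grep -c '://[^/@]*:[^/@]*@' "$home/.git-credentials" || true)
        echo "$home/.git-credentials present with $n stored login(s)"
        findings=$((findings + n))
    fi

    return "$findings"
}
```

A clean result here says nothing about secrets already sitting in an unlocked Keychain, which an earlier post notes is the default state; it only flags the on-disk stores that any process running as the user can read.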
 