Last week, “insane and plain weird” programmer Radek published an article on his blog that uncovered an oddly contained secret about the Mac OS X operating system. In his research, he discovered that the Sparkle update system used in a number of popular Mac applications, such as VLC media player, uTorrent, and Camtasia, fail to use the secure HTTPS protocol, instead opting for the much more vulnerable HTTP.
The unencrypted path makes it easy for hackers to take exploit traffic between the user and the server in both man in the middle and remote command execution attacks. Because of the way Sparkle allows for JavaScript execution by means of WebKit rendering, Radek says the attacks could leave users of both El Capitan and Yosemite at risk.
Related: MacPaw CleanMyMac 3 Free Trial
Moreover, if you’re wondering what an attack like this would look like it action, you’re in luck, as Radek took the time to shoot a video of exactly that:
Another researcher, Simone Margaritelli, expanded on to Radek’s discoveries by writing out some frighteningly easy-to-follow instructions as to how you, too, can perform an attack like this using the Metasploit exploit framework. The example he used was none other than the indisputably best media player in the universe, VLC.
While it’s presently unclear just how many apps this could affect, Radek went with the rough approximate count of “huge.” What we do know is that included in this list is Camtasia 2 v2.10.4, DuetDisplay v1.5.2.4, uTorrent v1.8.7, and Sketch v3.5.1. Computer forensics expert Jonathan Zdziarski added that the Hopper reverse engineering tool and DXO Optics Pro are also at risk, according to Ars Technica.
There’s even an extensive list of apps that utilize Sparkle, in case you were wondering, though not every single one of them operates over HTTP or take advantage of a susceptible framework.
To make things worse, Radek said that another Sparkle vulnerability also persist, albeit with less severity. By letting an assailant replace a standard update file with something a little more harmful, it can also be exploited in an aggression against the update servers.
While there is a solution to both vulnerabilities, neither is simple. In fact, Zdziarski reports that at least one developer is struggling to convert its app’s update servers to the more secure HTTPS channel configuration. Until every last one of them does, however, no one is safe.