Long-time software developer Panic alerted its customers on Wednesday via a blog post about the theft of a large portion of the source code to its Mac and iOS apps. The company maintains customer information and operates a sync service for passwords and accounts for some of its software, but its co-founder, Steven Frank, wrote in the post that private information wasn’t compromised. (We’ve asked Panic for comment, and will update this story if they have more to add.)
Frank fell afoul of a recent Trojan horse inserted into the popular Handbrake software that installed remote-control software on an infected Mac. The malware was used to exfiltrate Frank’s details to access the company’s code on its version-control server, although he writes that because the cracker had to guess at the names of code-storage groups, called repositories, they didn’t obtain everything.
Panic uses Stripe for its credit-card processing, and doesn’t pass through credit-card numbers nor retain the card details on its servers. Frank wrote that customer information and Panic Sync data wasn’t accessible, nor was Panic’s website compromised.
Panic Sync, used with its file-access software Transmit for iOS and three other apps, relies on end-point encryption that starts with a user-chosen master password, and the company never has access to encryption keys or unencrypted data. This is similar in mechanism to Apple’s iCloud Keychain, 1Password’s subscription service, and LastPass. As a result, even a full interception of the centrally stored sync data would be of no use to an attacker.
While this would appear to be a severe hack, in which a company’s most prized possession was stolen, Frank notes in his blog post that the key concern isn’t loss of business, but rather that a malicious party could create convincing versions of Panic apps that are either infested with malware or sold in an attempt to deprive Panic of revenue.
Frank expresses far less concern about its affect on Panic’s business. Not all the source code was stolen, and pirated versions already exist of its most-popular products. And while a competitor might use the code in their product, it would be hard to imagine a Mac or iOS developer making that dubious ethical or legal decision. If one did so, the odds of being discovered if used in a similar app would seem to be almost 100 percent. Further, its apps remain effectively in continuous development, meaning that any release derived from it would be out of date and potentially buggy.
As I’ve written on multiple occasions, the best way to immunize yourself from obtaining and installing malicious or pirated versions of software is to download releases only through an existing app’s internal update process, via a developers’ official website, or from the Mac App Store if the app is sold there. Avoid third-party update sites, which also often wrap downloads in adware.
IDG Handbrake software isn’t signed, which indicates you should use more diligence. But even signed software can be compromised through stolen develop certificates.
Of course, there’s a bit of irony there: Frank had his Mac compromised through a download from the Handbrake site, albeit one of the two mirrors operated for downloads. But he noted that the internal update failed, leading him to the website. Handbrake isn’t signed by an Apple certificate, as the makers don’t go through the Apple developer program, requiring a bypass of Apple’s Gatekeeper system. Finally, the malware asked for an administrative password to install, which Handbrake doesn’t need.
None of Frank’s decisions are unusual, and no obvious red flags leapt out. However, you can avoid a similar pitfall by taking more caution with apps developed by a single individual or small teams, especially if they’re distributed at no cost.
The vast majority of Mac apps developed by one or a few people, especially for free distribution, are perfectly fine. However, the only examples of compromised software in recent years are Transmission and Handbrake. Thus, any deviation from what you expect, like a failure of in-app download or additional privileges requested, should lead you to halt and contact the developers directly or via a support forum. You might be the canary in the coalmine that prevents a widespread impact from compromised software.
A signed app isn’t necessary a safe one. Transmission had its September 2017 subverted release signed by a developer—just not by the makers. A stolen certificate was used, which was repeated with a recent phishing attack that delivered a signed, but malicious package.
Whether such apps are signed or not, you should use extra protection. Patrick Wardle’s free (in beta) Block Block notifies you about launch-time daemons and other software installed. F-Secure’s (in beta and free for now) Xfence, formerly Little Flocker, prevents apps from reading, writing, and deleting files for the first time (or on subsequent occasions) without first gaining your permission. This can prevent ransomware, but it also alerts you to any odd activities, as with this remote-control malware installation.