One Hacker Could Have Taken Control of Macs Used by IT Professionals
Underneath all the shiny gloss of High Sierra and Mojave, macOS is Unix. One reason sysadmins, developers, and even security experts use macOS is that they get Unix tools and utilities along with Apple’s polish. However, unlike its cousin Linux, macOS doesn’t ship with a massive library of Unix software. You can fire up the terminal and use rsync, dd, or cron, but if you want more languages and packages you need to install a third-party package manager. Homebrew is one of the most popular package managers for macOS. It’s fully open source and puts a huge range of packages at the disposal of macOS users. However, a single exposed credential in Homebrew’s infrastructure could have given a bad actor control of all those shiny MacBooks.
A security researcher named Eric Holmes discovered that Homebrew had left a GitHub API token exposed in plaintext.
“This is essentially an access key that, when inserted into web requests made to Homebrew’s GitHub account, tells the server what access rights to grant to those requests,” said Paul Ducklin, Senior Security Advisor at Sophos.
Once he had the token, Holmes used it to gain read-and-write access to Homebrew’s GitHub repositories. With that access he could have tampered with almost every package Homebrew distributes, infecting every user who installed or upgraded software through it. What’s more worrying is that the most downloaded Homebrew package in the previous 30 days was ‘openssl’, the cryptographic library that secures network connections (TLS): a backdoored build of it would have reached an enormous number of machines and undermined the very connections users rely on for security. Holmes reported the exposure to the Homebrew maintainers, who fixed it within hours.
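The incident above is a plaintext credential turning up where the public can read it. As an added example (not part of the original article, and not Homebrew’s own tooling), here is the kind of scanner a project can run over its build logs and environment dumps before publishing them. The log lines and token values are constructed for this example and are not real credentials. One caveat built into it: at the time of the incident GitHub tokens were 40 hexadecimal characters, which look exactly like a git commit SHA, so the hex pattern is only reported when the same line also contains a credential-like keyword; the newer `ghp_`-style prefix (introduced by GitHub later) is unambiguous and is flagged on its own.

```python
import re
from dataclasses import dataclass

# Constructed sample of a CI log with an env dump and a curl trace.
# Every value here is made up for this example; none is a real credential.
SAMPLE_LOG = """\
[build] Cloning into 'homebrew-core'...
[build] HEAD is now at 3f2a1b9c0d4e5f6a7b8c9d0e1f2a3b4c5d6e7f80 openssl: update bottle
[env] PATH=/usr/local/bin:/usr/bin:/bin
[env] HOMEBREW_GITHUB_API_TOKEN=0123456789abcdef0123456789abcdef01234567
[curl] > Authorization: token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
[build] Pushing bottle to github.com/Homebrew/homebrew-core
"""

# Prefixed GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_ + 36 alphanumerics)
# are distinctive enough to report wherever they appear.
PREFIXED_TOKEN = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")
# Classic 40-hex tokens are indistinguishable from commit SHAs, so they are
# only reported on lines that also carry a credential-ish keyword.
HEX40 = re.compile(r"\b[0-9a-f]{40}\b")
CREDENTIAL_CONTEXT = re.compile(
    r"(?i)(token|secret|passw(?:or)?d|authorization|api[_-]?key|credential)"
)


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the scanned text
    kind: str    # which pattern fired
    value: str   # the matched secret (do not write this to your own logs)


def find_secrets(text: str) -> list[Finding]:
    """Return every token-shaped string in `text`, in order of appearance."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PREFIXED_TOKEN.finditer(line):
            findings.append(Finding(lineno, "github-prefixed", m.group(0)))
        if CREDENTIAL_CONTEXT.search(line):
            for m in HEX40.finditer(line):
                findings.append(Finding(lineno, "github-classic-hex", m.group(0)))
    return findings


def redact(text: str) -> str:
    """Replace each finding with a marker, keeping the first four characters
    so a reader can tell which credential leaked without re-leaking it."""
    out = text
    for f in find_secrets(text):
        out = out.replace(f.value, f.value[:4] + "[REDACTED]")
    return out


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_LOG):
        print(f"line {f.line}: {f.kind} ({f.value[:4]}...)")
    print(redact(SAMPLE_LOG))
```

Run on the sample, the scanner flags the env dump on line 4 and the `Authorization` header on line 5, and leaves the commit SHA on line 2 alone. A scanner like this is a safety net, not a substitute for keeping tokens out of logs in the first place; a token that has already been printed should be treated as compromised and revoked, as Homebrew did.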
The moral: just because something is open source does not mean it is safe. Open source projects still need to follow security best practices, such as never exposing access tokens in plaintext and limiting what any single token can do, and take extra precautions with anything that can push code to their users.