Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Mac News > Researcher: MacKeeper software has critical security flaw

Researcher: MacKeeper software has critical security flaw
Thread Tools
NewsPoster
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
May 8, 2015, 03:02 PM
 
Controversial software package MacKeeper -- long a sore spot with veteran users due to its aggressive and fear-based advertising, reputation for causing more problems than it might solve, and deliberate difficulty and obfuscation when users want to remove it -- has often been labelled junkware, extortionware, trickware, or even a form of malware in its own right, despite the company's protestations. A security researcher has now found, however, that the program contains a critical security flaw that leaves users vulnerable to attack.

Earlier as well as the current versions of the software, now at v3.4, have a flaw caused by MacKeeper's ignoring of an Apple guideline regarding input validation for custom URLs -- the same technology that allows Mac and iOS users to tap on a phone number or date to launch a given application, or to create non-standard URLs such as direct iTunes links. Apple cautions developers that they must use input validation to be sure that the chosen URL is legit and not a specially-crafted malicious site, but MacKeeper's developers apparently disregarded that, creating a zero-day exploit that could wreak havoc if users accidentally click on a malicious URL.

Because MacKeeper, among other functions, sets itself up as a "security" package, it overrides normal controls and implements its own URL handler. As a result of the flaw, arbitrary code or commands could be executed with root privileges, opening the door to installing malware or essentially anything the attacker wished. Security researcher Braden Thomas, who discovered the flaw, has posted an amusing proof-of-concept that demonstrates how a crafted URL could take control of user's Mac without user interaction -- by creating a website which, if visited, will remotely uninstall MacKeeper.

It's not known if Thomas has notified the MacKeeper developers, ZeoBit, or its distributors Kromtech Alliance of the problem. ZeoBit claims that the software has been downloaded some 20 million times, though many of its ads trick users into unwillingly downloading the software in the hopes of being able to close the pop-up, which often blocks the main screen. How many paid users of the software there are is not known, but the software promises to remove "junk" and other items to "clean up" a user's Mac.

An investigation of the software by Mac-Forums found that it did do some of the advertised functions, but that everything the program did that was beneficial could also be done by a range of either built-in Mac utilities or free third-party programs that do not rely on "scareware" tactics. The analysis of the program found that while it was not itself malicious in nature, it was poorly executed even in its advertised functions, and when one added the extortionate fear-based advertising, poor product support, and deliberately-obtuse full removal difficulty, was a poor choice compared to excellent free third-party or Apple-included utility apps.

Instructions on how to fully remove MacKeeper can be found here, or users who have it installed can visit the proof-of-concept URL.
     
chimaera
Dedicated MacNNer
Join Date: Apr 2007
Status: Offline
Reply With Quote
May 8, 2015, 03:16 PM
 
For some reason, this story put a smile on my face. Cool.
     
donmontalvo
Fresh-Faced Recruit
Join Date: Oct 2009
Status: Offline
Reply With Quote
May 8, 2015, 03:57 PM
 
These developers should be cuffed and locked up for years.
     
OldMacGeek
Forum Regular
Join Date: Aug 2010
Status: Offline
Reply With Quote
May 8, 2015, 04:16 PM
 
A remote exploit that uninstalls the crapware, due to a flaw in the app itself? Genius!! It's too bad they'll probably fix it.
     
gskibum3
Fresh-Faced Recruit
Join Date: Nov 2006
Status: Offline
Reply With Quote
May 8, 2015, 05:50 PM
 
MacKeeper is itself a security flaw, regardless of this issue.
     
msuper69
Professional Poster
Join Date: Jan 2000
Location: Columbus, OH
Status: Offline
Reply With Quote
May 9, 2015, 02:16 AM
 
You don't need any crap like this on a Mac.
Unless you want to live the Windows experience.
     
Domtoren
Fresh-Faced Recruit
Join Date: May 2015
Status: Offline
Reply With Quote
May 9, 2015, 03:50 PM
 
Steer clear of MacKeeper.
     
Thorzdad
Moderator
Join Date: Aug 2001
Location: Nobletucky
Status: Offline
Reply With Quote
May 9, 2015, 05:41 PM
 
A security risk has a security risk? That's so meta.
     
drbroom
Fresh-Faced Recruit
Join Date: Dec 2006
Location: NY
Status: Offline
Reply With Quote
May 9, 2015, 09:14 PM
 
hahahahahahahahahahaha

MacKeeper IS MALWARE!!!!!! So this is just a redundant story!
     
Doc HM
Mac Elite
Join Date: Oct 2008
Location: UKland
Status: Offline
Reply With Quote
May 10, 2015, 06:35 AM
 
God I hate this app. see it on so many customer computers, especially the less computer savvy ones, I remove it least 1o times a week.
This space for Hire! Reasonable rates. Reach an audience of literally dozens!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
May 10, 2015, 07:10 PM
 
Originally Posted by donmontalvo View Post
These developers should be cuffed and locked up for years.
Why the developers? They might not be the business owners.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
May 10, 2015, 09:06 PM
 
That proof-of-concept app looks like an Objective-C method call, with the class name, selector name, and arguments. So basically, if I'm interpreting this right, they've been taking URLs from the Internet and converting them straight into Objective-C invocations. That's just... wow. That's really bad.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 09:17 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,