A white-hat security researcher known for exposing weak security setups at various companies reported yesterday that he was easily able to access and obtain sensitive data on more than 13 million current and previous users of the notorious scamware app MacKeeper, due to poor security practices by its previous and current developers, Zeobit/Kromtech. Though the company believes the servers and data in question are now secure, researcher "FoundtheStuff" (Chris Vickery) was able to obtain data including names, email addresses, phone numbers, poorly-hashed passwords, and details on users' computer hardware.
"I have recently downloaded over 13 million sensitive account details related to MacKeeper, Zeobit, and/or Kromtech," Vickery posted on an Apple-oriented Reddit group, and later noted that "six hours after making this post (and it being at the top of the Apple subreddit), the database is still completely unprotected." He was later able to reach officials at Kromtech, and they have since secured the initial server, though Vickery pointed out three other IP addresses that were also leaking that data (which have now been secured).
In response to a question about some of the details of the infiltration, Vickery noted that the server and database were completely unprotected, with "no log in required at all." Only the user passwords were hashed, and for those Kromtech had used only "MD5 with no salt, so very weak hashing," meaning it would have been relatively simple for a malicious party to recover the plaintext passwords and combine them with the wide variety of user data that was stored unprotected: computer names, IP addresses, software license and activation codes, and computer serial numbers, as well as more personal information.
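To make concrete why "MD5 with no salt" counts as weak hashing, here is an added illustration (not from the article, and not Kromtech's code): under bare MD5, identical passwords produce identical digests and one precomputed table serves every user, whereas a per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 here) removes both properties. The wordlist and all passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a common-password list; no real leaked data is used.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "macbook1"]

def md5_unsalted(password: str) -> str:
    """The scheme the article describes: bare MD5, no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()

def build_md5_lookup(wordlist):
    """One digest->plaintext table covers every user, since there is no salt."""
    return {md5_unsalted(w): w for w in wordlist}

def recover_unsalted(stored_hashes, lookup):
    """Map each stored digest to its plaintext if it appears in the table, else None."""
    return {h: lookup.get(h) for h in stored_hashes}

def pbkdf2_hash(password: str, salt=None, iterations: int = 100_000):
    """Mitigation: 16-byte random salt per user and a slow, iterated KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_pbkdf2(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Constant-time comparison so verification itself leaks no timing signal."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def demo():
    # Constructed "leaked" records: two users happen to share a weak password.
    unsalted_db = {"alice": md5_unsalted("letmein"),
                   "bob": md5_unsalted("letmein"),
                   "carol": md5_unsalted("Tr0ub4dor&3-unique")}
    recovered = recover_unsalted(unsalted_db.values(), build_md5_lookup(COMMON_PASSWORDS))
    # Same password -> same digest, so password reuse is visible before any cracking.
    same_digest = unsalted_db["alice"] == unsalted_db["bob"]
    # With per-user salts the same password yields unrelated digests, so no single
    # precomputed table applies and each guess costs a full 100k-iteration KDF run.
    salt_a, dk_a = pbkdf2_hash("letmein")
    salt_b, dk_b = pbkdf2_hash("letmein")
    return recovered, same_digest, dk_a != dk_b, verify_pbkdf2("letmein", salt_a, dk_a)
```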
Fourteen hours after the initial intrusion, Vickery reported that Kromtech now believes everything is secure. He has said he will provide details of how the data was obtained in the near future, now that the system has been locked down. The original developer of MacKeeper, Zeobit, was recently part of a settlement from a lawsuit launched by angry customers who charged the company with operating a "common deceptive scheme to trick consumers into purchasing and continuing to use its MacKeeper software, which ultimately fails to deliver the utility that ZeoBit promises."
It was also alleged MacKeeper was "intentionally designed" to "ominously report that a user's Mac needs repair, and is at-risk due to harmful (but fabricated) errors." The company was eventually forced to pay out over $2 million to refund the $40 purchase price to some 500,000 eligible customers, but admitted no fault.
MacNN routinely advises against "cleaner" programs of this nature.