Don’t Panic: Breach at software developer shouldn’t affect its customers or its future

Long-time software developer Panic alerted its
customers on Wednesday via a blog post
about the theft of a
large portion of the source code to its Mac and iOS apps. The
company maintains customer information and operates a sync
service for passwords and accounts for some of its software,
but its co-founder, Steven Frank, wrote in the post that
private information wasn’t compromised. (We’ve asked Panic for
comment, and will update this story if they have more to add.)

Frank fell afoul of a recent
Trojan horse
inserted into the popular Handbrake software
installed remote-control software on an infected Mac
. The
malware was used to exfiltrate Frank’s details to access the
company’s code on its version-control server, although he
writes that because the cracker had to guess at the names of
code-storage groups, called repositories, they didn’t obtain

Panic uses Stripe for its credit-card processing, and doesn’t
pass through credit-card numbers nor retain the card details on
its servers. Frank wrote that customer information and Panic
Sync data wasn’t accessible, nor was Panic’s website

Panic Sync, used with its
file-access software Transmit for iOS and three other apps,
relies on end-point encryption that starts with a user-chosen
master password, and the company never has access to encryption
keys or unencrypted data. This is similar in mechanism to
Apple’s iCloud Keychain, 1Password’s subscription service, and
LastPass. As a result, even a full interception of the
centrally stored sync data would be of no use to an attacker.

While this would appear to be a severe hack, in which a
company’s most prized possession was stolen, Frank notes in his
blog post that the key concern isn’t loss of business, but
rather that a malicious party could create convincing versions
of Panic apps that are either infested with malware or sold in
an attempt to deprive Panic of revenue.

Frank expresses far less concern about its affect on Panic’s
business. Not all the source code was stolen, and pirated
versions already exist of its most-popular products. And while
a competitor might use the code in their product, it would be
hard to imagine a Mac or iOS developer making that dubious
ethical or legal decision. If one did so, the odds of being
discovered if used in a similar app would seem to be almost 100
percent. Further, its apps remain effectively in continuous
development, meaning that any release derived from it would be
out of date and potentially buggy.

As I’ve written on multiple occasions, the best way to immunize
yourself from obtaining and installing malicious or pirated
versions of software is to download releases only through an
existing app’s internal update process,
via a developers’ official website
, or from the Mac App
Store if the app is sold there. Avoid third-party update sites,
which also often wrap downloads in adware.

panic software hack unsigned handbrakeIDG

Handbrake software isn’t signed, which indicates you should use
more diligence. But even signed software can be compromised
through stolen develop certificates.

Of course, there’s a bit of irony there: Frank had his Mac
compromised through a download from the Handbrake site, albeit
one of the two mirrors operated for downloads. But he noted
that the internal update failed, leading him to the website.
Handbrake isn’t signed by an Apple certificate, as the makers
don’t go through the Apple developer program, requiring a
bypass of Apple’s Gatekeeper system. Finally, the malware asked
for an administrative password to install, which Handbrake
doesn’t need.

None of Frank’s decisions are unusual, and no obvious red flags
leapt out. However, you can avoid a similar pitfall by taking
more caution with apps developed by a single individual or
small teams, especially if they’re distributed at no cost.

The vast majority of Mac apps developed by one or a few people,
especially for free distribution, are perfectly fine. However,
the only examples of compromised software in recent years are
Transmission and Handbrake. Thus, any deviation from what you
expect, like a failure of in-app download or additional
privileges requested, should lead you to halt and contact the
developers directly or via a support forum. You might be the
canary in the coalmine that prevents a widespread impact from
compromised software.

A signed app isn’t necessary a safe one. Transmission had its
September 2017 subverted release signed by a developer—just not
by the makers. A stolen certificate was used, which was
repeated with a recent phishing attack that
delivered a signed, but malicious package

Whether such apps are signed or not, you should use extra
protection. Patrick Wardle’s free (in beta) Block
notifies you about launch-time daemons and other
software installed. F-Secure’s (in beta and free for now)
formerly Little Flocker, prevents apps from reading, writing,
and deleting files for the first time (or on subsequent
occasions) without first gaining your permission. This can
prevent ransomware, but it also alerts you to any odd
activities, as with this remote-control malware installation.

To comment on this article and other Macworld content, visit
our Facebook page or our Twitter
%d bloggers like this: