How to find if your apps are affected by the Sparkle hijack

10 February 2016, 08:57

As reported by MacRumors and various other sources, Mac apps that use the Sparkle framework to auto-update are potentially vulnerable to having their update channel hijacked.

Says MacRumors:

Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.

In other words, apps that fetch their Sparkle update feed over HTTPS are NOT affected. Only those that use plain HTTP might be.

What it means is that an attacker could essentially take over the update routine, offering users tampered copies of apps that might open their system to attack. The user would be unaware, because the app would look legitimate. This hasn’t happened yet, and likely never will. But it remains a possibility.

You can find out which applications on your system use the Sparkle framework by opening a Terminal window (you’ll find it in the Utilities folder in the Applications list) and pasting in the following single-line command. Potentially affected apps will then be listed:

 find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

This will not distinguish between those that use HTTP or HTTPS, though.

Alternatively, you can use the following command for a more precise scan. It reads each app’s update server address and lists those that use HTTP, and that therefore might be vulnerable. Because only URLs are reported, you might have to do some detective work to find out which app each one belongs to: the URL will probably be the developer’s domain rather than one dedicated to the app itself:

 for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done|grep -iv https

If any of the apps you discover using the above command flash up an update message when you start them (see above for an example of how it might look), be safe and cancel the dialog box. Then head over to the app developer’s website and download the latest version of the app manually.
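The two one-liners above only look one folder deep and, as the comments below note, the first cannot tell HTTP from HTTPS. The script that follows is an added example (not code from the original article, its commenters, or the Sparkle project) that combines both checks: it walks a whole directory tree for Sparkle.framework, reads SUFeedURL from each bundle’s Info.plist, and prints the app name next to a SECURE, INSECURE or NOFEED verdict. It assumes the standard bundle layout (Name.app/Contents/Info.plist and Name.app/Contents/Frameworks/Sparkle.framework); on a Mac, binary plists are converted with plutil, and the constructed fixture at the end stands in for /Applications so the script also runs elsewhere.

```shell
#!/bin/sh
# Added example, not from the original post or its comments: report every app
# bundle under a directory that ships Sparkle.framework, together with whether
# its update feed (SUFeedURL in Info.plist) is fetched over HTTPS.
# Assumed layout (standard for macOS bundles):
#   <Name>.app/Contents/Info.plist
#   <Name>.app/Contents/Frameworks/Sparkle.framework

# Emit an Info.plist as XML on stdout (real bundles often use binary plists).
plist_as_xml() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1" 2>/dev/null
    else
        cat "$1" 2>/dev/null
    fi
}

# Print the SUFeedURL string of one Info.plist (empty if the key is absent).
sparkle_feed_url() {
    plist_as_xml "$1" | awk '
        /<key>SUFeedURL<\/key>/ { want = 1; sub(/.*<key>SUFeedURL<\/key>/, "") }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
        want && /<\/dict>/ { exit }   # key present but without a string value
    '
}

# Classify a feed URL: SECURE (https), INSECURE (anything else), NOFEED (empty).
classify_feed_url() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        "")        echo NOFEED ;;
        https://*) echo SECURE ;;
        *)         echo INSECURE ;;
    esac
}

# Walk ROOT for Sparkle.framework directories and print one line per bundle:
#   STATUS<TAB>AppName<TAB>feed URL
# Unlike the single-line commands in the article, nested folders are covered.
scan_sparkle_apps() {
    find "$1" -type d -name Sparkle.framework 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r fw; do
        bundle=${fw%/Contents/Frameworks/*}     # strip down to <Name>.app
        [ "$bundle" != "$fw" ] || continue      # a loose copy, not inside a bundle
        app=${bundle##*/}; app=${app%.app}
        url=$(sparkle_feed_url "$bundle/Contents/Info.plist")
        printf '%s\t%s\t%s\n' "$(classify_feed_url "$url")" "$app" "$url"
    done
}

# Build a constructed fixture bundle (sample data, not a real app) for testing.
make_fixture_bundle() {   # make_fixture_bundle ROOT NAME [FEED_URL]
    c="$1/$2.app/Contents"
    mkdir -p "$c/Frameworks/Sparkle.framework"
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
        printf '<key>CFBundleName</key><string>%s</string>\n' "$2"
        [ -z "$3" ] || printf '<key>SUFeedURL</key>\n<string>%s</string>\n' "$3"
        printf '</dict></plist>\n'
    } > "$c/Info.plist"
}

# Demo on a constructed tree (the URLs are made up); for a real scan run
# `scan_sparkle_apps /Applications` instead.
demo_root=$(mktemp -d)
make_fixture_bundle "$demo_root" "PlainApp" "http://updates.example.test/appcast.xml"
make_fixture_bundle "$demo_root" "SafeApp" "https://updates.example.test/appcast.xml"
make_fixture_bundle "$demo_root/Utilities" "QuietApp"
scan_sparkle_apps "$demo_root"
rm -rf "$demo_root"
```

An INSECURE line is the case the article warns about; NOFEED usually means the feed URL is set in code rather than in Info.plist, so such apps still deserve a manual check. Save the script and run `scan_sparkle_apps /Applications` from it (or source the file and call the function) to scan a real machine.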


Both of the commands in the article have significant limitations, but this should show the apps anywhere in /Applications that use Sparkle insecurely (it’s slow, but it works eventually)

for app in /Applications/**/Sparkle.framework; do plist=${app/Frameworks\/Sparkle.framework/Info.plist}; url=`defaults read "$plist" SUFeedURL 2>/dev/null`; if [[ $url != "https"* ]]; then echo ${app/.app*/}; fi; done

— digicow · Feb 10, 11:38 AM

Bartender2 is the most popular of my apps that is affected

— Lazaruz · Feb 11, 04:51 AM

MarsEdit and the KVM software, Teleport, were two on my list.

Teleport might be an issue as it’s not updated often.

— Michael Quinn · Feb 11, 10:33 AM

Comment one from Digicow is an improvement but didn’t work for me (maybe ** doesn’t work anymore in the El Cap beta). The following works and prints out the plist if you want to double-check. Wow, lots of apps use Sparkle!

for app in /Applications/*/Contents/Frameworks/Sparkle.framework; do plist=${app/Frameworks\/Sparkle.framework/Info.plist}; url=`defaults read "$plist" SUFeedURL 2>/dev/null`; if [[ $url != "https"* ]]; then echo ${app/.app*/} " and plist=$plist"; fi; done

— RussW · Feb 12, 09:31 AM

I don’t get what this Sparkle hijack is all about but can they hack the files?

— Lindsay Stevens · Nov 10, 10:24 AM