
SoylentNews is people

posted by Fnord666 on Monday September 10 2018, @12:14AM
from the powned-again dept.

Submitted via IRC for SoyCow0245

A top-grossing Apple App Store program called Adware Doctor is capable of sidestepping macOS security controls and surreptitiously copying a user's entire browser history. It then sends it to a China-based domain.

According to Patrick Wardle, chief research officer at Digita Security and founder of Mac security company Objective-See, Apple was informed of Adware Doctor's suspicious functionality last month, but has failed to take action.

[...] In a technical breakdown of the app, Wardle points out that, as with similar "security" tools, Adware Doctor needs legitimate access to users' files and directories in order to scan for malicious code.

"Once the user has clicked 'allow,' since Adware Doctor requested permission to the user's home directory, it will have carte blanche access to all the user's files," he wrote. This allows the app to detect and clean adware, but to "also collect and exfiltrate any user file it so chooses."

The scope of data collected by the app, such as the aforementioned browser histories, is beyond what's required for the app to work as advertised, he said. He also said that collecting "the user's browsing history seem[s] to be a blatant violation of the user's privacy (and of course Apple's strict Mac App Store rules)."

Source: https://threatpost.com/top-macos-app-exfiltrates-browser-histories-behind-users-backs/137247/


  • (Score: 2) by c0lo on Tuesday September 11 2018, @05:15AM (4 children)

    by c0lo (156) Subscriber Badge on Tuesday September 11 2018, @05:15AM (#733060) Journal

    Not sure who you're calling bullshit on - but Apple clearly do get to it eventually.

    Eventually - while hundreds of thousands of users (at least) get their browsing history exfiltrated and sent to China, each day, every day.
    The super-hyper-jiga behemoth sitting on a quarter of $1T in cash [cnbc.com] can't afford to pay extra personnel to sift those security notifications quicker, even when the damn'd reports have a proof-of-concept attached.

    No siree, Applestore's customers don't deserve a quick notification, they need to be milked even if only for a couple of weeks longer.
    Because that quarter of a trillion dollars? They don't pile up if you kick "best-sellers" from your store, even if those best-sellers are poison "vetted as safe".

    Again, they may not be timely enough for the millennials and snowflakes here

    That's the icing on the top of the bullshit - calling names the guys that earn nothing for the vulnerability they discovered, but siding with the owner of the "walled garden" who makes the bullshit promise of "You are safe with the Apps you find here, we checked them".

    The same el reg article also mentioned that Adware Doctor, the topic of this thread, has been pulled.

    Not a moment too soon, actually a bit on the contrary.

    Newer versions of IOS, in preview, will actually prevent this kinda stuff.

    At least one can hope Apple learns from past mistakes.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 2) by arslan on Tuesday September 11 2018, @07:23AM (3 children)

    by arslan (3462) on Tuesday September 11 2018, @07:23AM (#733071)

    You seem to have a very absolute and binary view of the world. First off you see this as 1 event that Apple has to respond to, my point here is they may have hundreds of these reports with lots of false positives. They are working within the capitalism economics here, there's an upper bound and balance on how much they should spend here. 1 month turnaround to me seems pretty good _relative_ to others.

    They are also not perfect, you seem to think corporates that make so much money cannot make mistakes, which is quite absurd. Just because they vet stuff doesn't mean nothing will get missed. In this case it did. In fact their response is to not proclaim "We'll do better vetting" which to me would just be a token gesture, instead they are actually building preventative controls in their next IOS which again, relative to other capitalistic corporates, shows that they are indeed trying to do the right thing.

    I'm not keen on the Apple walled garden, and in fact I find their product expensive, but it seems like that expense does get better customer focus given what they're doing. They don't just sell out their customers' privacy and hide behind a bunch of propaganda and pretend that business model is something else here - like Zuck's "promise" to safeguard data or Google's AMP is about accelerating the web.

    If you think you can do better, please go ahead - put your money where your mouth is. Criticizing from the armchair without real world economic constraints is easy.

    • (Score: 2) by c0lo on Tuesday September 11 2018, @10:06AM (2 children)

      by c0lo (156) Subscriber Badge on Tuesday September 11 2018, @10:06AM (#733089) Journal

      First off you see this as 1 event that Apple has to respond to, my point here is they may have hundreds of these reports with lots of false positives.

      And me who was thinking they may have one or two per year, due to a high quality vetting upfront. That's what you imply about me?

      They are working within the capitalism economics here, there's an upper bound and balance on how much they should spend here.

      Yes, and the researcher works within what? The communist paradise?
      Why is he worth your derogatory 'millennial snowflake'?

      Look, if you want capitalism, then you have to accept that the researcher should have broadcast the "Adware Doctor is malware" from the very first day. It's not a vulnerability of Apple products, they work as designed, there's no 'responsible disclosure' issue at play here.
      In addition, the malware is a fraudulent product - a free market approach requires the immediate disclosure of fraud, otherwise the interests of the paying customers and the principle of fair competition are hurt.

      From this perspective, the capitalistic way of calling names towards the researcher would be 'you fucking lazy bum, why did you wait almost one month to say something?'

      Criticizing from the armchair without real world economic constraints is easy.

      I can say the same about your 'critique' towards the researcher.
      Even easier for you, the financial barrier for entry into the IT security industry is much lower than competing with Apple.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by arslan on Wednesday September 12 2018, @02:38AM (1 child)

        by arslan (3462) on Wednesday September 12 2018, @02:38AM (#733452)

        My criticism of the researcher is the lack of patience. I'll put my money where my mouth is and be patient about waiting on corporations to work on my requests next time I find an issue and disclose to them before crying foul and accusing them of not doing anything about it. Yes, it is very millennial snowflake like because by very definition millennial snowflakes are pampered to want their requests met in a fashion suitable to them.

        Your criticism seems to be that 1 month is unacceptable for a global company with potentially many requests and false positives in their queue. I don't work at Apple but I do work in a global org and I can see lots of false-positive customer requests, lots of them just venting frustration because they can't handle that they are not the center of the universe. So why don't you put your money where your mouth is and go run up a company that can satisfy every single request per the requester's own yardstick of what is acceptable. Even thinking through that logically doesn't make sense.

        So I'll call bullshit on you calling me bullshit on my calling those "tech expert" millennial snowflakes a load of shit just sensationalizing their article. They did themselves the discredit by not sticking to just facts but sprinkling it with their own whinging because they feel crossed by their lack of response towards them and generalizing that Apple doesn't care. You know what, kinda like me generalizing about you being absolute and binary, don't like it do you?

        • (Score: 2) by c0lo on Wednesday September 12 2018, @03:53AM

          by c0lo (156) Subscriber Badge on Wednesday September 12 2018, @03:53AM (#733474) Journal

          Your criticism seems to be that 1 month is unacceptable for a global company with potentially many requests and false positives in their queue.

          My criticism is that a malware (not a vulnerability) needs to be at least warned to the users in any software ecosystem in the shortest time.**
          Any attempt to reinterpret this one is just a slide on a strawman argument path.

          What happens after the warning is another topic.
          If Apple needs more time to make up their mind in regard to their decision, their choice and their responsibility to their paying customers.

          My criticism of the researcher is the lack of patience.

          "Snowflake millennial" doesn't sound to me as criticism. But again maybe it's only me.

          ---
          ** Imagine how the world would be if the latest WannaCrypt was subject to "Well, hey, let's see. How about we fiddle our fingers perform the due analysis for about a month and will get back to you. In the meantime, shush, don't say a word."

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford