Mac apps using Sparkle vulnerable to MitM Attacks

A security specialist, has discovered a flaw in the third party application Sparkle, a framework that other apps use to receive updates. It appears that a man in the middle attack is possible on a Mac using Sparkle and unencrypted HTTP.

If the attacker has the ability to intercept the unencrypted data stream for example on a public Wi-Fi hotspot they could possibly inject malicious code.

The number of apps affected is unknown but researchers believe it be a huge quantity. Some of the known vulnerable apps are; Camtasia 2 v2.10.4, DuetDisplay v1.5.2.4, uTorrent v1.8.7, and Sketch v3.5.1. as well as Hopper reverse engineering tool and DXO Optics Pro, amongst many others. However, not all apps that use Sparkle are susceptible, only ones that use HTTP instead of HTTPS and use a vulnerable version of Sparkle are at risk.

Sparkle has issued an update, however the security specialist, Radek, who originally discovered the flaws warns in an email, that it is not a trivial process.

This process requires [a developer] to:

  • Download the newest version of Sparkle Updater
  • Check if new version of Sparkle is compatible with the app
  • Create some test cases, verify update and so on
  • Address this vulnerability and publish new version of the app

Now, this is the moment when people can check for the update and replace this particular app version on their computers with the newest one.

It all depends on the complexity of an application, its size and maintainers. That's the reason why some developers don't want to update or can't update Sparkle in their applications.