Mac Users Beware: A Bug in Sparkle Could Get You Hacked


A lot of OS X applications use a framework called Sparkle to simplify automatic software updates for end users like you and me. Unfortunately, a recent vulnerability was spotted in Sparkle — one that could leave your system open to hackers.

The issue is that when an app checks for updates, it uses an unencrypted HTTP channel that can be hijacked. The vulnerability affects both OS X Yosemite and OS X El Capitan. Here’s a proof-of-concept in action:

Sparkle has already released a patch for their updater framework, but it’s still up to the individual app developers to update the versions of Sparkle used in their apps. In other words, the vulnerability only exists in apps using old versions of Sparkle.

So what should you do? First, check this list of apps using Sparkle and see if you have any of them installed on your system. If not, you’re clear and have nothing to worry about.

Otherwise, if you’re really paranoid, you should uninstall every Sparkle-based app you have until they release updated versions. The Sparkle security fix was released on February 4, so look for app updates that came out after that day.

If you aren’t so paranoid, you can keep them installed, but make sure you don’t connect to any unsecured or public Wi-Fi networks, as that’s how someone would take advantage of the vulnerability.
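To find Sparkle-based apps yourself, the sketch below walks an applications folder and reports each bundle that ships Sparkle, the framework version it bundles, and whether its update feed is plain HTTP. It is an added example, not code from the article or the Sparkle project. It assumes the usual Sparkle layout (`Contents/Frameworks/Sparkle.framework` and an `SUFeedURL` key in the app's `Info.plist`), neither of which the article mentions. The function names, sample bundle and `example.invalid` URL are constructed.

```python
import plistlib
import sys
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError


def read_plist(path):
    """Parse an XML or binary plist; return {} if missing or unreadable."""
    try:
        data = plistlib.loads(Path(path).read_bytes())
    except (OSError, ValueError, ExpatError):
        return {}
    return data if isinstance(data, dict) else {}


def audit_app(app):
    """Report bundled Sparkle version and feed scheme, or None if no Sparkle."""
    fw = app / "Contents" / "Frameworks" / "Sparkle.framework"
    if not fw.is_dir():
        return None
    feed = read_plist(app / "Contents" / "Info.plist").get("SUFeedURL")
    ver = read_plist(fw / "Resources" / "Info.plist").get("CFBundleShortVersionString")
    # The feed URL can also be set in code, so a missing key means "unknown", not safe.
    scheme = urlparse(str(feed)).scheme.lower() if feed else "unknown"
    return {"app": app.name, "sparkle": ver or "unknown", "feed": feed, "scheme": scheme}


def scan(root):
    """Audit every .app bundle directly under root and one folder below it."""
    apps = sorted({*Path(root).glob("*.app"), *Path(root).glob("*/*.app")})
    return [f for f in map(audit_app, apps) if f]


def make_sample(root, name, feed):
    """Build a constructed, minimal bundle layout for the demo (not a real app)."""
    contents = Path(root) / name / "Contents"
    res = contents / "Frameworks" / "Sparkle.framework" / "Resources"
    res.mkdir(parents=True)
    (contents / "Info.plist").write_bytes(plistlib.dumps({"SUFeedURL": feed} if feed else {}))
    (res / "Info.plist").write_bytes(plistlib.dumps({"CFBundleShortVersionString": "0.0-sample"}))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # no path given: demo on a constructed bundle
        make_sample(root, "Plain.app", "http://updates.example.invalid/appcast.xml")
    for f in scan(root):
        print(f, "<-- plaintext update feed" if f["scheme"] == "http" else "")
```

On a Mac, pass `/Applications` as the argument. The script does not judge whether a bundled Sparkle version is patched, so compare each flagged app's latest update against the February 4 fix date given above.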

Do you have any Sparkle-based apps on your system? How often do you connect to unsecured or public Wi-Fi? Tell us about your wireless habits in the comments below!

Image Credit: MacBook by Marco Prati via Shutterstock
