Boycott CNET’s Download.com

Published October 29th, 2013 at 8:41 AM EDT, modified April 8th, 2015 at 11:43 AM EDT

Download.com has been accused of unethical behavior in the past. In particular, they have been known to insert their own adware in downloaded installers, contrary to the wishes (and without the knowledge) of the developers whose software is being hijacked. This in particular angered Fyodor, the developer of the open source network mapping tool Nmap, so severely that he sent a strongly-worded e-mail to a security mailing list, leading to CNET being widely reviled by the developer community. Unfortunately, I have just found hard evidence that these practices are continuing, almost 2 years later, with Mac downloads.

This was first brought to my attention by a post on the Apple Support Communities, in which it was discovered that a number of new browser extensions were added following the install of a program that had been downloaded from Download.com. Upon downloading that file and opening it in a test system, I found that it behaved exactly as I suspected.

CNET installer

The program that brought this issue to my attention is called X Lossless Decoder (aka XLD), an open-source app for dealing with a number of lossless audio file formats. If you download the app from download.cnet.com, however, you will end up with a cryptically-named disk image file that does not seem to have any relation to the program in question. Opening the disk image shows nothing but an app named CNET-Installer.

Right away, this is something that I wouldn’t normally touch with a ten-foot pole. However, since it was a test system and I didn’t really have anything to fear, I opened it. The window that opened would have alleviated my concerns slightly, if I didn’t know better, since it did mention the app that I had gone looking for:

CNET installer 2

The next screen, though, should raise some serious red flags… assuming that you don’t do what most people do and simply click past the terms and conditions without reading them.

CNET installer 3

If you read those terms, you will notice that they ask you to agree to the install of a number of different undesirable programs, as well as changing of your search engine and home page.

After finishing with the installation, all that happens is that the XLD disk image is downloaded and opened.

CNET post-install

This, of course, could have been achieved in one simple step, without the nonsense of the junk-filled installer, by simply downloading the disk image straight from the XLD website. A legitimate download site would have simply provided a link to that disk image, or a mirrored (and unmodified) copy.

At this point, I opened Safari, and discovered that it had no less than four new extensions installed!

CNET Safari extensions

All four of these extensions – Searchme, the Amazon and Ebay shopping extensions, and Slick Savings – were installed by the CNET installer. None of them are included in the official XLD download.

After making this discovery, a little searching turned up the fact that I’m not the only one who has noticed, and XLD is not the only app being used for these nefarious purposes. Derek Currie has also documented the same behavior with a copy of A Better Finder Rename.

I have been hearing about these issues with Download.com for a couple years now, and had been told that Mac apps had been affected. However, this is the first time that I have actually located a sample – and, not just one but two! This suggests to me that CNET may be ramping up their efforts to earn dirty money using someone else’s software, just as Softonic has done recently.

I would strongly advise boycotting not only Download.com, but all CNET sites. Actually, boycott may be too light a word, since that usually implies a temporary action, taken until the behavior of the company being boycotted changes. However, CNET has shown a history, over several years, of repeatedly doing this kind of thing. They will stop inserting their adware into a particular download when people yell loudly enough, but they evidently aren’t learning any lessons from the repeated criticism. Given that failure to learn and change their behavior, I personally wouldn’t go back to any CNET sites, and will no longer recommend them to anyone. (Which is truly unfortunate, since I have a trusted friend who writes for CNET.)

Updates

October 29, 2013 @ 9:20 am: Less than an hour after I wrote this, I have learned that many other apps are being treated the same way on Download.com, including Sophos and ClamXav. Sounds like it may not be very difficult to find affected apps! If you know of other apps that have been affected, please post a comment to let folks know.

23 Comments

  • Nicholas Ptacek says:

    Thomas,
    It’s hard to go through any of the top lists for Mac apps on download.com right now without tripping over ones that have been affected. Any app listed as “CNET Installer Enabled” will download the toolbar installer. It’s happening for a variety of top Mac apps including the recent Mac App Store Editor’s Choice award winner Capo, to Little Snitch, even to open source programs like http://download.cnet.com/Apache-OpenOffice/3000-18483_4-10209910.html, which CNET has gotten in trouble with in the past, as you noted above.

  • Nicholas Ptacek says:

    SecureMac has a guide to help users identify and remove the adware: http://securemac.com/cnet_adware_removal_guide.php

  • Charles Flezzey says:

    At last, now I understand why I have trusted Cnet for so long (15 years) and over last year or so, have been occasionally duped into downloading and installing crap. I thought maybe it was some other sites “stealing” or taking over URLs within Cnet.

    Then along comes the Cnet Download Installer for “safer downloads.” Another Dupe!
    Used it first time last week and it keeps popping up every time I want to do something.

    Thanks guys, goodbye Cnet!

  • Someone/bentkitty100 says:

    Simple work-around: download from official developer websites and the App Store.

  • Mike says:

    Yes – we have Banned CNET and Download.com in our Organization.

    So much for making our life easier!

  • noar says:

    We found trace of Spigot downloader up to October 14th, in official BitTorrent Installer disk image:
    http://pastebin.com/FEBUbix0

  • a brody says:

    I have written CBS interactive that they have seriously jeopardized their credibility as the best place to find info about old software compatibility. I so miss when it was Versiontracker!

    • Thomas says:

      Thanks for the assistance! I have little faith that it will work, but every voice counts. Perhaps if enough people complain, they’ll do something about it.

  • U.N. Owen says:

    I wanna thank you, SafeMac.

    I have owned Macs for…a VERY long time, and NEVER (EVER!) had a prob.

    I JUST LAST WEEK bought a new MacBookPro, and, I got this ‘Spigot’ crap a couple of times.

    Yeah – I’d remove it, but, I couldn’t figure out WHERE it was coming FROM.

    The article makes it seem like it’s a ‘rarity’ at CNET – I don’t know if the author did that on purpose, or didn’t know how RAMPANT it IS at CNET – but, I downloaded OTHER software from them and got it.

    What’s that saying; ‘fool me once, shame on me, fool me twice…I’ll never deal with CNET again…’ or, something like that.

    Thank you – ALL of you (Commenters included)!

    • Thomas says:

      Yes, since I wrote that article, I’ve discovered the insidious “CNET Installer” all over the place. It’s not hard to find at all at this point.

  • Kurt J. Meyer says:

    I have relied on versiontracker.com for years and am now quite disappointed, too. Especially because CNET’s adware installer not only installed those Safari extensions, it also changed my Safari start page settings (from my Top Sites to a Yahoo start page).

    But to be honest: When CNET uses this adware installer, on the detail page of the featured software there is a simple text link below the big green “Download Now (CNET installer enabled)” button that offers a “Direct Download”. This link downloads the original files directly without using the CNET installer.

    So my advice is not to click the Download buttons on the list page where you are not able to see if you are getting the adware installer. Use the “Direct Download” link from the detail page!

    • Thomas says:

      I cannot in good conscience recommend even using the Direct Download link. Even if the Direct Download link works perfectly and gives you an unmodified copy of the software in question, you’re still venturing into shark-infested waters when you could avoid that completely by downloading from the developer’s site instead.

  • Kurt J. Meyer says:

    Another piece of advice: You can disable the CNET Installer completely in your CNET account preferences.

  • Brian says:

    I deleted extensions etc from Chrome, cleared cache, history etc and then tried going to the securemac.com link above and got an Oops! – and in Safari, I can’t open anything but the Facebook page I always open. I think a class action suit is in order here – this is vicious malware.

  • Brian says:

    One more question: does the CNET Installer leave anything else – in the Library or elsewhere – that needs to be deleted?

  • Brian says:

    So spigot.com has a nice page with full directions for getting rid of itself on 3 browsers. I went to their “Contact Us” page but the drop-down menu for “subject” did not include “Drive a stake through the heart of Spigot” so I didn’t bother contacting them.

  • Mac Lawyer says:

    Downloaded CyberDuck and the same thing happened here.
    To uninstall it through the browsers extensions is one way, but not permanent.

    To uninstall permanently: user/username/library/application support/spigot [delete]

    (If you open that folder up you will see there are lots of extensions installed by the cnet downloader.)

    • Thomas says:

      Removing the extensions is sufficient to disable the adware entirely. The items in Application Support are not active in any way, they’re merely there to support the activities of those extensions. I definitely recommend removing them, but not doing so won’t have any negative impact (other than taking up a small fraction of your hard drive space).

  • me says:

    Any way to get Google to quit putting CNet at the top of search results? Aren’t they aiding and abetting the deceptive crapware installers by advertising and promoting them?

    • Thomas says:

      You can always contact Google and make your feelings known. If enough people complain, they will probably do something… the trick would be getting enough people to complain.

  • Dan says:

    I learned about downloading from that site the hard way. But yesterday I clicked on a link that was supposed to just take me to the developer’s site, and even that link downloaded the adware as well. Also, direct download links appear to have disappeared altogether now. So this site really is highly toxic. It’s a shame.

  • Upset in Texas says:

    I used to trust CNET but no longer. I just spent a full day re-installing windows after an employee of mine chose to “express install” Gena Photostamper and got a boatload of malware along with it, including a nasty little program called Generic5. It’s a shame, too, because their website talks all about how they screen for malware. I think that the internet community should regard the CNET website as a hacker/scam/virus website.
