HandBrake hack affects Mac app developer Panic

Mac app developer Steven Frank of Panic, Inc. announced on the company blog that, through an incredible run of bad luck, he managed to download an infected copy of Handbrake during the three day window it was hacked and infected by malware. Panic is the maker of Coda, Transmit, Prompt, and Firewatch.

Popular video transcoder Handbrake had posted a security warning that its program was hacked. Anyone that downloaded Handbrake between May 2 and May 6 were told to verify the app is not infected by a trojan. Unfortunately, Frank got that trojan.

In a case of extraordinarily bad luck, even for a guy that has a lot of bad computer luck, I happened to download HandBrake in that three day window, and my work Mac got pwned.

Frank clarifies that no customer information was stolen, no sync data from Panic was accessed, and their web servers were not compromised. Additionally, Frank reminds us that Panic never stores credit card numbers and Panic Sync data is encrypted so that even the company can't access it.

Frank details the number of mistakes he made, which ultimately led to downloading the malware onto his computer.

I managed to download ... an in-retrospect-sketchy authentication dialog, without stopping to wonder why HandBrake would need admin privileges, or why it would suddenly need them when it hadn't before. I also likely bypassed the Gatekeeper warning without even thinking about it, because I run a handful of apps that are still not signed by their developers. And that was that, my Mac was completely, entirely compromised in 3 seconds or less.

Through the downloaded malware, the attackers were able to steal Panic's GitHub credentials and used them to clone sever of the company's source code repositories.

The attackers sent an email to Panic with a demand for a "large bitcoin ransom to prevent the release of the source code."

They didn't pay. Instead, Panic contacted the FBI and Apple directly. Apple helped the dev team and quickly dispatched a security team to address the issue.

The right people at Apple are now standing by to quickly shut down any stolen/malware-infested versions of our apps that we may discover.

Panic requests that, if anyone comes across an unofficial version of its apps to get in touch.

Frank reminds everyone to only download apps directly from the Mac app store or from official sources to avoid downloading malicious content. He also reminds us how important it is to be aware of our download activities.

I kick myself every day for not paying attention to what I was doing; the tells were obvious in hindsight. It's a good reminder though — no matter how experienced you might be with computers, you're human, and mistakes are easily made. And even though this doesn't affect our customers directly, we want to apologize that we're even having to have this discussion with you.

Lory Gil

Lory is a renaissance woman, writing news, reviews, and how-to guides for iMore. She also fancies herself a bit of a rock star in her town and spends too much time reading comic books.  If she's not typing away at her keyboard, you can probably find her at Disneyland or watching Star Wars (or both).

  • Chrome
    VLC Player I wish those apps were available in the official Mac App Store. You just can't only use apps that are from the store.
  • iMore have slightly fudged up the quotation. The one from the actual Panic blog is: "And as a reminder, never download one of our apps from a source that is not our website or the Mac App Store." Note the key word "our". He's only referring to Panic apps, as all Panic apps are available on the Mac App Store.
  • That wasn't a quote. Frank's sentiment is clear. You should never download any apps that aren't from official sources, either the web developer's official page or the Mac App Store. There are hundreds (thousands?) of questionable sites that have links to app downloads that are not official.
  • I totally agree. I have at least a dozen Mac apps that aren't available in the Mac App Store, including Handbrake. I wish more developers would, at least, have an option to download an app from the Mac App Store.
  • Hmmm… or have a verification program that could look at the file name and checksum of multiple popular programs… a program that *could* be on the Mac App Store.
  • Isn't that the idea of the "identified developers" restriction? When you download an app outside of the App Store, it has to be signed by an identified developer. I don't know how easy it can be exploited but it's designed for this kind of situation. The Panic developer said he bypassed this check, which was a bad mistake he made