Mac app developer Steven Frank of Panic, Inc. announced on the company blog that, through an incredible run of bad luck, he managed to download an infected copy of Handbrake during the three-day window in which it was hacked and infected by malware. Panic is the maker of Coda, Transmit, Prompt, and Firewatch.
Popular video transcoder Handbrake had posted a security warning that its program was hacked. Anyone who downloaded Handbrake between May 2 and May 6 was told to verify that the app is not infected by a trojan. Unfortunately, Frank got that trojan.
Frank clarifies that no customer information was stolen, no sync data from Panic was accessed, and their web servers were not compromised. Additionally, Frank reminds us that Panic never stores credit card numbers and Panic Sync data is encrypted so that even the company can't access it.
Frank details the number of mistakes he made, which ultimately led to downloading the malware onto his computer.
Through the downloaded malware, the attackers were able to steal Panic's GitHub credentials and used them to clone several of the company's source code repositories.
The attackers sent an email to Panic with a demand for a "large bitcoin ransom to prevent the release of the source code."
They didn't pay. Instead, Panic contacted the FBI and Apple directly. Apple helped the dev team and quickly dispatched a security team to address the issue.
Panic requests that anyone who comes across an unofficial version of its apps get in touch.
Frank reminds everyone to only download apps directly from the Mac App Store or from official sources to avoid downloading malicious content. He also reminds us how important it is to be aware of our download activities.
Lory is a renaissance woman, writing news, reviews, and how-to guides for iMore. She also fancies herself a bit of a rock star in her town and spends too much time reading comic books. If she's not typing away at her keyboard, you can probably find her at Disneyland or watching Star Wars (or both).
VLC Player I wish those apps were available in the official Mac App Store. You just can't only use apps that are from the store.
iMore have slightly fudged up the quotation. The one from the actual Panic blog is: "And as a reminder, never download one of our apps from a source that is not our website or the Mac App Store." Note the key word "our". He's only referring to Panic apps, as all Panic apps are available on the Mac App Store.
That wasn't a quote. Frank's sentiment is clear. You should never download any apps that aren't from official sources, either the web developer's official page or the Mac App Store. There are hundreds (thousands?) of questionable sites that have links to app downloads that are not official.
I totally agree. I have at least a dozen Mac apps that aren't available in the Mac App Store, including Handbrake. I wish more developers would, at least, have an option to download an app from the Mac App Store.
Hmmm… or have a verification program that could look at the file name and checksum of multiple popular programs… a program that *could* be on the Mac App Store.
Isn't that the idea of the "identified developers" restriction? When you download an app outside of the App Store, it has to be signed by an identified developer. I don't know how easily it can be exploited but it's designed for this kind of situation. The Panic developer said he bypassed this check, which was a bad mistake he made.