Mac App Store Hack Allows Applications To Run Without Paying
A recently disclosed method which allows people to pirate paid apps from the Mac App Store has security researchers worried about the prospect of using it to distribute malware.
The new Mac App Store was launched yesterday, alongside Mac OS X 10.6.6. It allows people to download and buy desktop applications that have passed through Apple’s strict vetting process.
The company hopes that this model will prove as successful for the Mac as it did for iPhones and iPads; however, it seems to have started on the wrong foot. Within hours of the Mac App Store opening to users, someone figured out a way to run paid applications without paying.
If users attempt to install and run an app bought on another computer, they are normally prompted to sign in with the Apple ID and password used to buy it. This prompt comes from a protection mechanism called “Receipt Checking.” But apparently, all that’s required to bypass this check is copying some files and folders from a validly downloaded app into the one “borrowed” from someone else.
To do this, the .dmg installer of the paid app is needed, and this is where researchers believe the risk lies if the method becomes common practice: the dmg can be obtained when the app is purchased, or from uncontrolled sources such as file-sharing websites.
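To make the defensive point concrete, here is an added example (not code from the article, from Apple or from any of the researchers quoted) that models why a receipt check defeated by copying files is a weak one. Apple’s real receipt is a signed binary structure whose exact layout is not described on this page; the receipt format, the HMAC stand-in for the store’s signature, and all identifiers and GUIDs below are constructed for illustration. The contrast shown is between a check that only asks “is this a genuine receipt?” and one that also asks “is it a receipt for this app, this version, on this machine?”, which is the binding a copied receipt cannot satisfy.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the store's signing secret. A real store signs
# receipts with a private key and the app only verifies; the symmetric key
# here is a hypothetical simplification so the example runs offline.
STORE_KEY = b"constructed-store-signing-key"


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so the signature covers exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _binding_hash(bundle_id: str, machine_guid: str) -> str:
    """Ties a receipt to one app on one machine (constructed scheme)."""
    return hashlib.sha256(f"{bundle_id}|{machine_guid}".encode()).hexdigest()


def issue_receipt(bundle_id: str, version: str, machine_guid: str) -> dict:
    """Model of the store issuing a receipt at purchase time."""
    payload = {
        "bundle_id": bundle_id,
        "version": version,
        "binding": _binding_hash(bundle_id, machine_guid),
    }
    sig = hmac.new(STORE_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def signature_valid(receipt: dict) -> bool:
    """True if the receipt was issued by the store and not tampered with."""
    expected = hmac.new(STORE_KEY, _canonical(receipt["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])


def naive_check(receipt: dict) -> bool:
    """Weak check: accepts any genuine receipt, wherever it was copied from."""
    return signature_valid(receipt)


def bound_check(receipt: dict, bundle_id: str, version: str, machine_guid: str) -> bool:
    """Strong check: genuine, and issued for this app, this version, this machine."""
    if not signature_valid(receipt):
        return False
    p = receipt["payload"]
    return (
        p["bundle_id"] == bundle_id
        and p["version"] == version
        and hmac.compare_digest(p["binding"], _binding_hash(bundle_id, machine_guid))
    )


def demo() -> dict:
    """Replays the copied-receipt scenario against both checks."""
    paid = "com.example.paidapp"                          # constructed identifier
    receipt = issue_receipt(paid, "1.0", "GUID-OF-BUYER")  # constructed GUID
    # The same receipt files dropped into the app on a second machine.
    return {
        "naive_accepts_copied": naive_check(receipt),
        "bound_rejects_copied": not bound_check(receipt, paid, "1.0", "GUID-OF-OTHER-MACHINE"),
        "bound_accepts_original": bound_check(receipt, paid, "1.0", "GUID-OF-BUYER"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the signature alone proves only that the store issued some receipt; it is the bundle identifier, version and machine binding inside the signed payload that make the receipt useless outside the purchase it belongs to, and all three must be compared before the app treats itself as licensed.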
“No doubt some Mac users, also too thrifty to pay, will succumb to the temptation of Googling to acquire these cool apps/games/utilities at no cost,” says Chester Wisniewski, a senior security advisor at Sophos.
“Unfortunately, […] some applications downloaded from the App Store can easily be modified to include any sort of executable code you wish.” “It wouldn’t surprise me to see a surge in markets for pirated applications that might just be booby-trapped to include unexpected surprises,” he warns.
Credit: Softpedia.com News