Daily cyber threats and internet security news: network security, online safety and latest security alerts
January 7th, 2011

Mac App Store Hack Allows Applications To Run Without Paying

A recently disclosed method that allows people to pirate paid apps from the Mac App Store has security researchers worried that it could be used to distribute malware.

The new Mac App Store was launched yesterday at the same time as Mac OS X 10.6.6. It allows people to download and buy desktop applications that have passed through Apple’s strict vetting process.
The company hopes that this model will prove as successful for the Mac as it did for iPhones and iPads. However, it seems to have already started on the wrong foot: within hours of the Mac App Store opening to users, someone figured out a way to run paid applications without paying.

If users attempt to install and run an app bought on another computer, they are normally prompted to sign in with the Apple ID and password used to buy it. This is the result of a protection mechanism called “Receipt Checking.” But apparently, all that’s required to bypass this check is copying some files and folders from a valid downloaded app to the one “borrowed” from someone else.

To do this, the .dmg installer of the paid app is needed, and this is where researchers believe the risk lies if the method becomes common practice. The .dmg can be obtained when the app is purchased, or from uncontrolled sources such as file sharing websites.

“No doubt some Mac users, also too thrifty to pay, will succumb to the temptation of Googling to acquire these cool apps/games/utilities at no cost,” says Chester Wisniewski, a senior security advisor at Sophos.

“Unfortunately, […] some applications downloaded from the App Store can easily be modified to include any sort of executable code you wish. It wouldn’t surprise me to see a surge in markets for pirated applications that might just be booby-trapped to include unexpected surprises,” he warns.

Credit: News
