Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/7/2018
05:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Apple (Finally) Removes MacOS App Caught Stealing User Browser Histories

The fact that the app likely has been exfiltrating data for years is "rather f#@&'d" up, says the security researcher who reported the issue to Apple one month ago.

Apple has removed a top-rated ad blocker from its official Mac App Store after a security researcher discovered it to be quietly collecting and sending detailed user-browsing histories to a domain based in China.

The $4.99 Adware Doctor was until Friday morning listed as the fourth highest-selling app and top-grossing software product in the category of "paid utilities" in the Mac App store.

Its stated purpose is to protect users from malware and having adware served on their browsers. But the app has also been silently exfiltrating browser histories and other sensitive data from systems on which it is installed, says Patrick Wardle, founder and chief research officer of Digita Security and creator of Objective-See, a website for Mac security tools. 

"It also collects system info, a list of the user's currently running processes, and also certain types of files that users have downloaded. It tries to access the user's App Store history — but I believe a bug causes this to fail," he says.

In a blog post Friday, Wardle said he had contacted Apple about the issue one month ago and informed the company about the app's behavior. Even two years ago, in 2016, another security researcher had raised concerns about the same application trying to trick users into granting it administrative privileges on their devices, he said. But until Friday morning, Apple had not removed the app despite promising to investigate, Wardle said.

"There is rather a MASSIVE privacy issue here," Wardle wrote. "The fact that [the] application has been surreptitiously exfiltrating users' browsing history, possibly for years, is, to put it mildly, rather f#@&'d up!"

Apple did not offer any explanation for why it might have waited so long to act. But according to the company, the app has been removed and the issue, which allowed Adware Doctor to access and exfiltrate privacy-sensitive content like browser history and cookies, has been mitigated in Mojave, the next version of the macOS.

A quick check by Dark Reading shows that the app is indeed no longer available for download from the app store for US users, at least.

Wardle, a macOS security veteran and frequent presenter at major security conferences like Black Hat, said he decided to investigate Adware Doctor after another security researcher tweeted an alert about the application stealing private user files last month.

After purchasing a copy of Adware Doctor, Wardle said he used a combination of static and dynamic analysis and quickly found the application to be behaving in a manner completely inconsistent with its stated purpose. Wardle discovered that when a user gives the application permission — by clicking OK — to remove extensions, cookies, and caches from his or her browser, the app ends up surreptitiously stealing the user's browser history.

Apple apps downloaded from the company's official Mac application stores typically are sandboxed, meaning that it is constrained in the kinds of files and user information it can access, Wardle said.

But since Adware Doctor is a malware detection and removal tool, it needs access to user data and files not normally available to other applications. When the application is first launched, it asks the user for permission to access files in his or her home directory and all files and directories under it so the files can be inspected for malware. Once a user has granted that permission, the tool — like any anti-malware product — has free access to files on the devices.

In Adware Doctor's case, however, the app has been using the access to collect and exfiltrate data. "While some (such as a process list), perhaps have a legitimate reason for being collected by an anti-malware or anti-adware product, others such as the user's browsing history seem to be a blatant violation of the user's privacy," Wardle noted.

According to Apple, the issue has been mitigated in the next release of macOS via a sandboxing mechanism that ensures an app won't be able to access privacy-sensitive content after a user grants it permission to the home directory.

The fact that an app like this was allowed on Apple's official app store — supposedly the most secure source for Mac software — should be a wake-up call for the company, says Matt Lock, director of sales engineering at Varonis.

"This isn't the first time an app has collected data for questionable reasons, and it will not be the last," he says. "The irony is that consumers downloaded the app to reduce adware, but got stuck with spyware in the process."

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sopiabrown
50%
50%
sopiabrown,
User Rank: Apprentice
9/25/2018 | 12:38:33 PM
Mac OS based systems
It is really great that in very recent Apple has been removed Mac OS application's history from the browser. It is undoubtedly very fruitful features must be utilized by all the users. They take other details from Apple customer support number to know in advance.
TeroH
50%
50%
TeroH,
User Rank: Apprentice
9/8/2018 | 5:34:04 PM
Still there...
Adware Doctor v1.2 by Li Wenhui is available in Europe. Is this the same app? If it is, then perhaps the other 5 apps from the same vendor should be examined also.
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "SpearPhish! Everyone out of the office!"
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13584
PUBLISHED: 2019-07-17
The remote admin webserver on FANUC Robotics Virtual Robot Controller 8.23 allows Directory Traversal via a forged HTTP request.
CVE-2019-13585
PUBLISHED: 2019-07-17
The remote admin webserver on FANUC Robotics Virtual Robot Controller 8.23 has a Buffer Overflow via a forged HTTP request.
CVE-2019-13631
PUBLISHED: 2019-07-17
In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages.
CVE-2019-13614
PUBLISHED: 2019-07-17
CMD_SET_CONFIG_COUNTRY in the TP-Link Device Debug protocol in TP-Link Archer C1200 1.0.0 Build 20180502 rel.45702 and earlier is prone to a stack-based buffer overflow, which allows a remote attacker to achieve code execution or denial of service by sending a crafted payload to the listening server...
CVE-2019-10100
PUBLISHED: 2019-07-17
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.