Long-time software developer Panic alerted its customers on Wednesday via a blog post about the theft of a large portion of the source code to its Mac and iOS apps. The company maintains customer information and operates a sync service for passwords and accounts for some of its software, but its co-founder, Steven Frank, wrote in the post that private information wasn’t compromised. (We’ve asked Panic for comment, and will update this story if they have more to add.)

Frank fell afoul of a recent Trojan horse inserted into the popular Handbrake software that installed remote-control software on an infected Mac. The malware was used to exfiltrate Frank’s details to access the company’s code on its version-control server, although he writes that because the cracker had to guess at the names of code-storage groups, called repositories, they didn’t obtain everything.

Panic uses Stripe for its credit-card processing, and neither passes through credit-card numbers nor retains the card details on its servers. Frank wrote that customer information and Panic Sync data weren’t accessible, nor was Panic’s website compromised.

Panic Sync, used with its file-access software Transmit for iOS and three other apps, relies on end-point encryption that starts with a user-chosen master password, and the company never has access to encryption keys or unencrypted data. This is similar in mechanism to Apple’s iCloud Keychain, 1Password’s subscription service, and LastPass. As a result, even a full interception of the centrally stored sync data would be of no use to an attacker.

While this would appear to be a severe hack, in which a company’s most prized possession was stolen, Frank notes in his blog post that the key concern isn’t loss of business, but rather that a malicious party could create convincing versions of Panic apps that are either infested with malware or sold in an attempt to deprive Panic of revenue.

Frank expresses far less concern about the theft’s effect on Panic’s business. Not all the source code was stolen, and pirated versions already exist of its most popular products. And while a competitor might use the code in their product, it would be hard to imagine a Mac or iOS developer making that dubious ethical or legal decision. If one did so, the odds of being discovered if used in a similar app would seem to be almost 100 percent. Further, its apps remain effectively in continuous development, meaning that any release derived from the stolen code would be out of date and potentially buggy.

As I’ve written on multiple occasions, the best way to immunize yourself from obtaining and installing malicious or pirated versions of software is to download releases only through an existing app’s internal update process, via the developer’s official website, or from the Mac App Store if the app is sold there. Avoid third-party update sites, which also often wrap downloads in adware.


Handbrake software isn’t signed, which indicates you should use more diligence. But even signed software can be compromised through stolen developer certificates.

Of course, there’s a bit of irony there: Frank had his Mac compromised through a download from the Handbrake site, albeit one of the two mirrors operated for downloads. But he noted that the internal update failed, leading him to the website. Handbrake isn’t signed by an Apple certificate, as the makers don’t go through the Apple developer program, so running it requires a bypass of Apple’s Gatekeeper system. Finally, the malware asked for an administrative password to install, which Handbrake doesn’t need.
