A “huge” number of Mac apps, including the popular torrent software uTorrent, are vulnerable to man-in-the-middle cyberattacks, according to new research published Tuesday by Ars Technica. The vulnerability exists because of a security flaw in Sparkle, the open-source software that issues the updates to myriad apps.
Mac versions of Camtasia 2 v2.10.4, uTorrent v1.8.7, DuetDisplay v184.108.40.206 and Sketch v3.5.1 are confirmed to have a vulnerability that would make it possible for an attacker to intercept, and possibly redirect, the web connection between a user and the program.
Each of the apps rely on an outdated version of Sparkle and use an unencrypted HTTP connection to input new data from servers. All it would take for a hacker to infect a victim with malicious code would be for them to attack their Wi-Fi network, security researchers told Ars Technica Tuesday.
The attack is feasible on the current El Capitan Mac operating system as well as Yosemite, which came before El Capitan. Researchers told Ars Technica developers need to patch the vulnerability by updating the Sparkle framework in their app, an arduous process that also includes creating test cases to run the attack against.
Researchers said it's not clear exactly how many apps are affected, but a multitude rely on the same vulnerable software.
“It all depends on the complexity of an application, its size and maintainers,” one researcher, known as Radek, told Ars Tuesday. “That's the reason why some developers don't want to update or can't update Sparkle in their applications.”
That complexity could explain why uTorrent, the software used by millions of people to download torrent files, is vulnerable. But it's just the latest security issue uncovered about the free program, after previous disclosures indicated the app was distributing malicious advertisements, that it could be used as part of distributed denial-of-service operations and covertly hijacked user computers to mine for cryptocurrency.