
MacKeeper 0-day flaw more than 20M users affected - cekanoni
https://thehacktimes.com/mackeeper-0-day-flaw-more-than-20-million-users-affected/
======
wil421
Not sure if anyone knowingly installs MacKeeper but I accidentally accepted
the download for MacKeeper when I was trying to install a Camera app. Big
mistake and I tried to stop the installation.

MacKeeper is a nasty piece of malware. I couldn't quit the program, it would
immediately start back and putting it in the trash did nothing. Ended up
having to boot into safe mode and remove.

Well as soon as I got it off my computer in Safe mode and restarted I get a
prohibited sign. Mac will not boot. Ended up having to reinstall OS X.
Thankfully you are able to reinstall and keep your files. Now I stay up to
date on my backups!

I don't see why apple doesn't ban them. Obviously they are shady.

~~~
thirdsun
I once saw a coworker accidentally installing it and it surely is a nasty
piece of malware. The problem is that one can never be quite sure whether
every piece of the software was removed, which is why we ended up just
reinstalling OS X and avoid guessing.

Since then, a few of my friends, who aren't into tech, almost installed
MacKeeper. They all had a long history of using Windows and felt that
installing some Anti-Virus, Anti-Malware junk was the most natural thing. For
normal users it's really hard to distinguish between legitimate
applications/websites and shady stuff.

~~~
orf
Their website[1] looks awesome, I don't own a Mac (Windows user) but if I were
to buy one I would definitely consider buying and using it. It's good that
this site[2] is the second result on Google for "mac keeper" though.

1\. [http://mackeeper.com](http://mackeeper.com)

2\. [http://www.imore.com/avoid-mackeeper](http://www.imore.com/avoid-mackeeper)

~~~
pbhjpbhj
Interestingly the toolkit shown is the Ikea toolkit "Fixa" - I wonder if
there's not IP restrictions on their use of such an image.

Edit: I saw this quote on the Mackeeper website you linked (it is good design)
"MacKeeper was noticed at Macworld by a journalist from Cult of Mac". So I
chased that phrase and all I found was algorithmic page generators like this
[http://drgogek.com/is/is-mackeeper-really-a-scam-cult-of-mac...](http://drgogek.com/is/is-mackeeper-really-a-scam-cult-of-mac.html).

Using a different tack CoM mention Mackeeper in a single page found from their
search box, an affiliate promotion page ... using Google unearths more
promotions,
[https://www.google.co.uk/search?q=site%3Acultofmac.com](https://www.google.co.uk/search?q=site%3Acultofmac.com)
mackeeper.

So, it looks like their quoted reviews are from people they're paying to sell
the product, that's a warning sign.

Didn't investigate further.

~~~
cekanoni
good find.

------
anonfunction
The person who found the 0-day set up a website that exploits the flaw by
uninstalling MacKeeper.

 _Mr. Thomas released a proof-of-concept (POC) demonstrating how visiting a
specially crafted webpage in Safari causes the affected system to execute
arbitrary commands – in this case, to uninstall MacKeeper._

Source:
[http://securemac.com/MacKeeper_Security_Advisory_Revised.php](http://securemac.com/MacKeeper_Security_Advisory_Revised.php)

~~~
themartorana
Proof of concept and solution, sounds like.

------
Sephiroth87
_make sure to run MacKeeper Update and install the latest version 3.4.1 or
latest_

Or, you know, don't use MacKeeper ever?

~~~
gchokov
Exactly. I wish someone comes up with a way to get rid of this thing
f-o-r-e-v-e-r

------
supercoder
The Proof of Concept is brilliant. Hopefully MacKeeper fails to patch the
issue and the PoC goes viral to rid the world of this spammy app.

~~~
cekanoni
I hope so also, really hate that spammy app, especially when I open a popular
hub site we all know, and it opens it in background wtf ...

------
amencarini
Why am I not surprised that a software mainly famous because of its pop-up ads
is not the most reliable thing ever?

~~~
philfrasty
I have rarely seen someone advertise (any product) as aggressive as they do.

~~~
nsxwolf
They used to run this beautifully integrated ad on speedtest.net, where the
robot character was rendered in the same neon green motif. It looked like it
was just part of the site. That meant that Ookla must have had an incredibly
close working relationship with the ad people at MacKeeper. Feels so dirty.

------
aidos
MacKeeper will execute arbitrary base64 encoded commands on a custom url as
root.

I guess it's a "flaw" but whoever put that in knew that would come back to
bite. Haha, it's so insanely irresponsible that I don't even know where to
start.

We need something like a hippocratic oath, and probably a governing body (or
however grown up industries manage themselves), to stop people responsible for
this sort of code from having a license to practice.

------
al2o3cr
Please to consider cleaning your Mac from MacKeeper.

Seriously, given the intensely spammy nature of the product's ads I'm unclear
if this counts as a 0-day or a FEATURE.

------
technologia
Wait, MacKeeper is actual software? I just thought it was just another piece
of malware with a strangely good pop-up in comparison to other malware
pop-ups.

~~~
sjwright
You're not wrong, that's pretty much all it is.

(Oh, and it bundles a bunch of inferior versions of features already built-in
to Mac OS X, like backups, file searching, data encryption, secure delete,
login item disabling, default app selection, etc.)

------
threeseed
20M MacKeeper users seems like an extraordinary number.

~~~
cekanoni
not to mention over 700k paid subscribers ..

~~~
bontoJR
I was wondering from where this number is coming from...

~~~
cekanoni
Their company is based in Ukraine so you would probably need Russian language
to dig a bit in the publicly available documents, but I found that number
somewhere on twitter, and am sure it's correct. Another proof how much dumb
people are living on this wonderful planet..

~~~
bontoJR
I honestly thought it was an out of mind number, but thinking about how
aggressive is their advertising campaign, sometimes almost misleading and the
average knowledge of a user, well, I am not sure is out of mind anymore...

------
some1else
"Consider cleaning your Mac from junk"

-- MacKeeper campaign, 2013

------
mahouse
The amount of things I miss by running ad blockers.

------
ceejayoz
Given their advertising methods, I always figured installing MacKeeper was a
good way to hose yourself.

------
koyote
"We found users in the US typically use more data and the alternative plans
start at around 500MB."

This is interesting considering that the UK providers generally provide more
data to users for less money than US providers (with quite a few offering
unlimited).

------
parandroid
I have a MacKeeper related question: are apps such as this (cleaners,
antivirus etc.) necessary for Mac computers? Judging by the number of users
affected by this, there are a lot of people thinking they do need it, I guess.

~~~
pidg
I don't feel they are necessary, even for less advanced users. Apple do a
reasonably good job of keeping things safe and up-to-date.

The number of users may also reflect their pushy "you need this!" marketing. I
installed MacKeeper a few days after switching from Windows to Mac, as I had
no idea what I was doing. Ended up uninstalling it, then reinstalling OS X
from scratch just in case.

~~~
parandroid
That's what I thought, thanks. I'm a newish Mac user, so I was a bit confused
by the whole situation, since other Mac I know told me not to install anything
of that kind.

------
kubbing
How does one block MacKeeper popups in Safari? Why isn't Safari blocking it?

~~~
joosters
uBlock - [https://chrismatic.io/ublock/](https://chrismatic.io/ublock/)

~~~
cekanoni
ublock over adblock for safari ?

------
unfamiliar
I really hope Apple uses this as an excuse to add this crapware to their list of
malware that OS X blocks the installation of.


