Apple used to be a bastion of computer security, its products seemingly invincible in the face of malware. But a recent security discovery might change that perception.
Security researcher Chris Vickery blew the whistle on 13 million MacKeeper user credentials, including usernames and passwords, that were exposed online and discoverable via Shodan, a search engine that indexes devices and servers connected to the Web. It is hard to categorize the incident as a data breach, since obtaining the data did not require any hacking technique.
MacKeeper is meant to help Mac users keep their computers running smoothly. Vickery found, however, that it was possible to gain access to MacKeeper user data by just downloading and viewing the millions of usernames and passwords, which were stored in a database with no protection whatsoever.
It is a sort of internal flaw on the part of the MacKeeper software. MacKeeper's own database was left virtually open to the Internet, enabling anyone to view and, in more dire circumstances, steal user credentials. Anybody searching through Shodan would have been able to gain access to the insecure MacKeeper database. As simple as that!
This is not the first time, however, that MacKeeper was involved in a major user data leak. Other security researchers have criticized the software in recent memory because it engaged in a scareware technique, pressuring users into subscribing to the premium version after the free trial. Otherwise, they would be exposed to attacks in the absence of the necessary security features that came with the paid version.
That was in 2014, when the company that previously owned the software faced a class-action suit. Zeobit, the owner at the time, settled the lawsuit for $2 million. The software is now developed and maintained by Kromtech, which, ironically, boasts of an anti-theft tracking feature in the product.
Kromtech acknowledged Vickery's findings, adding that the needed fixes had been rolled out before any untoward incident, such as a malicious attack, could befall the software product. The company also assured users that no sensitive data were leaked to hackers, and that the software's database was accessed only once, which indicates that so far only Vickery has been able to gain access to the data.
For his part, the security researcher confirmed that the data he accessed were never used inappropriately, but solely for the purpose of his research.