Malicious Xcode could spread via download manager Xunlei
What’s at stake?
We reported last week that popular Chinese iOS apps were compromised in an unprecedented malware attack. We discovered that the source of the infection was compromised copies of Xcode hosted on Baidu Pan. Apple has published an article urging developers to download Xcode directly from the Mac App Store, or from the Apple Developer website and validate signatures. We’ve now discovered that even if a developer uses a download link seemingly from Apple, he might still be possible to obtain a compromised copy of Xcode.
Please note that we do not have evidence that such attacks has happened. But it is an easy attack that anyone can implement.
How does it work?
This compromise happened because of Xunlei. Xunlei is the most popular download manager in China. Much of its popularity is due to the fact they can accelerate download speeds by pulling resources from other Xunlei users as well as cached copies on the Xunlei server. All of this, however, is invisible to users. Users can simply enter a regular http download address into Xunlei download manager and the download will start. Chinese developers were using direct download addresses such as http://adcdownload.apple.com/Developer_Tools/Xcode_7/Xcode_7.dmg to download Xcode.
Because of Xunlei’s P2P and server cache, download speeds would be much faster than the Mac App Store. Downloading via Xunlei also means that developers do not need to be enrolled in the Apple developer program. Direct downloads of Xcode via the developer program cost $99. Because the URL belongs to Apple, users were tricked into thinking that the download link was authentic and hence the Xcode copy. But in actual fact, the file is not authentic because it comes from Xunlei’s P2P and server cache.
The way to “host” a compromised copy of Xcode on Apple’s server is to trick Xunlei locally and let the error propagate. For example, a malicious user can hijack adcdownload.apple.com locally via host file and download from a non-exsistant URL http://adcdownload.apple.com/xcode-fake-1.1.1.1.dmg. Xunlei will then correlate this URL with the file specified by the malicious user and provide this file to other innocent users.
This is what actually happens when you use Xunlei to download http://adcdownload.apple.com/xcode-fake-1.1.1.1.dmg
But if you look at the details of the download source, you can see that 0% of the download is from the original server (i.e adcdownload.apple.com) while the server cache accounts for 26% and P2P accounts for 3% of the download.
You can also see that attempts by Xunlei to connect to adcdownload.apple.com were redirected to https://developer.apple.com/unauthorized/ because Apple only allows users in the Apple developer program to access the page.
Malicious attackers can poison Xunlei with a URL similar to a real Apple Xcode URL and then post the fake URL on forums and download sites. Most Chinese users by default use Xunlei to download. In fact, they have to if they are not enrolled in the Apple developer program. Most will have a compromised copy of Xcode, seemingly downloaded from Apple.
What can developers do to prevent future attacks?
Our suggestions are exactly the same from our last blog post.
-
Always download Xcode from the official Mac App Store. For other developer tools, always download these from official sources.
-
Always check the digital signature of developer tools. It is irresponsible for developers to ignore signature warnings. Xcode clearly should have been signed by Apple; all other versions should have produced user warnings.
-
Separate your development system with your everyday system. Development systems should be used solely for development and not for browsing random sites. If physical separation presents too much of a problem for developers, at the very least, a dedicated user account for development should be used.
Xunlei users should be cautious
As demonstrated above, Xunlei cannot be trusted to download the correct file, even if the download link is HTTPS. Users should manually check hash after download or use the browser’s download function.
References:
- 带给您中国防火墙封锁的最新资讯
评论
Nice article thanks very much
http://bitly.com/rmvsbarcalive
thanks for http://www.aprilfoolsjokesschool.pw
Nice article.thanks for sharing
Android Games
JASA SEO
JASA SEO
http://www.yaredilaia.com
Thanks, you guys that is a great explanation. keep up the good work in your granite blog.
facebook lite |qr code generator |resignation letter
Nice post!..good information,it is really helpful..it really impressed me alot and i just loved it.Thanks for posting such an informative content:
http://packers-and-movers-delhi.in/
http://packers-and-movers-delhi.in/packers-and-movers-dwarka-delhi
http://packers-and-movers-delhi.in/packers-and-movers-gurgaon
nice article....with great info
http://westbengalelectionresults.com/
nice informasinya kawan.. kunjungi kami balik donk
info obat ginjal bocor dari ace maxs
Nice information for all Obat Ginjal Bocor | Obat Ginjal Bocor
nice informasinya kawan.. kunjungi kami balik donk
info obat ginjal bocor dari ace maxs
http://obatginjalbocor.9kes.com
http://obatginjalbocor.apotekgumilar.com
http://obatginjalbocorterampuh.blogspot.com
French Open 2016 Live Streaming: http://www.frenchopenlivestream.org/ is going to start on 16th may. We will provide you with roland garros 2016 and scores.
thank for share
http://obathernia.best-agaric.net/
It is one of the incident happened for Wikipedia last year. But now everything is going to fine. And i am really happy about the method of encryption and decryption technique Wikipedia added for the users.
http://sultanbusinesssetup.com/
Interesting topic for a blog. I have been searching the Internet for https://www.openstreetmap.org/user/makably Fabulous post. Thanks a ton for sharing your knowledge!
The only group with multiple Excellent http://www.superbowlcommercial.org/ appearances with no losses is the particular Baltimore Ravens, who in profitable XLVII beaten and replaced the 49ers for the reason that position.Super Bowl Commercials, Super Bowl Champions Winners, Videos Online Stream Free.
Here at http://www.superbowllivestream.org/ Amazing match going to happen.
Best Happy New Year 2017 Quotes : http://www.newyearquotes.org/ is only a few days away
good Words possesses been added in the Adjustments menu. shareitdownloadapp Each minor version pushed some bug fixes, and there were no new features introduced. nice.
Watch Barcelona Vs. Real Sociedad La Liga Game Online ... Third-place Barcelona (26 points) needs a victory in order to keep pace with league-leading Real Madrid
http://www.realmadridvsbarcelonalivestreamhd.com/
Another El Clásico approaches - Barcelona are sitting 1st in La Liga table, with a ten point
advantage over their historic rivals, who have collected four victories in a row. Games do not come bigger than El Classico between Barcelona and Real Madrid and this weekend we will have both teams taking on each other in what could be season deciding match in Spain on Saturday, 03 December 2016 at Camp Nou. Barcelona are the firm favourites as they host Real Madrid at Camp Nou for the second El Clascio this season.
It's the biggest rivalry in club soccer - El Clasico. League leaders Real Madrid travel away from to take on second-placed Barcelona in a crucial La Liga game week 14 encounter. Sergio Busquets was recently omitted from the Spain team due to a fracture of his finger but this is not expected to jeopardise his involvement in El Clasico.
Barcelona have scored in each of their last 21 games against Real, the best run of a side in the Clásico history, while 18 of the last 19 Clásicos have gone over the 2.5 goals line.
For Barcelona in particular, though, the rest of the team will be just as crucial. Barcelona have been producing outstanding performances at their Camp Nou this season and they are likely to extend their goal-scoring run in Saturday's El Clasico.
Real Madrid, on the other hand, are desperate to pick up all three points from El Clasico. There is no rivalry that can match the intensity of an El Clasico - epic encounters between FC Barcelona and Real Madrid that bring out the best and worst of players and supporters alike. Barcelona have won 16 penalties in La Liga 2015/16, the most for any side in a single season since 2005/06.
Watch Barcelona vs Real Madrid Live Stream Free ( El Clasico 2016 )
Football Live stream,
All Sports Live Stream
http://www.ngplays.com
http://www.ngplays.com
The Hollywood Foreign Press Association, Dick Clark Productions and Twitter partner to live stream The Globes Red Carpet Live pre-show for the 74th Annual Golden Globe Awards.
http://www.goldenglobes2017live.com/ Visit Here
The two-hour pre-show will stream live on Twitter from the red carpet at The Beverly Hilton on January 8, 2017, and will only be available in the US, for both Twitter account holders and all others. As part of the live stream, comprehensive advertising packages will be available via Twitter.
“Twitter is where the conversation about the Golden Globes happens. Viewers Tweet along before, during and after the award show,” said Anthony Noto, COO at Twitter.
“Our collaboration with The Hollywood Foreign Press Association and Dick Clark productions for this red carpet show will bring high-quality live content and commentary to the masses through Twitter.”
“The Hollywood Foreign Press Association is always searching for innovative ways and original tools to reach our audience wherever it is as Hollywood comes together on one night to celebrate the best in motion pictures and television – and Twitter is the recognised partner to help us expand our audience,” said HFPA president Lorenzo Soria.
“With the community that Twitter has built, together we will bring the magic of the Golden Globe Awards red carpet to the homes and eyes of aspiring storytellers across the country.”
“Twitter is critical to the live element of our shows by connecting audiences through real time conversation,” said Mike Mahan, president, Dick Clark Productions.
“Through this partnership we will create a unique live streaming pre-show experience that takes our audience closer to the Golden Globes.”
http://200ufclivestream.com
http://200ufclivestream.com/ufc207
http://200ufclivestream.com
http://ufc.livestreamhdq.com
https://orangebowl-livestream.com/
http://peachbowllive-stream.com
assemblyelectionsindia.com
i have downloaded lot of apps from store and xcode is helping to get our product without any struggle. The http://www.floralshop.ae/ will provide fresh flowers for you.
good You could make contact us to anyone in your IMO on PC call listing. IMO APK utilize its search tool to browse Imo for COMPUTER download nice.
good them then transfer them to your cell phone Showbox shows and films as well as collection to ensure best.
Every weekend i used to go to see this web page, because i wish for enjoyment,
as this this web site conations really good funny material too.
Feel free to visit my weblog; fifa coins zone coupon code (www.xix1110.com)
install and install the Lenovo SHAREit Currently Let me tell SHAREit Download high-end PC's can be easily enter into this SHAREit app.
The customer could activate texture scaling, Vsync, and anisotropic PPSSPP Gold Download this emulator downloaded on your Android device.
http://marium.net
Listed below I explained ways to download Mobdro for PC, imobdro offline as well as online on your gadget. Below I explained.
Thanksgiving 2017 images
www.thanksgiving-2017.com
You require to get the Apk of Appvn on your device you would all establish for that. appvnapkdownload over the original android play store for their phones.
australian open live 2018 thankx
you really did a good job
https://www.superbowlsunday.us/super-bowl-2018/
页面
添加新评论