They never responded with details of what they were doing to improve security after the last incident: <a href="https://forum.transmissionbt.com/viewtopic.php?f=1&t=17938" rel="nofollow">https://forum.transmissionbt.com/viewtopic.php?f=1&t=17938</a>. The outside appearance is that they didn't address the problem seriously enough.
Second time that this has happened to Transmission this year. Last time ransomware got included. If you're a Transmission user then be <i>very</i> cautious when installing new versions.
So what happened with the code signing? That's pretty much the only viable line of defense for the average user (nobody is going to be verifying SHA signatures, or the site is going to be compromised along with the download)<p>Was the malware version also signed with an official Apple Developer ID? The same ID? Is a change of ID verified with the auto-updater?<p>If there was a malicious Developer ID, has it been revoked by Apple?
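The auto-updater check the comment above asks about can be expressed as a Team ID pin: before installing a downloaded bundle, the updater reads the signature with <code>codesign -dv --verbose=4</code> and refuses the update unless the Team ID and bundle identifier match the ones the running app was shipped with. The following is an added example, not code from the thread or from the Transmission project; the <code>codesign</code> output samples, the Team ID <code>ABCDE12345</code>, the identifier <code>org.example.client</code> and the function names are all constructed for illustration.

```python
"""Pin the Developer ID Team ID an updater will accept (added example).

Parses the text that `codesign -dv --verbose=4 <bundle>` writes to stderr
and compares the signing identity against a pinned Team ID and bundle
identifier. A newly signed but differently owned certificate (a fresh
Developer ID bought by an attacker) produces a different Team ID and is
rejected even though Gatekeeper would accept it. All sample output and
identifiers below are constructed for this example.
"""
import subprocess

# Constructed values standing in for what a real app would ship with.
PINNED_TEAM_ID = "ABCDE12345"
PINNED_IDENTIFIER = "org.example.client"


def parse_codesign_output(text):
    """Turn `key=value` lines from codesign -dv into a dict.

    'Authority' repeats once per certificate in the chain (leaf first),
    so it is collected into a list; other keys are kept as single values.
    """
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # lines such as "code object is not signed at all"
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["Authority"].append(value)
        elif key in ("Identifier", "TeamIdentifier", "CDHash", "Format"):
            info[key] = value
    return info


def check_update(info, pinned_team_id, pinned_identifier):
    """Return (ok, reason). Every failure is a reason to abort the update."""
    team = info.get("TeamIdentifier")
    if team is None:
        return False, "bundle is unsigned or has no Team ID"
    if team != pinned_team_id:
        return False, f"Team ID changed: expected {pinned_team_id}, got {team}"
    if info.get("Identifier") != pinned_identifier:
        return False, f"bundle identifier changed: {info.get('Identifier')}"
    chain = info["Authority"]
    if not chain or not chain[0].startswith("Developer ID Application:"):
        return False, "leaf certificate is not a Developer ID Application cert"
    if chain[-1] != "Apple Root CA":
        return False, "certificate chain does not end at Apple Root CA"
    return True, "ok"


def verify_downloaded_bundle(bundle_path):
    """macOS only: verify integrity, then apply the Team ID pin.

    `codesign --verify` raises CalledProcessError on a broken or missing
    signature; the display step alone does not validate anything.
    """
    subprocess.run(["codesign", "--verify", "--deep", "--strict", bundle_path],
                   capture_output=True, text=True, check=True)
    shown = subprocess.run(["codesign", "-dv", "--verbose=4", bundle_path],
                           capture_output=True, text=True, check=True)
    return check_update(parse_codesign_output(shown.stderr),
                        PINNED_TEAM_ID, PINNED_IDENTIFIER)


# Constructed codesign output for a bundle signed by the expected team.
GOOD_OUTPUT = """\
Executable=/tmp/Client.app/Contents/MacOS/Client
Identifier=org.example.client
Format=app bundle with Mach-O thin (x86_64)
CDHash=0000000000000000000000000000000000000000
Authority=Developer ID Application: Example Org (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

# Constructed output for the same bundle re-signed with someone else's ID.
RESIGNED_OUTPUT = GOOD_OUTPUT.replace("ABCDE12345", "ZZZZZ99999")

# Constructed output for an unsigned bundle (codesign prints one line).
UNSIGNED_OUTPUT = "/tmp/Client.app: code object is not signed at all\n"


if __name__ == "__main__":
    for label, text in (("good", GOOD_OUTPUT), ("resigned", RESIGNED_OUTPUT),
                        ("unsigned", UNSIGNED_OUTPUT)):
        ok, reason = check_update(parse_codesign_output(text),
                                  PINNED_TEAM_ID, PINNED_IDENTIFIER)
        print(f"{label}: ok={ok} ({reason})")
```

The pin catches the case Gatekeeper does not: a package that is validly signed, just by a different team. Revocation of the attacker's certificate is still Apple's job and arrives later; the pin protects users in the meantime.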
It's nasty that a free software project has to deal with this, given their limited resources. This shows the importance of reproducible builds and using package managers with verification like APT or homebrew.
More info on the malware:<p>> The OSX/Keydnap backdoor is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X’s keychain. The author simply took a proof-of-concept example available on Github called Keychaindump. It reads securityd’s memory and searches for the decryption key for the user’s keychain. This process is described in a paper by K. Lee and H. Koo. One of the reasons we think the source was taken directly from Github is that the function names in the source code are the same in the Keydnap malware.<p>Source: <a href="http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/" rel="nofollow">http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malw...</a>
I'm not a Transmission user, but this makes me wonder, as a sort of Ask HN question: How long do you wait before updating software?<p>If you always update as soon as possible, then you risk getting hit by a compromise like this one, or you could suffer other unintentional bad effects of a botched update.<p>But the longer you delay updating, the more you raise your risk of becoming a victim of a new vulnerability that's just been patched and is now in the wild.
That's not the first time this has happened... <a href="http://gizmodo.com/yes-ransomware-can-affect-macs-too-1763239644" rel="nofollow">http://gizmodo.com/yes-ransomware-can-affect-macs-too-176323...</a>
Service announcement: You were only at risk when you downloaded fresh copies from the website. As with the previous incident, updates within the app were safe and checked.
Kinda sucks, and I haven't followed Transmission for a while, but them transitioning more to Github is a good thing -- I trust Github more than a self hosted solution, in general. It sucks they've been compromised twice in a year, but hopefully this will help mitigate some of that.
I like Transmission, but this is the second serious security problem they've had this year. Once you can forgive, but twice and it's time to look for a new BitTorrent client.
You might want to install Objective-See's free BlockBlock tool to block these types of things:<p><a href="https://twitter.com/objective_see/status/771189100355264512" rel="nofollow">https://twitter.com/objective_see/status/771189100355264512</a><p>Also, their other (free, open source) tools are very good too, like KnockKnock and RansomWhere:<p><a href="https://objective-see.com/" rel="nofollow">https://objective-see.com/</a>
> Am I at risk?<p>Instead of "Blah-blah, less than a day, go check yourself", they could grep the logs for IPs (and session cookies if they log that) of lucky winners and explicitly inform them when they hit any page on their site. Then show the generic version to everyone else. This takes all but 5 minutes to set up.
They say that the infected file was only there for a day, but maybe it would behoove them to do some bash-fu w/ their logs and get an approximation of the number of users affected!
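The log work the two comments above suggest (find the clients who fetched the trojanized file while it was live, so they can be notified and counted) is a small filtering job over the web server's access log. The following is an added example, not from the thread or from the Transmission project: it parses combined-format log lines, keeps only completed GET requests for the infected path inside the compromise window, and returns the distinct client IPs with the time each was first seen. The log lines, the path <code>/downloads/transmission.dmg</code> and the window boundaries are constructed placeholders.

```python
"""Count distinct clients that downloaded a file during a compromise window.

Added example: reads Apache/nginx "combined" access log lines and keeps
GET requests for the trojanized path that completed (200 or 206) inside
[WINDOW_START, WINDOW_END). Partial-content (206) responses count, since
download managers fetch large files in ranges. HEAD requests, 404s and
requests outside the window are ignored. All sample data is constructed.
"""
import re
from datetime import datetime, timezone

# Combined log format; assumption: the server logs in this layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed placeholders for the infected path and the exposure window.
INFECTED_PATH = "/downloads/transmission.dmg"
WINDOW_START = datetime(2016, 8, 28, 10, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2016, 8, 29, 10, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def affected_clients(lines, path, start, end):
    """Map each client IP that completed a GET of `path` in [start, end)
    to the timestamp of its first such request."""
    first_seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-combined line; skip rather than crash
        if rec["method"] != "GET" or rec["path"] != path:
            continue
        if rec["status"] not in (200, 206):
            continue
        if not (start <= rec["ts"] < end):
            continue
        first_seen.setdefault(rec["ip"], rec["ts"])
    return first_seen


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Aug/2016:11:05:12 +0000] "GET /downloads/transmission.dmg HTTP/1.1" 200 6832455 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [28/Aug/2016:11:06:40 +0000] "GET /downloads/transmission.dmg HTTP/1.1" 206 1048576 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Aug/2016:12:30:01 +0000] "GET /downloads/transmission.dmg HTTP/1.1" 200 6832455 "-" "curl/7.43.0"',
    '192.0.2.44 - - [28/Aug/2016:09:10:00 +0000] "GET /downloads/transmission.dmg HTTP/1.1" 200 6832455 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [28/Aug/2016:13:00:00 +0000] "GET /downloads/transmission.tar.xz HTTP/1.1" 200 3200000 "-" "Wget/1.17"',
    '198.51.100.8 - - [28/Aug/2016:14:00:00 +0000] "GET /downloads/transmission.dmg HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [28/Aug/2016:15:00:00 +0000] "HEAD /downloads/transmission.dmg HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    "this line is not an access log entry",
]


if __name__ == "__main__":
    hits = affected_clients(SAMPLE_LOG, INFECTED_PATH, WINDOW_START, WINDOW_END)
    print(f"{len(hits)} distinct clients fetched {INFECTED_PATH} in the window")
    for ip, ts in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"  {ip}  first seen {ts.isoformat()}")
```

On real logs, feed the function a file object instead of the list and expect an undercount: NAT hides users behind one address, and a mirror or CDN in front of the origin will have its own logs. The number is still a far better answer to "Am I at risk?" than "less than a day".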
Wow, I downloaded a binary from the website in that exact timeframe.<p>Luckily, it was only the CLI version, which I was putting on an Ubuntu system...
According to the article, the title is wrong<p>"The infected file was available for download somewhere between a few hours and less than a day."