New Mac Malware, and Stolen Session Cookies – Intego Mac Podcast Episode 285
Posted on
by
Kirk McElhearn
New Mac malware can exfiltrate various types of data from your Mac, and a Chrome extension can steal Facebook session cookies. We discuss how stolen session cookies can give attackers easy access to your accounts, and potential ways to thwart this.
- Apple releases macOS Ventura 13.3, iOS 16.4, and more, with security updates
- Apple Reveals How Many iPhones and iPads Are Running iOS 16 and iPadOS 16
- MacStealer: Mac Trojan malware steals passwords, wallets, and files
- FakeGPT: Trojanized ChatGPT Chrome extensions hijack Facebook accounts
- AmIUnique – My browser fingerprint
- What3Words
Transcript of Intego Mac Podcast episode 285
Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, March 30, 2023.
This week’s Intego Mac Podcast security headlines include: Details on Apple’s latest operating system updates, which were just released; MacStealer is a new strain of malware that can swipe your app support files; and web browser session cookie theft. Sounds innocent enough, but we discuss a number of user specific data points that are accessible to session cookie hackers. Now, here are the hosts of the Intego Mac Podcast, veteran Mac journalist, Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:46
Good morning, Josh, how are you today?
Josh Long 0:48
I’m doing well. How are you, Kirk?
Apple’s latest security updates.
Kirk McElhearn 0:50
I’m doing fine. How long ago was it that we had our last security updates from Apple all of Apple’s operating systems? Wasn’t it just three weeks ago? Because we had some new ones on Monday, as usual for the Mac, iPhone, iPad, Apple TV watch HomePod. But didn’t we just have a few just three weeks ago?
Josh Long 1:08
Well, the one security update that we had relatively recently was the GarageBand. One that we mentioned that came out on March 7, the only other security updates that we’ve had recently, were back in mid February. And at that time, we had an actively exploited vulnerability that was patched in iOS 16.3.1. Well, we got a whole bunch of security updates this week. And the only actively exploited vulnerability out of all of these that was patched was in iOS and iPadOS 15.7.4. Guess what, it’s that same vulnerability that didn’t get patched. There were zero patches, none at all, for iOS 15, six weeks ago, on February 13. When we got those other patches, iOS 15 just got completely left out. Six weeks later. Now they finally released that patch for an actively exploited vulnerability. So that means for the past six weeks, Apple has knowingly been leaving iOS 15 people vulnerable. Why does Apple do this?
Kirk McElhearn 2:10
Objection, Your Honor, leading the witness? I understand your pain here, Josh. I understand. And whatever reasons there are, there are reasons but think of it this way. Not only did they patch an actively exploited vulnerability, but they pre patched vulnerabilities that aren’t yet actively exploited. In every security update. They’re patching things that we didn’t even know about. And it’s proactive security. So isn’t that a good thing?
Josh Long 2:41
Well, of course, that’s a good thing. Yeah, my concern is the false sense of security, that on the one hand, the false sense of security that Apple is giving to iOS 15 users by Here you go, you have a security update. Well. Guess how many vulnerabilities were patched in the 15 version there, there were 16 vulnerabilities patched. So this count covers two patch cycles, at least now, because we’ve got the February patches, and we’ve got the march patches, and of those iOS 15 gets 16 patches. Now, iOS 16.4, the one that just came out this week has 33 patches, not to mention that we got a bunch of patches in February. Now, I know I know, granted, not necessarily does all of these patches for iOS 16 relate to 15. They may not all apply to 15. But probably the majority of them do, or at least a significant number of them do apply to 15. But Apple’s choosing not to patch them for 15. So just don’t, just stop, right, like encourage people to upgrade to 16. And then we’re all good, right?
Kirk McElhearn 3:49
Well, in an article in MacRumors in February, they point out that Apple regularly gives out statistics of which device is using which operating system 81% of iPhones introduced in the last four years are running iOS 16. So only 15% are running iOS 15 and 4% earlier. Now, it’s interesting they say that because “introduced in the last four years”, anything that’s older than four years is certainly not running iOS 16. Right?
Josh Long 4:17
Well, so here’s the thing, the one benefit of Apple patching 15 is really for people who are still on older models that can’t be upgraded at 16. Right, so that that would include the 6s, the 7, 1st-gen iPhone SE, there’s also some iPad models in there as well, and of course the iPod Touch 7th generation which cannot be upgraded to iOS 16. That’s another one of those products that Apple basically killed operating system updates shortly after you could last buy that product from Apple. Not quite as bad as what they did with the watch series three recently where they kept selling it for eight months after they stopped doing security updates. But nevertheless.
Kirk McElhearn 4:58
You know, Josh, you’ve been repeating this every episode for months now. And they finally stopped selling it. So valid point. But let’s move on from this, Josh.
Josh Long 5:08
It’s hard for me to! So this is really frustrating for me right? So I wrote this article about this. We talked about this last week, and it got like zero press coverage. What do I have to do to… like how…I’m trying to shout from the rooftops and like, get anybody to pay attention. Apple has done something really egregiously terrible here by knowingly selling products that are insecure that have actively exploited vulnerabilities and nobody wants to pay attention, you can understand my frustration. I hope.
Kirk McElhearn 5:37
I understand. Now an interesting number here is iPads only 53% of devices introduced in the last four years are using iPadOS 16. I wonder why iPad users are much less likely to update.
Josh Long 5:51
I wonder if it has something to do with maybe people are, you know, people are holding the iPhone all day long. They’ve got it in their pocket, they’re always checking it. And maybe people just don’t necessarily check their iPads as often. Maybe they’re just using them, you know, in the evening to watch a show and they plug them in, and they don’t really pay as much attention to app updates or operating system updates. I imagine it has a little more to do with just the fact that like you’re carrying your phone on you all the time. And you’re probably not carrying your iPad on you all the time.
Apple compels iPad owners to automatically update.
Kirk McElhearn 6:23
So here’s something interesting that I saw when I updated my iPads this week. After the software update was done a screen displayed “Software update complete. Your iPad has been updated to iPadOS 16.4. Future software updates will be automatically downloaded and installed for you as they are released. You can manage this in software update settings.” So they’re trying to force people to have automatic updates because fewer people have automatic updates on the iPad. Now, I didn’t see this on an iPhone. But I did see this on an iPad.
Josh Long 6:54
Yeah, that is interesting. And it’s a good thing. I mean, I think, again, with iPadOS, and iOS, I think it’s okay to automatically update them, generally speaking, because if you’re not using them overnight, you know, most of the time, if you’re on a desktop computer, you’ve got a bunch of things that you may lose if your computer just restarts. And you’re less likely to lose things on a mobile device just because of the way the nature of the way those apps work, right. They sort of freeze themselves in a last used state so that when you’re switching apps, they can hide in the background and not really be using up any CPU, which allows you to save a lot of battery life. On the Mac, that doesn’t necessarily happen. If your computer restarts because of a system update, then you lose, for example, all of your private browsing tabs in third party browsers, interestingly, not in Safari. And I think maybe Apple does that on purpose for that reason. So that maybe at some point that we could get to the point where Apple will be automatically rebooting your Mac to install security updates and things like that.
Kirk McElhearn 8:03
It’s a good point about Safari. Anytime I install an app that has a Safari extension for the Mac App Store, you have to quit Safari. And I always hesitate to do it. Because Oh, I’ve got to quit Safari. But then I realized that you quit Safari and reopens all the tabs and windows and everything is just as it was before.
Josh Long 8:19
Including private browsing tabs. And I think so far is the only browser on the desktop that does that as far as I know.
New Mac Malware Named “MacStealer”.
Kirk McElhearn 8:25
Yeah. So it’s a painless operation. Anyway, we also want to talk about new Mac malware. And this is one of the coolest Mac malware names I’ve heard in years. MacStealer. I mean, come on guys. malware gets like fancy names and logos and theme songs and someone gets malware. And they call it MacStealer.
Josh Long 8:43
Yes, it’s not the most original name. But you know, “up ticks”, I guess is how you pronounce the name of this company that found it. U-P-T-Y-C-S. They came across this, this malware that has some capabilities that we’ve seen before. But this is a new strain of malware that does a lot of the typical things that you would expect from a piece of malware called MacStealer. It steals stuff from your computer. One of the things that it does, and probably the most interesting, it does try to extract data from your keychain, it will try to exfiltrate certain types of files that it’s looking for. But I think the most interesting thing here is that it collects the passwords, cookies and credit card data from three particular browsers Firefox, Google, Chrome, and Brave. Now you’ll notice that Safari is not on that list, right?
Kirk McElhearn 9:36
Isn’t this data supposed to be encrypted? How can it copy this data if it’s encrypted? Well,
Josh Long 9:40
interestingly enough, it’s pretty easy actually, to export this and exfiltrate this kind of data because all you really have to do is bundle up all of the stuff in the “Application Support” folder. So basically, every Mac app has in the user’s Home directory. There’s a hidden folder called “Library”. And within that is Application Support. And then pretty much all your apps have some folder inside of Application Support that holds data related to that app. It’s more than just like the, the settings and things. And in particular with browsers, it includes all of your cookies and caches and your extensions and all those kinds of things as well. So if you copy that folder from Application Support, and put it on another computer, now you’ve got that entire browser setup on another computer. So all you really need to do at it to steal people’s Google Chrome passwords, for example, is just to grab that folder, put it on another computer. That’s it.
Kirk McElhearn 10:46
So basically, on the other computer, you’re acting as if that’s your Application Support folder, and it’s giving you all the data. (Exactly. Yep.) You don’t have to log in to Google Chrome.
Josh Long 10:57
Correct, right. All of your all of your data is just there.
Kirk McElhearn 11:00
Because the cookie shows that you’re logged in.
Josh Long 11:03
Yeah. So this is kind of a problem, right?
Kirk McElhearn 11:07
It sounds like more than a problem. This sounds like a very serious problem.
Josh Long 11:11
Yeah.And in fact, Google has said this in the past, and I’m trying to remember whether this ever actually changed with Google. But their policy for years has been that Google Chrome assumes that if you are logged into your computer, then you shouldn’t have to re authenticate in order to see your passwords. In any case, if you have one of those three browsers, it’s it’s got all the all of your cookies now. And anything else that you have done in those browsing sessions, it’s so it’s got your history, it’s got, potentially they have access now to your passwords and credit card data as well.
Kirk McElhearn 11:51
Okay, we’re gonna take a break. When we come back, we’re gonna talk about a Chrome extension that steals Facebook session cookies, and it may not sound like much, but this can be a very serious problem.
Voice Over 12:03
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.
FakeGPT malware. And why are session cookies such a big problem?
Kirk McElhearn 13:18
So before we went to the break, we were talking about cookies and Chrome. And there’s a story about a fake GPT Chrome extension that steals Facebook session cookies, and breaks into accounts. Now. Chrome extensions — all browsers have extensions now. And there’s plenty of fake extensions. And there’s been malware in Chrome extensions, probably a lot less in Safari Extensions. But what stands out in this is that if this extension can steal a Facebook session cookie, so this is the file that’s written on your computer by Facebook with information about you, that says you are logged into your account. So when you load a new page in Facebook, or click on something, it doesn’t make you log in again, if someone steals that file, and puts it on another computer, it’s as if they were you. It’s as if they’re putting on a disguise, a Josh Long mask, and being Josh Long on a different computer. Now, we were discussing this before we started recording. And what I find interesting is that it’s relatively banal, to steal this sort of cookie. And it’s relatively simple to, as you were saying before the break, just put that Application Support folder or a cookie file onto another computer. And that means you could be logged into all sorts of accounts of someone else’s computer.
Josh Long 14:34
Right. So this this particular Chrome extension was in the Chrome Web Store. This was called “ChatGPT for Google”, it actually has nothing to do with ChatGPT. It does not belong to open AI. But somehow this got into the Chrome Web Store, and it had ulterior motives. Now, this shouldn’t happen, right? There should be a better vetting process that should never allow this kind of thing to happen. But unfortunately, this does happen from time to time. More often, with Chrome extensions, in particular, what often will happen is that a developer kind of stops working on a Chrome extension, and they just kind of let it stagnate. And then somebody else some other, supposed company comes along and says, and offers a bunch of money to the developer of this extension and says, hey, we’ll take over this extension for you. And so the new developer that takes over that extension, they’ll maliciously modify it. So now it does some other things that it never was supposed to have done. And, and now we can do things like stealing session cookies, and other things like that. So why is session cookies such a big problem? We did talk about Firesheep, a couple of episodes ago, and how back when that extension came out at that time, websites were not using HTTPS for the entire browsing session, meaning from the moment that you landed on the website, and throughout every page that you accessed on the site, they typically would not use HTTPS, except for the pages that required you to log in. And then once you logged in, it would kick you back to HTTP. Well, most websites are HTTPS across the board, specifically, because of things like Firesheep and the awareness that it gave the industry of how easy it was to steal session cookies. Well, we still have a problem with session cookies, it’s just not as obvious anymore. Because you know, if you go to a cafe or someplace with public WiFi, somebody who’s using Firesheep is probably not going to be able to get into a lot of accounts, because most major accounts anyway, Facebook and Twitter and banks and other such sites are using HTTPS for the entire browsing session. And so you won’t be able to steal those websites’ cookies, using something like Firesheep. However, we still have an issue with cookies, because of things like this. Malware that can steal a session cookie from your computer, and put that cookie onto another machine. Now that other machine behaves exactly like it is you. So now whoever stole your cookies is able to log in as you. Well they don’t have to even log in. So they’re not typing in a password, they don’t have to know your password, because you’ve already put it in in your browser. And now your browser has that session cookie that basically is authenticating on your behalf, it’s telling the site, hey, this is still me. And the site is trusting that cookie.
Kirk McElhearn 17:38
Even if you have two factor authentication enabled for the account.
Josh Long 17:42
Exactly. Right. So this is a real problem. And we’re seeing more of this where malware is doing things like this, they’re stealing your session cookies. Now this malware that we mentioned before the break, this new Mac malware, MacStealer, that is doing other things as well. So it’s also exporting your keychain. And it’s at least exporting the databases from your browsers that hold on to your passwords. So even if you have a master password set in Firefox, and even if you’ve got a newer version of Chrome that prompts you for your operating system password in order to be able to unlock and get access to the passwords, there’s still things like offline attacks, where somebody could eventually break in, they could guess what your special password is, your Master Password in Firefox. And once they guess that master password, now they’ve got access to all other passwords that you’ve saved in Firefox.
Kirk McElhearn 18:42
So the session cookies thing is interesting. Why isn’t the server or the browser or someone checking to see that it is the same user? Isn’t there something to indicate that it’s not the same person?
Josh Long 18:58
Well, we were talking about this before we started recording today. And we came up with some ideas on how websites could be doing a better job of verifying that that cookie actually belongs to that user and hasn’t been stolen by a hacker for example. One thing that they could potentially do is they could look at your IP address. Because if an attacker is now using your cookie from across the world, somewhere, they’re going to have a different IP address, of course, and that could be one indicator. However, maybe IP addresses aren’t the best way to approach this. For example, if you are on a mobile device and you’re logged into a website in your browser, your IP address is going to be changing a lot more often, especially if you’re not at home or, you know, on the same Wi-Fi network at all times. If you’re just out in public and not connected to Wi-Fi, your IP address may change anytime that you’re, you know, moving to a different cell tower for example. It all kind of depends on your particular mobile provider and how they choose to distribute their IP addresses, but your IP address may be changing much more regularly in cases like that. Also, if you’re using a VPN, anytime you reconnect to the VPN, you may be getting a different IP address. Anytime you connect to a new Wi-Fi network… again, with mobile devices, this is a lot more complicated to deal with that from just purely looking at your IP address.
Kirk McElhearn 20:22
But if you’re using a VPN, VPNs have a limited range of addresses. So someone could steal session cookies, and try them out on different IP addresses that they know are used by the VPN, right? Like they could log in with VPNs that people use and see if the session cookies work.
Josh Long 20:41
They could, but I mean, you’re talking about thousands and thousands of servers, it would it would be very difficult, it would be like, you know, you would be really lucky, I mean, to happen to come across an IP address that somebody happened to have. Maybe you, you could kind of figure that out. I mean, you could at least see whether someone is using a VPN on the on the computer that you’ve stolen cookies from. And you could kind of figure out what VPN server they’re connected to maybe based on the IP address, their public IP address. And then from there, you could kind of try to keep retrying, you know, to see if you can eventually get that same IP address. It’s a lot of work.
Kirk McElhearn 21:22
Right, but Tom Cruise could do it. Or if I may change our reference, Kiefer Sutherland, because he’s in this new TV series with all sorts of computer stuff and conspiracies, he’d figure out a way to do it.
Josh Long 21:33
Yeah, he might be able to figure out a way to do it. Okay.
Kirk McElhearn 21:36
So what other solutions can we have? I mean, this isn’t very processor intensive, right, for a server to check every time a new page is loaded, to make sure that you’re the right person. There are ways that they can identify you, aren’t there?
Josh Long 21:51
Well, so one thing that could be done, and you mentioned this, when we were kind of just back and forth talking about this, I mentioned IP addresses and how that’s probably not very practical. And you said, ‘What about browser fingerprinting?’ And I said, ‘Oh, you mean like user agent strings,’ which is one way that a website can know who you are. And depending on what browser you’re using, on what platform, and whether you’re using a developer or you know, one of those like bleeding edge versions, like I use Edge Canary, for example, there’s not that many people using Edge Canary on a Mac. And if you go to a webpage like amiunique.org, they have a whole series of things that they show you that basically any website can do to fingerprint you. One of the things is the user agent string, which includes things like your browser, your platform, and a couple of other details. But there’s more that a browser can do to fingerprint you. They they can also see your timezone. They can also see things like your language. They can also see whether you have Do Not Track enabled. They can also see a whole bunch of other things, including your screen size, which is kind of interesting.
Kirk McElhearn 23:02
Well, screen size is actually important. It’s called the viewport in website design, and it determines whether a page is displaying all of its content or a narrower version of the content. If you go to the Intego Mac Security Blog in a desktop browser, and you make the window narrower, you’ll see how it changes when it gets to certain sizes.
Josh Long 23:19
So all of these things together, will give a pretty good profile. Again, if you go to amiunique.org, and you click on “View my browser fingerprint,” in about a second, the page will load. And it’ll give you a giant list of all sorts of information that any website is able to get about you. And they’ll tell you whether your particular browser fingerprint is unique. Almost anytime that I go to this page, I’m told that yes, I’m unique among the, you know, 1.5 million fingerprints in their entire data set. And again, that’s partly because I’m using unusual browsers. I’m not using Safari, for example.
Kirk McElhearn 24:00
Well I am using Safari, and I’m still unique. And when I look at some of the properties, for example, the user agent that you were discussing before, and this is what a browser sends to a server so the server knows how to respond to certain things. It says that it is less than 0.01%. Now this could be because I updated to the latest version of macOS a couple of days ago. And there’s not that many people who go to this website, and they’re mostly security people. But there are other things like the list of fonts. 0.27% of people have the same fonts as me, only 0.03% of the same screen width and screen height. That’s surprising. I have a 21 and a half inch iMac. I think a lot of people do. But again, the people who go to this site are probably Windows users, they have 16:9 screens, whatever. But what’s important to say is that this is just the basic information that a browser sends as soon as you go to the website if the browser requests it. So any website, any server could use this to ensure that your session cookie is still the same user that logged in and created that cookie.
Josh Long 25:06
So this is something to be aware of just in general from a privacy perspective. But bringing this back to what could websites be doing better to make sure that, you know, that cookie actually belongs to you? I mean, we know Facebook is already fingerprinting us, right? I mean, there’s, obviously they’re doing that. So why not compare that browser fingerprint with the cookie, with the session ID that is being sent to the site from the browser based on this cookie, right. So if somebody steals your cookie, and now, their unique browser fingerprint is different in any way, that should be a sign to the website that they need to require you to put in your password again for that website before you can do anything else, before you can post, before you can see anything that anyone else has posted, see private messages, anything like that. I’m certainly going to be advocating that websites start doing this, because it’s a simple step. And it solves the problem of stealing people’s session cookies completely. Sure, there are maybe ways that you could spoof that browser fingerprint, but they’re very, it would be very hard to do relative to just stealing somebody’s cookie, for example. That’s, that’s easy to do. Anyone can do this right now. It is a problem.
Can I use Apple AirTags to help people locate my house?
Kirk McElhearn 26:30
Okay, before we finish, I want to reply to some listener feedback from William who said, “Can I use an AirTag to help people locate our house, we’re in a new housing development, where the streets and addresses are not on Google Maps.” And we had to think about this. And this brings up some interesting points. Because in order to do this, the person using the AirTag has to link that Air Tag to their phone. So you can set up an AirTag and give it to someone else, right. This isn’t the solution. But there are several solutions that we would like to share. The Find My app allows you to share your location, you can share it till the end of the day, you can share it permanently. A lot of people, I don’t know about you, but I’ve got location sharing with a couple people. You can share GPS coordinates using a drop pin from Google Maps. I’m pretty sure Apple Maps has this too. It’s a little bit gnarly for me because all those you know long decimal points and all that. And I suggested to Josh when we were discussing this, and he had never heard of “what3words”. So if you go to what3words.com (that’s “what” and then “3” digit, then “words”), you will be able to get a three-word “address” for want of a better term for any three meter square location in the entire world. So I’m just going on to the website and if I go to, let’s see, “pigs.sake.wooden”, this is someplace in the River Cherwell—I don’t know where this thing thinks I am; I believe that’s in Oxford. Go a mile away, “spirit.nest.army”. Go across to someplace else, “blast.shine.oath”. They’re easy to remember, they’re easy to write down. You can use the what3words website, they also have an app. And it’s a really practical way to precisely indicate where you are. It’s a three meter square. And the entire Earth is covered with three meter squares.
Josh Long 28:19
I’m just the old-school, “drop a pin on Google Maps and send somebody a link there.” But yeah, this is a great question. So if any listeners have questions like this, you can email us at [email protected] or you can fill out the contact form at podcast.intego.com.
Kirk McElhearn 28:35
Okay, that’s enough for this week. Until next week, Josh, stay secure.
Josh Long 28:39
All right, stay secure.
Voice Over 28:41
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com The Intego website is also where to find details on the full line of Intego security and utility software: Intego.com.
If you like the Intego Mac Podcast, be sure to rate and review it on Apple Podcasts.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
