'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability - MacRumors
Skip to Content

'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability

by

A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.

Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.

Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.

sparklevulnerability

Image via EvilSocket

A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.

Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.

Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.

Tag: Sparkle

Popular Stories

iOS 27 on iPhone 17 1

iOS 27 Will Add These New Features to Your iPhone

Saturday May 2, 2026 8:43 am PDT by
Apple is expected to unveil iOS 27 during its WWDC 2026 keynote on June 8, and there are already many rumored features and changes for iPhones. The first developer beta of iOS 27 will likely be available immediately following the keynote, and a public beta typically follows in July. Following beta testing, the software update should be released to all users with a compatible iPhone in...
Read Full Article90 comments
Apple MacBook Pro M4 hero

Why You Might Want to Wait to Buy a MacBook Pro

Friday May 1, 2026 3:43 pm PDT by
Apple refreshed the 14-inch and 16-inch MacBook Pro with M5 Pro and M5 Max models in March 2026, but depending on your needs and interests, you might want to skip this generation because there's something better in the works. The M5 Pro and M5 Max MacBook Pro models have faster chips, but the same design that Apple has used since 2021. An updated design with new display technology and faster ...
Read Full Article175 comments
macOS 27 on MacBook Pro

Apple to Unveil macOS 27 Next Month With These New Features

Friday May 1, 2026 1:21 pm PDT by
Apple will unveil its latest software platforms during its WWDC 2026 keynote on Monday, June 8, and one of them will be macOS 27 for the Mac. The first developer beta of macOS 27 will likely be available immediately following the keynote, and a public beta typically follows in July. Following beta testing, the software update should be released to all users in September. macOS 26 is known ...
Read Full Article129 comments

Top Rated Comments

E
engram
134 months ago
This will give you a list of what is on your system.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
Score: 24 Votes (Like | Disagree)
J
jdillings
134 months ago
This is why the app store was a good thing
Score: 23 Votes (Like | Disagree)
K
KALLT
134 months ago
@engram ('https://forums.macrumors.com/threads/huge-number-of-mac-apps-open-to-hijacking-from-sparkle-updater-vulnerability.1955488/members/engram.513277/'): This does not work if you have applications in sub-folders. Use this one instead, it also prints the Sparkle version (credit to an Ars commenter):
find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

Anything below version 1.13.1 is potentially affected.


Edit:

Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
Score: 10 Votes (Like | Disagree)
jclo Avatar
jclo
134 months ago
This will give you a list of what is on your system.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
Not all of these are going to be affected -- only those using a version of Sparkle prior to 1.13.1 have the potential to be vulnerable. And of those, some may be using an encrypted HTTP channel to receive updates from the server, meaning they're not affected.
Score: 7 Votes (Like | Disagree)
M
Michaelgtrusa
134 months ago
Nothing surprises me anymore.
Score: 7 Votes (Like | Disagree)
C
C DM
134 months ago
OS X isn't safe no more. Another day, another victim on news. It's 187 murder on Apps....RIP apps.
(pours out little liquor on their apps.)
Not really an OS exploit, but an app/service exploit.
Score: 5 Votes (Like | Disagree)
Read All Comments