How one man could have hacked every Mac developer (73% of them, anyway)

Long story short, Holmes was able to copy this API token, paste it into his own web requests, and get read-and-write access to much of Homebrew’s GitHub content.

As he explains in his post, he could have hacked pretty much any Homebrew package, thereby infecting any and every Mac user who installed or updated that package – or, of course, any other package that depended on it.

And, as Holmes wryly pointed out, the most downloaded package in the last 30 days at Homebrew is itself all about cybersecurity: openssl, with more than half-a-million installs last month.

That’s a lot of Brew users – and by implication a lot of developers who themselves build software for distribution to other people – whom he could have put on the spot.

What to do?
If you’re a Brew user, there’s no need for alarm and no immediate action you need to take.

Holmes disclosed this responsibly to the Homebrew crew, who fixed the issue right away – within a few hours, in fact – and published a short, frank and informative disclosure notice.

As in the case of Gentoo’s recent supply-chain breach, the disclosure notice is worth reading whether the incident directly affects you or not.

Homebrew’s notice also listed some security precautions that the team is planning to add, and explained why.
