MacKeeper Leaks 13 Million Mac Owners’ Data
MacKeeper Leaks 13 Million Mac Owners’ Data, Leaves Passwords Open To Easy Cracking (As posted by Forbes.com)
“Anti-virus provider MacKeeper is known for pushing the message Apple Mac owners need protection. It needed some extra protection of its own today, after a white hat hacker discovered a database containing 13 million customer records was accessible by just visiting a selection of IP addresses, no username or password required.
Researcher Chris Vickery said he uncovered four IP addresses that took him straight to a MongoDB database, containing a range of personal information, including names, email addresses, usernames, password hashes, phone numbers, IP addresses, system information, as well as software licenses and activation codes. All Vickery had to do was look for openly accessible MongoDB databases on the Shodan search tool.
There’s another apparent security issue: the passwords were protected with a known-to-be-broken “hashing” algorithm. These algorithms take the plain text password and turn it into garbled letters and digits, using a one-way mathematical formula. If it’s easy to guess how they did so, passwords can be recovered. According to Vickery, it appeared MacKeeper was using MD5 – long-known to be weak. There are a large number of MD5 cracking tools, all of which can figure out the weaker passwords (e.g. ‘123456’ or ‘password1’) in seconds. He said there was no “salt” either, which would add random characters to the password before it’s garbled by the hash algorithm, making cracking more difficult.
The company admitted to FORBES it was using MD5 but was in the process of upgrading to SHA512. It will be resetting passwords too, but said the decision wasn’t connected to the leak, though it has spurred the company on to make changes.
Vickery said he attempted to disclose the problem to Kromtech, the owner of MacKeeper, over the phone yesterday evening, but was initially unable to get through. After he posted about the issues on Reddit, the company responded, dealing with the disclosure over email in an amicable manner. Within hours of learning of its error, MacKeeper said it had fixed the problem, thanking Vickery.”
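The article describes two defects in the stored passwords (unsalted MD5) and the fix the company said it was making (moving to SHA-512). The following is an added example, not code from the article or from Kromtech/MacKeeper, showing what that migration looks like in practice: legacy unsalted MD5 records are verified on login and immediately rehashed with a per-user random salt and PBKDF2-HMAC-SHA512. The storage format, iteration count and the sample user table are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed cost parameter for this example
PREFIX = "pbkdf2_sha512$"    # assumed record format: prefix$iterations$salt$hash


def legacy_md5(password):
    """The weak scheme described in the article: unsalted MD5, hex encoded."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha512(password, salt=None):
    """Random 16-byte salt + PBKDF2-HMAC-SHA512, serialised as one string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return "%s%d$%s$%s" % (PREFIX, PBKDF2_ITERATIONS,
                           base64.b64encode(salt).decode(),
                           base64.b64encode(dk).decode())


def verify(stored, password):
    """Constant-time check against either the new or the legacy record format."""
    if stored.startswith(PREFIX):
        _, iters, salt_b64, dk_b64 = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                 base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    return hmac.compare_digest(legacy_md5(password), stored)


def login_and_upgrade(records, username, password):
    """Verify the login; if the record is still legacy MD5, rehash it on the spot."""
    stored = records.get(username)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith(PREFIX):
        records[username] = salted_sha512(password)  # password is in hand only at login
    return True


def needs_upgrade(records):
    """Users whose records are still unsalted MD5 (they cannot be rehashed offline)."""
    return sorted(u for u, h in records.items() if not h.startswith(PREFIX))


# Constructed sample table (not data from the leak). Note that with no salt,
# alice and bob share the same password and therefore the same stored hash.
USERS = {
    "alice": legacy_md5("123456"),
    "bob": legacy_md5("123456"),
    "carol": salted_sha512("correct horse battery"),
}
```

Users who never log in keep their MD5 record, which is why a forced password reset (as the company said it was doing) is still needed to finish the migration.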