Mac and Linux Users at Risk: Hackers Exploit Homebrew Update to Execute Code on Victims’ Machines

  • By Dawna M. Roberts
  • Published: Apr 29, 2021
  • Last Updated: Mar 18, 2022

Homebrew users should take notice that a glaring RCE flaw in the Homebrew repository system could have allowed bad actors to use a fraudulent update to execute malicious code on the user’s machine.

What Happened?

As reported by The Hacker News, Japanese security researcher, RyotaK notified the Homebrew maintainer group on April 18 that “the way code changes in its GitHub repository were handled, resulting in a scenario where a malicious pull request — i.e., the proposed changes — could be automatically reviewed and approved. The flaw was fixed on April 19.”

After the fix, Markus Reiter of Homebrew said,

“The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically. This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.”

In layman’s terms, what he is describing is that malicious code injected into legitimate files were merged without any review or approval. This poses a severe danger to Homebrew users.

RyotaK also included a proof-of-concept (POC) to illustrate his point. As a result, Homebrew removed the auto-merge feature and the “review-cask-pr” from all Git repositories. Now all pull requests require manual review and approval.

The researcher commented that “If this vulnerability was abused by a malicious actor, it could be used to compromise the machines that run brew before it gets reverted. So, I strongly feel that a security audit against the centralized ecosystem is required.”

What is Homebrew?

Homebrew is an open-source software package installer for Mac and Linux. It allows you to easily install and uninstall add-ons to the Mac system using “casks.” It runs on Git and Ruby and can easily be modified by knowledgeable coders. The Cask plugin extends the functionality of Homebrew allowing users to install command-line workflows, fonts, plugins, and other software. 

Homebrew works on the command line interface Terminal. Users can enter simple commands like $ brew install —cask firefox to install popular programs without having to use the built-in installer.

Homebrew calls itself “The Missing Package Manager for macOS (or Linux).”

How Can Users Stay Safe?

The difference between open-source and company-produced software is control. When Apple or Microsoft issues an update to its operating system, these updates are tightly controlled. Open-source software which can be modified by users can also be exploited by malicious hackers that affect anyone who downloads the tainted version.

Some tips to stay safe when using open-source software or third-part resources include:

  • Always use good, strong passwords that cannot be hacked.
  • Keep antivirus/anti-malware running on all your devices.
  • Use a VPN to mask your IP and protect your online activities.
  • Don’t rush to download the latest version of your open-source software. Wait a few days to see if there are reports of any issues first.
  • Scan all new files with your antivirus software.
  • Turn on two-factor authentication on all your accounts so that if your machine is compromised, your accounts may still stay safe.
  • Invest in a password vault to keep all your passwords safe.
  • Use common sense and never download files from untrusted sources.
  • Be wary of third-party offerings. Many of them come with malware piggybacked on the software. 
  • Never click links in email or text messages from untrusted sources.
  • Keep all your devices updated with the latest security patches.

About the Author
IDStrong Logo

Related Articles

46,000 Veterans and 13 Community Care Providers Affected by a VA Data Breach

The Incident Early last week, the Department of Veteran Affairs (VA) was breached by an unknown c ... Read More

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% ... Read More

Latest Articles

What You Need to Know about the PayPal Data Breach

What You Need to Know about the PayPal Data Breach

PayPal was established in 1998 by Peter Thiel, Luke Nosek, and Max Levchin. The application's goal was cybersecurity for handheld devices before pivoting to a digital wallet.

What You Need to Know about the UnitedHealth Group Data Breach

What You Need to Know about the UnitedHealth Group Data Breach

UnitedHealth was established as CharterMed Incorporated in 1974 in Minnesota by Richard Burke and a team of healthcare professionals.

What You Need to Know about the DaVita Data Breach

What You Need to Know about the DaVita Data Breach

DaVita is a healthcare provider based in Denver, Colorado, specializing in kidney dialysis. Founded in 2000, the company's name is based on an Italian phrase that translates to 'Giving Life'.

What You Need to Know about the Tea App Data Breach

What You Need to Know about the Tea App Data Breach

Sean Cook created the tea app in November 2022. As a former product manager at Salesforce and Shutterfly, Sean self-funded the project, inspired by his mother's negative experiences in the dating pool.

What You Need to Know about the Allianz Life Data Breach

What You Need to Know about the Allianz Life Data Breach

Allianz Life Insurance Company of North America is a large financial and retirement solutions provider. It specializes in investment items, annuities, and life insurance.

What You Need to Know about the Radiology Associates of Richmond Data Breach

What You Need to Know about the Radiology Associates of Richmond Data Breach

Founded by Dr. Daniel Talley in 1905, the Radiology Associates of Richmond is one of America's oldest private radiology practices.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Notice

By proceeding with this scan, you agree to let IDStrong run a Free Scan of supplied parameters of your personal information and provide free preliminary findings in compliance with our Terms of Use and Privacy Notice. You consent to us using your provided information to complete the Free Scan and compare it against our records and breach databases or sources to provide your Free preliminary findings report.

Rest assured: IDStrong will not share your information with third parties or store your information beyond what is required to perform your scan and share your results.

Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close