Mac and Linux Users at Risk: Hackers Exploit Homebrew Update to Execute Code on Victims’ Machines

Homebrew users should take notice that a glaring RCE flaw in the Homebrew repository system could have allowed bad actors to use a fraudulent update to execute malicious code on the user’s machine.

What Happened?

As reported by The Hacker News, Japanese security researcher, RyotaK notified the Homebrew maintainer group on April 18 that “the way code changes in its GitHub repository were handled, resulting in a scenario where a malicious pull request — i.e., the proposed changes — could be automatically reviewed and approved. The flaw was fixed on April 19.”

After the fix, Markus Reiter of Homebrew said,

“The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically. This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.”

In layman’s terms, what he is describing is that malicious code injected into legitimate files were merged without any review or approval. This poses a severe danger to Homebrew users.

RyotaK also included a proof-of-concept (POC) to illustrate his point. As a result, Homebrew removed the auto-merge feature and the “review-cask-pr” from all Git repositories. Now all pull requests require manual review and approval.

The researcher commented that “If this vulnerability was abused by a malicious actor, it could be used to compromise the machines that run brew before it gets reverted. So, I strongly feel that a security audit against the centralized ecosystem is required.”

What is Homebrew?

Homebrew is an open-source software package installer for Mac and Linux. It allows you to easily install and uninstall add-ons to the Mac system using “casks.” It runs on Git and Ruby and can easily be modified by knowledgeable coders. The Cask plugin extends the functionality of Homebrew allowing users to install command-line workflows, fonts, plugins, and other software. 

Homebrew works on the command line interface Terminal. Users can enter simple commands like $ brew install —cask firefox to install popular programs without having to use the built-in installer.

Homebrew calls itself “The Missing Package Manager for macOS (or Linux).”

How Can Users Stay Safe?

The difference between open-source and company-produced software is control. When Apple or Microsoft issues an update to its operating system, these updates are tightly controlled. Open-source software which can be modified by users can also be exploited by malicious hackers that affect anyone who downloads the tainted version.

Some tips to stay safe when using open-source software or third-part resources include:

• Always use good, strong passwords that cannot be hacked.
• Keep antivirus/anti-malware running on all your devices.
• Use a VPN to mask your IP and protect your online activities.
• Don’t rush to download the latest version of your open-source software. Wait a few days to see if there are reports of any issues first.
• Scan all new files with your antivirus software.
• Turn on two-factor authentication on all your accounts so that if your machine is compromised, your accounts may still stay safe.
• Invest in a password vault to keep all your passwords safe.
• Use common sense and never download files from untrusted sources.
• Be wary of third-party offerings. Many of them come with malware piggybacked on the software. 
• Never click links in email or text messages from untrusted sources.
• Keep all your devices updated with the latest security patches.