I don’t think I’ve hidden my dislike for MacKeeper.
The software, which claims to help Mac users stop security threats and clean-up duplicate files on your Mac, leaves an unpleasant taste in my mouth because of its aggressive promotion through pop-up ads and the difficulty that many users have experienced in uninstalling it.
Some have even described MacKeeper as being disturbingly close to scareware.
Nonetheless, in my experience, plenty of Mac users do run MacKeeper (I guess those constant pop-up ads do achieve their goal).
But those MacKeeper customers have good reason to feel miffed, as it has been revealed that Kromtech – the company which produces MacKeeper – has been reckless with their data, leaving it exposed to anybody who has an internet connection. No password required.
Researcher Chris Vickery stumbled across over 13 million sensitive account details related to MacKeeper, after using the Shodan search engine to hunt for database servers left open to the internet, that required no authentication.
Sure enough, Vickery’s search found four different IP addresses of servers belonging to Kromtech.
And on those servers, Vickery found over 20GB of MacKeeper user data – including names, email addresses, phone numbers, IP addresses, software licenses, system information and users’ hashed passwords.
To make matters worse, the passwords appeared to be hashed using the weak MD5 algorithm, with no salt added, potentially opening opportunities for hackers to crack some of the passwords with ease.
In other words, if you were using the same passwords with Kromtech/MacKeeper as you were using elsewhere on the web, you really should change your passwords.
As Forbes reports, Vickery struggled to find someone at Kromtech who would respond to the security issue:
Vickery said he attempted to disclose the problem to Kromtech, the owner of MacKeeper, over the phone yesterday evening, but was initially unable to get through. After he posted about the issues on Reddit, the company responded, dealing with the disclosure over email in an amicable manner. Within hours of learning of its error, MacKeeper said it had fixed the problem, thanking Vickery.
You can read Kromtech’s security advisory to customers here, where the company says it is reviewing its security measures.
But come on. Let’s be serious. MacKeeper is supposed to be a security product – and yet it stores passwords that weakly? Its users’ details are left on servers open to anyone on the internet, capable of being accessed without any form of authentication?
Not good. Not good at all.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.