rsms / fb-mac-messenger

⚡️ Mac app wrapping Facebook's Messenger for desktop
https://fbmacmessenger.rsms.me/
MIT License

31 GB changelog.xml.rss #445

Open ghazel opened 5 years ago

ghazel commented 5 years ago

Messenger created a 31 GB changelog.xml.rss file, full of private machine data. I noticed because my laptop was out of disk space.

I believe this to be malicious. You can read my reasons here: https://github.com/Homebrew/homebrew-cask/issues/64793

rsms commented 5 years ago

This is concerning. However, note that:

  1. The source code is available right here for you to inspect: https://github.com/rsms/fb-mac-messenger?files=1

  2. The distribution build is code signed with an official cert issued by Apple.

It’s possible this could be a bug in Sparkle, or some different software on your system created that file.

ghazel commented 5 years ago

I'm certain the file was written to by Messenger. fs_usage caught it.

rsms commented 5 years ago

[Screenshot: Screen Shot 2019-06-20 at 08 16 27]

This is a screenshot from the AWS S3 admin UI (the website and changelog file are served from S3 over HTTPS.)

Do you have any more information? Do you have the logs from fs_usage? Can you provide a snippet of the large file that was written for inspection? What version of macOS do you use? (pls also include result from uname -a if possible.) Thanks.

ghazel commented 5 years ago

10.14.5 (18F132) Darwin MacBook-Pro.local 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64

ghazel commented 5 years ago

I did not keep the file. Running strings on it revealed lots of PDF related file format strings, including strings referencing my version of macOS.

ghazel commented 5 years ago

I can confirm that Messenger writes to a file called changelog.xml.rss, so that addition of .rss is normal:

15:03:10  setattrlist       /private/var/folders/zf/w4brt9f91jv2nwxf5h1kzqym0000gn/T/changelog.xml.rss       0.000039   Messenger   
15:03:10  fstat64                                                                                            0.000003   Messenger   
15:03:10    WrData[A]       /private/var/folders/zf/w4brt9f91jv2nwxf5h1kzqym0000gn/T/changelog.xml.rss       0.000119 W Messenger   
15:03:10  close                                                                                              0.000141   Messenger

ghazel commented 5 years ago
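fs_usage output like the lines above can be attributed back to the writing process mechanically. The following Python parser is an added example, not code from this issue or from the fb-mac-messenger project; it runs on a constructed sample modelled on the quoted lines (the temp-directory hash is made up) and counts write operations per process for a given file name, which is the check a defender would run before blaming a particular app.

```python
import re
from collections import Counter

# Constructed sample of fs_usage output, modelled on the lines quoted in
# this issue. The /private/var/folders/xx/constructed/... path is made up.
SAMPLE_FS_USAGE = """\
15:03:10  setattrlist       /private/var/folders/xx/constructed/T/changelog.xml.rss       0.000039   Messenger
15:03:10  fstat64                                                                          0.000003   Messenger
15:03:10    WrData[A]       /private/var/folders/xx/constructed/T/changelog.xml.rss       0.000119 W Messenger
15:03:10  close                                                                            0.000141   Messenger
15:03:11    WrData[A]       /Users/example/Library/Logs/other.log                          0.000050 W OtherApp
15:03:11    WrData[A]       /private/var/folders/xx/constructed/T/changelog.xml.rss       0.000200 W Messenger
"""

# Operations that actually put bytes on disk (WrData[A] is the asynchronous
# write fs_usage reports for buffered file data).
WRITE_OPS = ("WrData", "write", "pwrite")

# Columns: timestamp, syscall/op, optional path, duration, optional W flag
# (meaning the call caused a wait), process name (may carry a .tid suffix).
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<op>\S+)\s+"
    r"(?:(?P<path>/\S*)\s+)?"
    r"(?P<dur>\d+\.\d+)\s+"
    r"(?:(?P<flag>W)\s+)?"
    r"(?P<proc>\S.*?)\s*$"
)

def parse_fs_usage(text):
    """Return one dict per recognised fs_usage line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def writers_of(text, path_suffix):
    """Count write operations per process for paths ending in path_suffix."""
    counts = Counter()
    for ev in parse_fs_usage(text):
        path = ev["path"]
        if path and path.endswith(path_suffix) and ev["op"].startswith(WRITE_OPS):
            counts[ev["proc"]] += 1
    return dict(counts)
```

Feed it real output with `sudo fs_usage -w -f filesys | grep changelog.xml.rss` saved to a file; the counts show which process is responsible for the growth.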

The very old version of Sparkle you're using did have a bug in this area. It would assume the filename even if NSURLDownload could not guarantee it:

https://github.com/sparkle-project/Sparkle/blob/75551e8d0a0ee1fa3b39840fea504e01865ec81b/Sparkle/SUAppcast.m#L84