Sparkle updater vulnerability...

  • Quoting from various sources, '…third-party update service Sparkle, combined with insecure network protocols and parsing, leaves some OS X apps open to person-in-the-middle exploits….'

    There's a list on github of vulnerable OSX applications, and f.lux is on it.

    What's f.lux's response to this situation, and how does it plan to respond?

  • Since 2009, we have delivered updates via SSL, and so we are not vulnerable.

  • @UNOwen The list you linked to is not of vulnerable applications, it specifically says:

    this [list] has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.

    There's a script you can run to check all your applications for vulnerability. Here's what it says about f.lux:

    ok: Flux 36.6 uses HTTPS for updates - safe
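
The kind of check the quoted output comes from, written here as an added example rather than the script mentioned in the thread: Sparkle reads its update-feed location from the bundle's Info.plist (key SUFeedURL), so an auditor can classify each app by the feed URL's scheme. The bundle names, versions and hostnames in the sample data are constructed placeholders, and the output format simply mirrors the line quoted above.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

# Sparkle takes the location of its update feed (the "appcast") from the
# app bundle's Info.plist under the SUFeedURL key. A plain-http feed can be
# altered by anyone on the network path, so that is what this check flags.
FEED_KEY = "SUFeedURL"

def classify(info):
    """Classify one parsed Info.plist dict; returns (status, message)."""
    name = info.get("CFBundleName", "?")
    version = info.get("CFBundleShortVersionString", "?")
    feed = info.get(FEED_KEY)
    if not feed:
        return ("skip", f"{name} {version} does not use Sparkle")
    scheme = urlsplit(feed).scheme.lower()
    if scheme == "https":
        return ("ok", f"{name} {version} uses HTTPS for updates - safe")
    return ("insecure", f"{name} {version} uses {scheme or 'no'} scheme for updates - review")

def check_bundle(app_path):
    """Read Contents/Info.plist from a .app bundle on disk and classify it."""
    with open(Path(app_path, "Contents", "Info.plist"), "rb") as fh:
        return classify(plistlib.load(fh))

def scan(apps_dir="/Applications"):
    """Classify every .app bundle directly under apps_dir (run on macOS)."""
    return [check_bundle(p) for p in sorted(Path(apps_dir).glob("*.app"))]

def make_plist(name, version, feed=None):
    """Build constructed Info.plist bytes so the check can run offline."""
    info = {"CFBundleName": name, "CFBundleShortVersionString": version}
    if feed is not None:
        info[FEED_KEY] = feed
    return plistlib.dumps(info)

# Constructed sample bundles (not real app data; hostnames are placeholders).
SAMPLES = [
    make_plist("Flux", "36.6", "https://updates.example.invalid/appcast.xml"),
    make_plist("LegacyApp", "1.0", "http://updates.example.invalid/appcast.xml"),
    make_plist("NoSparkle", "2.1"),
]

def check_samples():
    """Classify the constructed samples; on a real Mac use scan() instead."""
    return [classify(plistlib.loads(p)) for p in SAMPLES]

if __name__ == "__main__":
    for status, message in check_samples():
        print(f"{status}: {message}")
```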

