• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: File association using file magic
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: File association using file magic

  • Subject: Re: File association using file magic
  • From: Charles Srstka <email@hidden>
  • Date: Sat, 25 Jan 2014 00:40:35 -0600
On Jan 24, 2014, at 9:02 PM, Kyle Sluder <email@hidden> wrote:

>> On Jan 24, 2014, at 5:27 PM, Charles Srstka <email@hidden> wrote:
>>
>> Well, that's for a good reason, you see. If your app were able to change users' preferences, it might be able to... erm... take over... uh... file associations.
>>
>> Hrm.
>
> You don’t see that as a problem?
>
> Install SuperFunGame from the App Store. It associates itself with the com.intuit.QuickBooks UTI. Next time you double-click your QuickBooks file in Finder, SuperFunGame gets the `open` event, and takes the liberty of sending home all your employees’ Social Security numbers before re-opening the file in QuickBooks.
>
> Seem far-fetched? Well, the Internet Security 2003 malware for Windows does the exact same thing, except for *all executables* on the system: http://malwaretips.com/blogs/internet-security-2013-virus/
>
> --Kyle Sluder

Of course it's a problem; I was being more than a little facetious there. If you read the thread, you'll see that we've been talking about a way to take over file associations that's so easy to do, you can do it by accident — even if sandboxed.

I don't use QuickBooks, but given how horribly out of date certain other Intuit products tend to be on the Mac, I wouldn't be one bit surprised if it were registering its document types via extension instead of UTI, and even if it doesn't, there's probably some older version that some users have that does, or perhaps there's some other application on the hard drive that's using filename extensions somewhere that's also in charge of some data you wouldn't want to leak out. All HappyFunGame has to do is register for a UTI for that type (defining one if it doesn't already exist for that extension) and LaunchServices will go "Oh, LegitApp registers for the extension, HappyFunGame registers for the UTI — better give it to HappyFunGame!"

The thing that's disturbing is that you can do this; the thing that's irritating is that if you do this accidentally, you're prevented from undoing it by the very mechanism that was supposed to stop you from doing it in the first place.

Charles


_______________________________________________

Cocoa-dev mailing list (email@hidden)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >File association using file magic (From: Remco Poelstra <email@hidden>)
 >Re: File association using file magic (From: Remco Poelstra <email@hidden>)
 >Re: File association using file magic (From: Sean McBride <email@hidden>)
 >Re: File association using file magic (From: Jerry Krinock <email@hidden>)
 >Re: File association using file magic (From: Charles Srstka <email@hidden>)
 >Re: File association using file magic (From: Charles Srstka <email@hidden>)
 >Re: File association using file magic (From: Kyle Sluder <email@hidden>)

  • Prev by Date: Re: FlagsChanged while NSMenu is displayed
  • Next by Date: Re: Non-breaking hyphen in UILabel?
  • Previous by thread: Re: File association using file magic
  • Next by thread: Re: File association using file magic
  • Index(es):
    • Date
    • Thread