homebrew-cask: Messenger misbehavior

I believe the Messenger app in cask ( https://github.com/Homebrew/homebrew-cask/blob/master/Casks/messenger.rb ) to be malicious. At the very best it has a horrible bug.

Today I found a 31 GB file called changelog.xml.rss in my /private/var/folders, which was full of content certainly not XML or RSS. It appeared to be a binary file, and had a lot of PDF strings. fs_usage revealed that Messenger accessed it.

This is not a bug report for Messenger. This is a request that Homebrew remove the app.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 18 (18 by maintainers)

Most upvoted comments

Homebrew links to this app.

And from the start we’ve been adamant that the last line of defence is the user. This has been pointed out ad nauseam in the tracker and the FAQ.

If you think you should keep doing so, feel free to.

Quite frankly, by this point I’m more suspicious of the fact you’re refusing to open a bug report with them. In the time and words you’ve spent arguing against opening one, you could’ve done so three times over.

You don’t lose anything by making the bug report. If they reply, we have more information; if they don’t, we’re in the same position.

Either you make the bug report, or there’s no point to continuing this conversation.

I raised the concern with the closest upstream channel that should be concerned.

We are not the closest channel which should be concerned, https://github.com/rsms/fb-mac-messenger is, so please open an issue there first and then link to it.

And then, like @vitorgalvao said:

If they don’t respond, we can think about next steps then.

Their server being hacked is not something we can expect them to understand, diagnose, or solve.

Their server being hacked is solely resolvable by them. How do you know what to expect from them if you don’t even try to contact them?

Well, I disagree that reporting it to them would have any effect.

Yet, you haven’t tried. So what you’re saying is you don’t know. Again, they’re an open-source app. If they’re doing something malicious, the community needs to know. Silently removing it from Homebrew Cask won’t do a thing to stop the behaviour. It’s not an insanely popular cask

messenger (added 1526 days ago)
30 days: 130 (#534)
90 days: 297 (#601)
365 days: 910 (#615)

But it seems to be a popular app (2863 stars at the time of writing). Also, its last update was two years ago, so if it is malicious it might be doing shady things from at least then.

scanning their binary is pointless.

Again, you don’t know!

@ghazel Would you mind sharing a few details from your analysis to back up your claim?

I reinforce that request. You can’t just say “oh, I’ve checked” and have us take your word. You’re not a regular user here, so we don’t know you.

The file name of the temporary file is (basically) the same as the file for their Sparkle update url

So it’s not even the same name. changelog is a common name for a feed.

they (or someone in control of their server)

You’re suggesting they might have been hacked, and still you think making that point in their bug tracker is pointless? If they have been compromised, they need to know!

None of your claims is definitive. Up until now, they’re just guesses. That would be fine if you were just suggesting the app might be malicious and were asking for help to confirm it, but you’re outright asking for its removal. Your claims require proof. Open an issue with them.