Airo Security uncovered man-in-the-middle proxy spyware being distributed for macOS. It came via VoiceFive, a Comscore subsidiary. In a paper released this week, researchers explained the issue, which put sensitive data at risk.
This Comscore spyware installs a proxy on ports 8888, 8443 and 8254, where it captures all of the user's SSL/TLS traffic on the machine. The spyware is installed as a bundled application offered during the installation flow of other software products. It installs a local system certificate that any application then automatically trusts. If that's not enough, it introduces a severe security weakness: rather than generating a unique certificate for each machine on which it is installed, it installs the exact same root certificate on all machines. This is a known bad practice, to say the least, and was at the heart of the infamous "Lenovo Superfish" case of 2015, the subject of an alert issued at the time by the US Department of Homeland Security.
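A triage check for the three proxy ports named above, as an added example that is not from the Airo Security paper: it filters `lsof` listener output for ports 8888, 8443 and 8254. The function names, the `--live` switch and the sample lines (including the process name `exampleproxy`) are constructed for illustration.

```shell
#!/bin/sh
# Ports the article says the proxy listens on.
PROXY_PORTS="8888 8443 8254"

# Reads `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and prints
# "port pid command user address" for each listener on a watched port.
find_proxy_listeners() {
    awk -v ports="$PROXY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $NF != "(LISTEN)" { next }           # skips the header and non-listening sockets
        {
            addr = $(NF - 1)                 # e.g. 127.0.0.1:8888 or [::1]:8254
            port = addr
            sub(/^.*:/, "", port)            # keep only the text after the last colon
            if (port in watch) print port, $2, $1, $3, addr
        }
    '
}

# Constructed sample of lsof output (not captured from an infected machine).
sample_lsof() {
    cat <<'EOF'
COMMAND      PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd     412 alice   4u  IPv4 0x01        0t0  TCP *:49152 (LISTEN)
exampleproxy 733 root    7u  IPv4 0x02        0t0  TCP 127.0.0.1:8888 (LISTEN)
exampleproxy 733 root    9u  IPv6 0x03        0t0  TCP [::1]:8254 (LISTEN)
devserver    901 alice  11u  IPv4 0x04        0t0  TCP 127.0.0.1:18888 (LISTEN)
EOF
}

# Pass --live to query the local machine; otherwise nothing runs at load time.
if [ "${1:-}" = "--live" ]; then
    lsof -nP -iTCP -sTCP:LISTEN | find_proxy_listeners
fi
```

Ports 8888 and 8443 are also common choices for development servers and debugging proxies, so a hit is a reason to identify the owning process and review the trusted root certificates on the machine, not a verdict by itself.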