by okket 3579 days ago
Simple file check if you are infected:

  if [ -f "/Applications/Transmission.app/Contents/Resources/License.rtf" ] ||
     [ -f "/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf" ] ||
     [ -f "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd" ] ||
     [ -f "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id" ] ||
     [ -f "$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist" ] ||
     [ -d "/Library/Application Support/com.apple.iCloud.sync.daemon/" ] ||
     [ -f "$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist" ];
  then echo "OSX/Keydnap detected.";
  else echo "You're good.";
  fi
Source: https://gist.github.com/kaizensoze/ca96d039b295db220951d42ca...

Thanks! Reducing friction for these kinds of things is good for everyone.

I didn't bother checking after I read that the autoupdate wasn't compromised, but never hurts to check - and I was not really going to do it until I saw your post.

And to run it from the clipboard:

    pbpaste | sh -
If anyone wonders why this is taking too long, you may have done the same daft thing I just did, which was to copy the first command and then copy pbpaste | sh -. The latter will of course create an infinite loop.
Why would copying two strings to the clipboard lead to an infinite loop?
If you have `pbpaste | sh -` on your clipboard and then paste it into a terminal, it'll continually execute itself.

(`pbpaste | sh - | pbpaste | sh - | pbpaste | sh - | ... | pbpaste | sh -`)

It won't, but running

    pbpaste | sh -
Means it's taking whatever is in my clipboard and executing it.

I had replaced what I wanted to execute with just "pbpaste | sh -"

So it passed "pbpaste | sh -" to the sh to run. Which would have then taken "pbpaste | sh -" and passed it to sh to run, which ...

I believe it would be the same as this, I think?

  pbpaste | sh - | sh - ...
Or just copy and paste the above?
Why not this?

    curl https://gist.githubusercontent.com/kaizensoze/ca96d039b295db220951d42ca7c83d89/raw/ | bash
Your line downloads and executes the latest version of the gist; it could have been changed from a file check to a virus installer by the author (unlikely, but I have to point it out). To be a bit safer (while trusting that GitHub is not compromised), pin a known, verified version:

  curl https://gist.githubusercontent.com/kaizensoze/ca96d039b295db220951d42ca7c83d89/raw/a26e5a025ea21d3a0af536eeca49619272d0068f/quick-osx-keydnap-check | bash
(sorry for the overlong line)
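The step beyond pinning a revision is to refuse to run the file unless it hashes to a digest you recorded yourself after reading it. The following is an added example, not the gist's code and not any commenter's: it downloads to a file, compares the SHA-256 against a value supplied by the caller, and only then hands the file to sh. The function names are my own, and the digest in the usage comment is a placeholder for the one you compute after reviewing that revision.

```shell
#!/bin/sh
# Added example (not the gist's code and not any commenter's): pin a
# revision, record its SHA-256 once after reading it, and afterwards
# refuse to execute anything that does not hash to that value. The
# function names are my own; the hash in the usage comment is a placeholder.

# Print the hex SHA-256 of FILE with whichever tool the platform provides
# (sha256sum on Linux, shasum on macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Exit status 0 if FILE hashes to EXPECTED (hex, either case), 1 otherwise.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(file_sha256 "$1")" = "$expected" ]
}

# Run FILE with sh only if it matches EXPECTED; on mismatch nothing is
# executed and the status is 1. Otherwise the script's own status is returned.
run_if_verified() {
    if verify_sha256 "$1" "$2"; then
        if sh "$1"; then return 0; else return $?; fi
    fi
    echo "sha256 mismatch for $1; not executing" >&2
    return 1
}

# Download URL to a temp file and hand it to run_if_verified. Status 2
# means the download failed; nothing is ever piped straight into a shell.
fetch_verify_run() {
    tmp=$(mktemp) || return 2
    if ! curl -fsSL "$1" -o "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    if run_if_verified "$tmp" "$2"; then status=0; else status=$?; fi
    rm -f "$tmp"
    return $status
}

# Usage, with the pinned revision from the comment above and a placeholder
# digest that you must replace with the one you computed after reviewing it:
#   fetch_verify_run \
#     'https://gist.githubusercontent.com/kaizensoze/ca96d039b295db220951d42ca7c83d89/raw/a26e5a025ea21d3a0af536eeca49619272d0068f/quick-osx-keydnap-check' \
#     'PLACEHOLDER_SHA256_YOU_VERIFIED'
```

The expected digest has to come from somewhere other than the download itself (your own notes after reading the file, or a second channel), otherwise the check only proves the file arrived intact, not that it is the one you reviewed.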
This pattern is just as dangerous (maybe less so for GitHub, if you trust them) because you can detect curl and deliver malicious code: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...
> this pattern is just as dangerous

As a general pattern, please do not do this. In this specific case I think most people trust the service (GitHub) and their DNS recursor + SSL library. Attacking these is not on the level of "random drive-by phishing", more like "targeted high value state sponsored".

To avoid this discussion I did not include the curl version in my original posting.

Yeah, let's download and blindly run stuff directly from the internet (that may have changed since we last saw it) without saving and trying to read what it does first.

If you can copy/paste the curl | bash, is it really more difficult to copy/paste the original snippet into a text editor[0], and from there, into bash?

[0] https://thejh.net/misc/website-terminal-copy-paste

So you would run code by pasting it from the internet just fine, but doing so via a pastebin is a security risk?
If you C&P it, at least you see what's being C&P'd (although it's up to you to take the trouble to understand it). `| bash`ing it runs it automatically, without even giving you a chance to see it.

EDIT: This comment was based on the assumption that my parent hadn't read carefully. My facile point ignores both the specific vulnerability pointed out by [czinck](https://news.ycombinator.com/item?id=12406080) below, and the general vulnerability that you just can't trust anything pulled in from an external source. I think that redirecting to a file, and viewing the file with something like `:set list` set in `vim`, will work, at least in the sense of showing you the code that will actually be executed (although nothing can save you from not understanding the code), as long as you can trust your own stack. However, it is a near-certainty that this edit will prompt someone to explain how to exploit that. (That may sound like whingeing, but it's just a (happy) acknowledgement of the hacker mentality; unexpected exploitations, as PoCs rather than attacks, are pretty neat, too!)

C&P is not really more secure than curl, as with some JavaScript you can easily mislead users as to what they're copying. Check https://thejh.net/misc/website-terminal-copy-paste and similar PoCs.
It would be kind of ironic to do this.
Let us execute random things from the internet directly on our machines without first checking their sanity.
Is this robust against locating `Transmission.app` somewhere other than `/Applications`? (I put my applications in `~/Applications`, but I don't know the specifics of Keydnap; maybe it ignores applications not in the usual location.)

Might it be better to replace the first two tests with something like `-f /**/Transmission.app/Contents/Resources/License.rtf`?
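As an added example, not the gist's code and not any commenter's, here is the posted indicator list with the two hard-coded `Transmission.app` paths replaced by a `find` over the usual application folders (`/Applications`, `~/Applications` and anything mounted under `/Volumes`), which covers the relocated-application case asked about above without relying on bash's `**` globbing. It is parameterised on a root prefix and a home directory so it can be exercised against a constructed directory tree; the function names are my own.

```shell
#!/bin/sh
# Added example, not the gist's code: the posted indicator list, with the
# two hard-coded Transmission.app paths replaced by a search of the usual
# application folders (including ~/Applications and mounted volumes), and
# parameterised on a root prefix and a home directory so it can be run
# against a constructed directory tree. Function names are my own.

# Print every Keydnap indicator present under ROOT/HOME, one per line.
keydnap_indicators() {
    root=${1%/}; home=${2%/}
    # Fixed-location indicators, as in the posted check.
    for p in \
        "$home/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd" \
        "$home/Library/Application Support/com.apple.iCloud.sync.daemon/process.id" \
        "$home/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist" \
        "$root/Library/Application Support/com.apple.iCloud.sync.daemon" \
        "$home/Library/LaunchAgents/com.geticloud.icloud.photo.plist"
    do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    # The trojanised bundle's License.rtf, wherever Transmission.app lives.
    for dir in "$root/Applications" "$home/Applications" "$root/Volumes"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 5 \
            -path '*/Transmission.app/Contents/Resources/License.rtf' 2>/dev/null
    done
    return 0
}

# Number of indicators found (0 when clean).
keydnap_count() {
    keydnap_indicators "$1" "$2" | grep -c . || true
}

# Human-readable verdict; status 1 when anything was found, 0 when clean.
keydnap_check() {
    hits=$(keydnap_indicators "$1" "$2")
    if [ -n "$hits" ]; then
        printf 'OSX/Keydnap indicators found:\n%s\n' "$hits"
        return 1
    fi
    echo "No OSX/Keydnap indicators found."
    return 0
}

# Check the live system.
keydnap_check / "${HOME:-/nonexistent}"
```

Listing each hit rather than a single yes/no makes it easier to tell a stale DMG still mounted under `/Volumes` apart from the persistence files in `~/Library`, which are the ones that matter.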