Homebrew-cask: Messenger misbehavior

Created on 13 Jun 2019 · 18 Comments · Source: Homebrew/homebrew-cask

I believe the Messenger app in cask ( https://github.com/Homebrew/homebrew-cask/blob/master/Casks/messenger.rb ) to be malicious. At the very best it has a horrible bug.

Today I found a 31 GB file called changelog.xml.rss in my /private/var/folders, which was full of content certainly not XML or RSS. It appeared to be a binary file, and had a lot of PDF strings. fs_usage revealed that Messenger accessed it.

This is not a bug report for Messenger. This is a request that Homebrew remove the app.

All 18 comments

be malicious. At the very best it has a horrible bug.

Those are insanely different claims.

This is not a bug report for Messenger.

It very much is. Their app is open-source. At the very least this deserves to be asked about on their issue tracker.

This is a request that Homebrew remove the app.

Because of an unproven hunch from a random user? We know you as much as we know them. For all we know you have some beef with them and want them removed because of that.

Removing the cask and doing nothing else is a disservice. If the app is malicious, every user needs to know, just having HBC users suddenly not being able to download it with no justification won’t make a dent.

I’ve uploaded this to VirusTotal and it didn’t detect anything. Until your claim of it being malicious is proven, there’s no reason to delete this. If you want to prove it, open a bug report with them.

Still, I’ll ping people who may be interested in doing checks of their own: @core-code @claui @sandrodz.

Well, I disagree that reporting it to them would have any effect.

My analysis has shown it’s very likely coming from their auto update server, so scanning their binary is pointless.

My analysis has shown it’s very likely coming from their auto update server, so scanning their binary is pointless.

@ghazel Would you mind sharing a few details from your analysis to back up your claim?

The file name of the temporary file is (basically) the same as the file for their Sparkle update url (SUFeedURL in the Info.plist). It seems highly likely that they (or someone in control of their server) is attempting to abuse that channel. The contents of the abhorrent file indicate some of the PDF content was generated from the latest macOS (which I was running), so it’s at least possible my machine was triggered to generate it.
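The check the reporter describes, reading the Sparkle feed URL (SUFeedURL) from the app's Info.plist and comparing its file name with the temp file seen in fs_usage, as an added example that is not part of this thread or of the Messenger project. It also reports the two things an investigator would want to know before treating the update channel as a plausible delivery path: whether the appcast is fetched over HTTPS and whether a Sparkle signing key (SUPublicEDKey or SUPublicDSAKeyFile) is declared. The bundle id, feed URL, key value and temp-file path below are constructed placeholders, not the real app's values.

```python
"""Audit an app bundle's Sparkle update configuration from its Info.plist.

Added example; not code from the thread or from the Messenger project.
Only standard-library modules are used (plistlib reads both XML and
binary plists), so it runs on any platform against a copied Info.plist.
"""
import plistlib
import posixpath
from urllib.parse import urlparse

# Constructed sample Info.plist with a weak Sparkle configuration:
# plain-HTTP feed and no signing key. Bundle id and URL are hypothetical.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sparkleapp</string>
  <key>SUFeedURL</key>
  <string>http://updates.example.invalid/changelog.xml</string>
  <key>SUEnableAutomaticChecks</key>
  <true/>
</dict>
</plist>
"""

# Same constructed bundle with the settings an auditor would expect:
# HTTPS feed and an EdDSA public key (placeholder value, all-zero key).
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sparkleapp</string>
  <key>SUFeedURL</key>
  <string>https://updates.example.invalid/changelog.xml</string>
  <key>SUPublicEDKey</key>
  <string>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</string>
</dict>
</plist>
"""


def load_bundle_plist(app_path):
    """Read <App>.app/Contents/Info.plist from a real bundle on disk."""
    with open(posixpath.join(app_path, "Contents", "Info.plist"), "rb") as fh:
        return fh.read()


def audit_sparkle_config(plist_bytes):
    """Return the feed URL, its file name and a list of weaknesses found."""
    info = plistlib.loads(plist_bytes)
    feed = info.get("SUFeedURL")
    findings = []
    result = {
        "bundle_id": info.get("CFBundleIdentifier"),
        "feed_url": feed,
        "feed_basename": None,
        "findings": findings,
    }
    if not feed:
        findings.append("no SUFeedURL: Info.plist declares no Sparkle feed")
        return result
    parsed = urlparse(feed)
    result["feed_basename"] = posixpath.basename(parsed.path)
    if parsed.scheme != "https":
        findings.append("feed not HTTPS: appcast can be altered in transit")
    if not (info.get("SUPublicEDKey") or info.get("SUPublicDSAKeyFile")):
        findings.append(
            "no SUPublicEDKey/SUPublicDSAKeyFile: updates are not "
            "signature-checked, so whoever controls the server controls the app"
        )
    if info.get("SUEnableAutomaticChecks") is True:
        findings.append("automatic checks enabled: feed is fetched without user action")
    return result


def temp_file_matches_feed(observed_path, feed_basename):
    """Does a temp file seen in fs_usage share its name with the appcast file?

    The thread's observed name (changelog.xml.rss) differs from a plain
    changelog.xml only by a trailing extension, so the stem is compared too.
    """
    observed = posixpath.basename(observed_path)
    return observed == feed_basename or observed.startswith(feed_basename + ".")


if __name__ == "__main__":
    for label, plist in (("weak", WEAK_INFO_PLIST), ("hardened", HARDENED_INFO_PLIST)):
        report = audit_sparkle_config(plist)
        print(label, report["feed_url"], report["findings"] or "no findings")
    # Hypothetical path in the style of the one reported in the thread.
    print(temp_file_matches_feed("/private/var/folders/xx/T/changelog.xml.rss", "changelog.xml"))
```

A name match alone proves nothing about who wrote the file, which is the maintainers' point below; it only tells you which component to examine next. The two findings that matter for the "someone in control of their server" theory are the scheme and the missing signing key, because a signed appcast limits what a compromised server can push.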

Well, I disagree that reporting it to them would have any effect.

Yet, you haven’t tried. So what you’re saying is you don’t know. Again, they’re an open-source app. If they’re doing something malicious, the community needs to know. Silently removing it from Homebrew Cask won’t do a thing to stop the behaviour. It’s not an insanely popular cask:

messenger (added 1526 days ago)
30 days: 130 (#534)
90 days: 297 (#601)
365 days: 910 (#615)

But it seems to be a popular app (2863 stars at the time of writing). Also, its last update was two years ago, so if it is malicious it might be doing shady things from at least then.

scanning their binary is pointless.

Again, you don’t know!

@ghazel Would you mind sharing a few details from your analysis to back up your claim?

I reinforce that request. You can’t just say “oh, I’ve checked” and have us take your word. You’re not a regular user here, so we don’t know you.

The file name of the temporary file is (basically) the same as the file for their Sparkle update url

So it’s not even the same name. changelog is a common name for a feed.

they (or someone in control of their server)

You’re suggesting they might have been hacked, and still you think making that point in their bug tracker is pointless? If they have been compromised, they need to know!

None of your claims is definitive. Up until now, they’re just guesses. That would be fine if you were just suggesting the app might be malicious and were asking for help to confirm it, but you’re outright asking for its removal. Your claims require proof. Open an issue with them.

Your defensive arguments aren’t helping. I raised the concern with the closest upstream channel that should be concerned. Feel free to ignore it if you don’t care about the software you’re linking to.

@ghazel If further analysis shows the app is malicious, we’re going to remove the cask immediately. We do care about our users staying safe and secure. We just need more information to make an informed decision. I strongly recommend that you raise your concerns with the upstream project.

In the meantime, we’re happy to support your analysis but to do that, we really need to know more about your observations, not conclusions.

Your defensive arguments aren’t helping.

My arguments aren’t defensive. I have as much reason to defend them as I have to defend you. I don’t use messenger and have no concern for their app. If anything, I’m more on your side because I’m always glad to remove problematic casks (less maintenance burden) and my concern is the users of Homebrew Cask. My comments on this tracker prove that claim, as do my PRs.

But you haven’t proven your claims. Think about it from our point of view. Would you feel comfortable if we just took any request from any random user without verifying it?

I raised the concern with the closest upstream channel that should be concerned.

The closest upstream channel that should be concerned is them.

@claui’s last comment sums it up. We’re open to pursue this issue further, but we need more than the vague claims you’ve made so far.

In the meantime, we’re happy to support your analysis but to do that, we really need to know more about your observations, not conclusions.

My observations are necessarily post-hoc, so they seem a lot like conclusions. The smoking gun is the fs_usage observation. What else could I provide?

What else could I provide?

For one, you could provide a public conversation on their issue tracker where you expose the problem. By your own admission, this can also be a bug or a hacked server, so let’s sort that out first.

If they don’t respond, we can think about next steps then.

I appreciate that line of reasoning, but I don’t expect it to be productive if either of my theories is right.

but I don’t expect it to be productive if either of my theories is right.

Your theories are: malicious intent, bug, hacking. For two thirds of them, it’s in their best interest to reply.

The bug theory was mildly facetious, but whatever. Their server being hacked is not something we can expect them to understand, diagnose, or solve.

I raised the concern with the closest upstream channel that should be concerned.

We are not the closest channel which should be concerned, https://github.com/rsms/fb-mac-messenger is, so please open an issue there first and then link to it.

And then, like @vitorgalvao said:

If they don’t respond, we can think about next steps then.

Their server being hacked is not something we can expect them to understand, diagnose, or solve.

Their server being hacked is solely resolvable by them. How do you know what to expect from them if you don't even try to contact them?

Homebrew links to this app. That’s why I reported it here. If you think you should keep doing so, feel free to.

Homebrew links to this app.

And from the start we’ve been adamant that the last line of defence is the user. This has been pointed out ad nauseam in the tracker and the FAQ.

If you think you should keep doing so, feel free to.

Quite frankly, by this point I’m more suspicious of the fact you’re refusing to open a bug report with them. In the time and words you’ve spent arguing against opening one, you could’ve done so three times over.

You don’t lose anything by making the bug report. If they reply, we have more information; if they don’t, we’re in the same position.

Either you make the bug report, or there’s no point to continuing this conversation.

There’s clearly no point to continuing this conversation either way.

I encourage you to open the bug report if you feel so inclined. You have a slight chance of repairing software Homebrew links to, which its users generally trusted.

There’s clearly no point to continuing this conversation either way.

Oh, but there is, if you open the bug report, which you still refuse to do. Doing so has the chance to warn more users than removing the cask. If you make the claim in their tracker, they either don’t respond / try to silence it (looks bad for them) or they do respond and we get to the bottom of it.

You have a slight chance of repairing software

So far, everything indicates the software isn’t broken. There’s nothing to repair.

Homebrew links to, which its users generally trusted.

Don’t worry, I’m pretty sure our users still trust us. They trust us to do our due diligence and evaluate the validity of malware claims, which we do with the help of the community. We’re human and thus not perfect, so mistakes are bound to happen. That is why we’re adamant the last line of defence is the user. We do appreciate when we’re informed of problematic software, but it shouldn’t be controversial that if you’re accusing others of being malicious, you should be able to back up that claim with more than faint suspicions.

For any other user landing here in the future, if you’re able to shed more light on this issue, you’re welcome to open a new issue. We will be open to resolving the problem, but we need you to also be open to cooperating with us. Homebrew Cask is a community project; we’re all volunteers working for the same goal.
