OldApps.com under attack, or this is why you checksum.

After finding that Safari couldn’t even properly render text on one of my machines, I went to find an older copy of Firefox from a website I’d used a few times before.i After finding that version 22.0 (pre-Snowden) wouldn’t work, I settled for something in between that and the latest version, 37.0. As if downloading what should’ve been a .dmg file but was in fact an .exe file wasn’t clue enough, it appears that the Firefox 29.0 for Mac at OldApps.com is, how shall we say, diddled.

From their website :ii

Supported Systems: Mac OS X 10.6 (Snow Leopard) (Intel), Mac OS X 10.7 (Lion) (Intel), Mac OS X 10.8 (Mountain Lion) (Intel), Mac OS X 10.9 (Mavericks) (Intel),
MD5 Checksum: DB53A98973A1800AAAC3507AB1416C59
SHA1 Checksum: D51C5CD91BEDA791E3E6F2CC142BC9421E93DCFC
Release Date: 29 April, 2014 (1 year ago )

Compare and contrast with :

$ openssl sha1 /Users/dushenski/Downloads/Firefox\ Setup\ 29.0.exe
SHA1(/Users/dushenski/Downloads/Firefox Setup 29.0.exe)= a4bb872697189e4402ec135aeb993cdb26bb2e0a
$ md5 /Users/dushenski/Downloads/Firefox\ Setup\ 29.0.exe
MD5 (/Users/dushenski/Downloads/Firefox Setup 29.0.exe) = 3a8b2794ae3723a5d2c6ff926e5e3b2c

Doesn’t quite line up, does it ? Next, I also compared the checksums with the figures posted on “Firefox 29.0″ for Winbloze on OldApps.com, just to give them the benefit of the doubt that perhaps a link had improperly re-directed. Nope. No match. I was dealing with a planted mystery file, the kind you expect in spam e-mail from Nigerian princes and b1ockchain.info sc4mzors.

Having never come across this before, I checked out a few other versions of Firefox for Mac on the site, just to see if version 29.0 was an isolated incident :

$ openssl sha1 /Users/dushenski/Downloads/Firefox\ 30.0.dmg
SHA1(/Users/dushenski/Downloads/Firefox 30.0.dmg)= 13929ab1517ab3aaa5e6cbbdee747127f2c0c217
$ md5 /Users/dushenski/Downloads/Firefox\ 30.0.dmg
MD5 (/Users/dushenski/Downloads/Firefox 30.0.dmg) = 6f51b25ca28345504e74f31bbadf8995

$ openssl sha1 /Users/dushenski/Downloads/Firefox\ 28.0.dmg
SHA1(/Users/dushenski/Downloads/Firefox 28.0.dmg)= 68c745c0dd4f4cf74f2c3cfb2b4cd134c7020a60
$ md5 /Users/dushenski/Downloads/Firefox\ 28.0.dmg
MD5 (/Users/dushenski/Downloads/Firefox 28.0.dmg) = 6e6edf9f503062c0e0b887cd3e3853ca

$ openssl sha1 /Users/dushenski/Downloads/Firefox\ 27.0.dmg
SHA1(/Users/dushenski/Downloads/Firefox 27.0.dmg)= 967d86c5e0258d12057781fc8ae4b13e83e31bad
$ md5 /Users/dushenski/Downloads/Firefox\ 27.0.dmg
MD5 (/Users/dushenski/Downloads/Firefox 27.0.dmg) = 74cdfc38bb44f56b2f06915f38250624

All of which matched the posted checksums and downloaded the expected file format. I dunno what’s so special about “Firefox 29.0 for Mac” but someone seems to think that it’s a prime opportunity to reel in lazy suckers who don’t want or trust the latest “updates.”

So what can I say, the world is fundamentally hostile. Keep your head up out there.

___ ___ ___

UPDATE I : The mysterious “Firefox 29.0″ file is hosted here for posterity.
UPDATE II : The Winbloze version of “Firefox 29.0″ also doesn’t verify with its posted checksumsiii and in fact leads to the same malicious file as the Mac version. Fuckin’ eh !

And the Linux version ? There’s no non-beta version 29.0 for Linux hosted at OldApps.com. Hmm…

___ ___ ___

  1. No, the files aren’t signed, but at least there are checksums. Frighteningly, this is more protection and assurance than offered by pretty much every other non-WoT download source. IKR ! []
  2. Link is here, though you have to click “download” to bring up the page listing the relevant checksum details. []
  3. MD5 Checksum DB53A98973A1800AAAC3507AB1416C59
    SHA1 Checksum D51C5CD91BEDA791E3E6F2CC142BC9421E93DCFC []

2 thoughts on “OldApps.com under attack, or this is why you checksum.

  1. The attack, destruction, or otherwise debasement of OldApps.com has intensified since this was posted just two months ago.

    Not only has the e-mail I sent their “support team” informing them of the issue gone unanswered to date, but they’ve removed the checksums from their download pages, a number of the pictures throughout the site are broken, and the landing page is now missing its graphical formatting.

    It’s sad, really. They used to have something there. And now it’s been left to the weeds.

    • Go figure that I’d make a big scene and then realise the error of my ways not 24 hours later. Turns out that the checksums are still there, I just hadn’t clicked on the “download” link… Ayup. What a noob, eh ?

      Still, they never answered my email ! And the same presumably malicious “Mac” FF29.exe file is still being hosted !!!1

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>