adware extensions erode trust in Apple, Google app stores
Browser extensions are a staple of almost every user’s setup. Even in managed environments, users are often able to install extensions or ‘Add Ons’ without authorisation when these are sourced from trusted sources like Apple’s Safari Extensions Gallery and Google’s Chrome store. Of course, there’s nothing new about attackers exploiting the browser extension as a means to gaining a foothold in a target environment. The problem has been around for years: what is surprising is just how difficult it is to contain the problem. In this post, I take a look at the risks involved with what appears to be a harmless extension available for both Safari and Chrome. As we’ll find out, not everything is as it seems.
malware can make Safari windows invisible
Given news that some hackers are using websites to mine cryptocurrency even when users apparently close their browser on Windows, I got to wondering whether a similar exploit would work on macOS.
As the video above shows*, a malicious app can easily hide an open Safari window from all desktop workspaces, making it incredibly difficult for users to notice or to make visible again even when they do. This trick can be exploited without elevated privileges, and it doesn’t matter whether the malicious app is code-signed or not.
An invisible Safari window is a problem because it could be running scripts, mining cryptocurrency, redirecting to sites for adware revenue or doing all manner of other things. Note the window could contain multiple tabs that the user may have already been tricked into opening before the window is made invisible.
As can be seen in the video, the Safari window isn’t in another full screen workspace, or minimized in the Dock or hidden by any other window or toolbar (as in the Windows 10 trick).
On the contrary, it can’t actually be found anywhere, and nor will Window > Bring All To Front help. If you open a new window and then try to use Merge All Windows to bring the hidden window out, all that happens is your new window will disappear with the hidden window too.
The only visible indicators that there’s an invisible window open are the window list in the Window menu, and the invisible outline revealed by Expose (four-finger swipe down).
So what if you find there is an invisible window hiding from you, how do you get it back?
To retrieve and kill the hidden window, you need to click View > Enter Full Screen, then click the red close button. Don’t click the green button to take it out of full screen though, as that’ll just cause it to hide again, with a nice animation that you can see on the video!
Another day, another hacker trick to watch out for folks!
* This vulnerability was demonstrated on 10.12.6. It also exists in both 10.11.6 El Capitan and 10.13.2 High Sierra.
how to recover Safari from a browser hijack
The quickest way to get out of a persistent popup that won’t go away (unless you do what it demands!) is to quit or force quit* the browser then restart Safari holding down the ‘Shift’ key.
Holding down Shift allows Safari (or any other app) to restart without resuming its last state.
While this is a great, fast way to solve the problem, it can be annoying if you had other tabs open, and you don’t want to lose those too (or any unsaved data they may contain).
1. Go to Terminal and paste this command (it’s all one line):
2. Reopen Safari
You’ll get all your tabs back including the hijacked tab, but the pop up won’t appear, and you can now close the hijacked tab.
(alternatively you can do that in Terminal).
Don’t forget this step, or you’ll think the web is broken!
More sophisticated or persistent adware and malware attacks can be mitigated by using apps like my free App Fixer or DetectX.
*You can force quit an app by pressing the following keys in combination on your keyboard <command><option><esc> then choosing the app you want to quit.
how to block Flash in Safari
If you’re worried about news like yet another Flash vulnerability, the first thing to note is that Apple has moved to block all but the latest version.
However, given that exploits of Flash seem to occur sometimes within days of even new releases, it might be wise to think about blocking Flash altogether in your day-to-day browser.
Fortunately, that’s pretty easy to do in Safari. Just go to Safari’s Preferences > Security tab, and uncheck the ‘Allow Plug-ins’ box at the bottom. You can manage which websites are allowed access to Flash from the adjacent button, but an alternative strategy is to use a different browser (Firefox or Opera for example) for only viewing sites where you need Flash access.
Either way, it seems wise to make sure that Flash isn’t allowed unrestricted access on your main browser.
Transmission – Port is closed
I don’t often get into 3rd-party software or non-Mac hardware issues, but here’s a little trick I discovered today that could prevent a situation that adversely affects Safari and other network software.
Not so long ago I bought a new router, and everything was working fine. However, when I recently fired up Transmission, I found that not only were my downloads not so fast as I’d normally expect, but that all internet browsing was completely throttled. Basically, Safari would just get stuck half way into loading a page and eventually timeout. Killing Transmission would immediately restore Safari’s connectivity.
Looking in Transmission’s preferences ‘Network’ pane revealed that the port was either closed (red button) or the port could not be checked (yellow button). Now there are a number of reasons this can happen, but since I knew nothing had changed except my router since the last time Transmission was successfully used, I decided to go check out some of the router’s settings.
To do this, quit Transmission if it’s running, then enter your router’s IP address in Safari’s search bar. Typically, this will be something like 192.168.1.1, but if you’re not sure, you can find your router’s IP using my free utility ‘FastTasks‘.
Once you’re in your router’s admin pages, look for Advanced network settings. In my router, I found a bunch of firewall and network protocols (see the first screenshot below). Neither disabling UPnP had any effect (those were my first thoughts about the likely culprit), but turning off the ipSec PassThrough option sure did, with the upshot that Safari and Transmission are not only playing nicely together again, but Transmission’s download speeds have markedly improved. 🙂
Here are the settings I used to get back up and running; see if you can find similar options if you’re experiencing the same problem.
Turning off ‘ipSec PassThrough’ in my Router’s Advanced Settings:
search Safari Reading List
This is something I’ve been thinking about for a while. I have a pretty long Reading List and Spotlight often fails to find things in it. For that reason I came up with this little script which you might find useful.
1. Open up Automator by typing auto in Spotlight.
2. Click on ‘Service’ (the big cog wheel) and then ‘Choose’.
3. Change the Service receives option to “No input” from the dropdown menu.
4. In the small filter bar to the left, type ‘run app’. You should see an action called ‘Run AppleScript’ in the second column. Drag it to the big pane on the right.
5. Select all the purple text inside the window and delete it. You don’t need any of it.
6. Command click on the image below, and copy the code from the pastebin page that opens up in another Safari tab. Paste the code into the Automator pane.
7. Hit ‘Command-S’ and give it a name like ‘Search Safari Reading List’. Click ‘Save’ (note: you do not specify a location for the save as it will automatically be saved in your ~/Library/Services folder).
8. Now click on the main menu for any app and have a look in the Services submenu. You should see your new service there (to add the keyboard shortcut, see Step 10 below).
9. Test it to make sure it works as expected. You should end up with something that looks like this:
10. If you want to assign a universal shortcut key like mine in the screenshot from Step 8, do so by going to > System Preferences > Keyboard > Keyboard shortcuts. Look in Services for the name you gave it and add the shortcut by clicking in the empty space to the far right of the name.
A note on usage:
The reading list is really just a list of special bookmarks, with one difference: they contain short snippets or previews from each page. This has an impact on the way my script works in the following way: if the search string is in the preview snippet but isn’t in the URL, you’ll get back the line from the snippet but you won’t get the URL. It might be possible to code round that, but I haven’t had time to figure it out yet. If that’s a feature you want, send me a nag mail and I’ll put it on my list of things to do! ;). Otherwise it appears to function quite well as a workaround for the lack of a proper search facility.
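As an added example (not the script from this post), here is one way to search the Reading List so that a match in the preview snippet still returns the entry's URL. It assumes Safari stores the list in `~/Library/Safari/Bookmarks.plist` under a folder titled `com.apple.ReadingList`, with `URLString`, `URIDictionary.title` and `ReadingList.PreviewText` keys; the function names and the sample data are constructed for illustration.

```python
import plistlib
from pathlib import Path

# Assumed location and layout of Safari's bookmark store (not stated on the page).
BOOKMARKS = Path.home() / "Library/Safari/Bookmarks.plist"
READING_LIST_TITLE = "com.apple.ReadingList"


def reading_list_items(root):
    """Yield (title, url, preview) for every entry in the Reading List folder."""
    for folder in root.get("Children", []):
        if folder.get("Title") != READING_LIST_TITLE:
            continue  # skip the bookmarks bar, menu and other folders
        for item in folder.get("Children", []):
            title = item.get("URIDictionary", {}).get("title", "")
            preview = item.get("ReadingList", {}).get("PreviewText", "")
            yield title, item.get("URLString", ""), preview


def search_reading_list(root, query):
    """Case-insensitive search of title, URL and preview; the URL is always returned."""
    needle = query.casefold()
    hits = []
    for title, url, preview in reading_list_items(root):
        fields = (("title", title), ("url", url), ("preview", preview))
        matched = [name for name, text in fields if needle in text.casefold()]
        if matched:
            hits.append({"title": title, "url": url, "matched": matched})
    return hits


def load_bookmarks(path=BOOKMARKS):
    """Parse the plist from disk; plistlib handles both binary and XML forms."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


# Constructed sample mirroring the assumed layout, so the example runs offline.
SAMPLE = {"Children": [
    {"Title": "BookmarksBar", "Children": [
        {"URLString": "https://example.com/bar", "URIDictionary": {"title": "Bar link"}}]},
    {"Title": READING_LIST_TITLE, "Children": [
        {"URLString": "https://example.com/a", "URIDictionary": {"title": "Router tips"},
         "ReadingList": {"PreviewText": "Turning off a passthrough option fixed it"}},
        {"URLString": "https://example.org/safari", "URIDictionary": {"title": "Browser notes"},
         "ReadingList": {"PreviewText": "Nothing relevant here"}}]}]}

if __name__ == "__main__":
    for hit in search_reading_list(SAMPLE, "passthrough"):
        print(hit["url"], hit["matched"])
```

To run it against a real list, pass `load_bookmarks()` instead of `SAMPLE`; on macOS 10.14 and later the calling terminal needs Full Disk Access to read files under `~/Library/Safari`.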
disable captive network assistant
If you use coffee shop wifi services or others that require internet login, you’ve probably noticed in both Lion and Mountain Lion that OS X will produce a pop-up Safari window asking you to login. This can be annoying for several reasons:
1. The window floats on top and gets in the way if you’re trying to do something else
2. The window doesn’t keep cookies or allow plug-ins like 1Password, so you have to enter the login details manually every time
3. Sometimes the pop-up window will simply produce an error message that it can’t connect to the network. You either have to dismiss it manually or wait for it to go (it’ll normally auto-close after about 30 seconds)
If you find this behaviour annoying and want to stop it, there’s a very simple solution (and one that’s also easy to undo if you want to reverse it). Here’s what you do.
1. First go to
[Hard Disk] > System > Library > CoreServices > Captive Network Assistant.app
Click on the app once, and hit ‘return’ on your keyboard. This will make the name editable.
2. Hit the ‘left arrow’ key once to move the cursor to the beginning of the name and to unselect the text.
3. Type an ‘X’ (actually any letter will do, but I like ‘X’ so I can easily find the app later at the bottom of the list even if I forgot its exact name).
4. Hit ‘return’ on the keyboard. At this point, OS X will ask you to provide an Admin password as only Admin users are allowed to mess with files in the System directory. Type in your password and hit ‘OK’.
The name should now read ‘XCaptive Network Assistant.app’.
And that’s it! Captive Network Assistant will never run again unless you decide to change its name back to what it was (to do so, just repeat the procedure above and remove the ‘X’). Of course, you can still login to your internet or coffee shop wifi services by opening a normal browser window. The bonus is now your browser can fill the login details from cookies (if enabled) or your password manager.
featured picture: illuminated jellyfish by weaverglenn
problems with wifi, Safari and Mountain Lion
If you’ve upgraded to Mountain Lion and traded swift wifi and fast Safari for a flakey internet connection and sluggish browser, you are not alone. Widespread reports of problems with wifi, Safari and Mountain Lion have been mounting ever since July 25th. However, unlike the lengthy debacle with similar wifi problems experienced after the Lion upgrade last year, a lot of users are finding their problems can be solved by using one or more of the tips below.
1. Create a new location and renew the DHCP lease
OS X Daily have a step-by-step procedure here that is proving hugely successful. Don’t forget to follow their second step about changing the MTU value while you’re at it.
2. Reset default system preferences
If that didn’t do it for you, it’s time to roll up your sleeves and enter Terminal! Open the Terminal.app from
and paste this command
then press ‘return’.
You will need to restart your mac to see if this has had any beneficial effect, so do that now.
3. Do PRAM & SMC resets
If you’re still suffering problems, it’s time for a couple of system resets. To do the SMC reset you will need to see what kind of mac you have, as the procedure is different for some models. Take a look here and follow the instructions for your model.
Before powering up after the SMC reset, also take the trouble to do a PRAM reset. To do that:
i. Ensure the machine is powered off.
ii. Locate the following keys on your keyboard in preparation for Step 4:
‘command’ – ‘option’ – ‘P’ – ‘R’
iii. Press the ‘power on’ button.
iv. Immediately – and before the grey screen appears – hold down ‘command-option-P-R’ all together.
v. Keep them held down until you’ve heard the start-up chime twice. After you release them you should hear it again, and hopefully your Mac will boot up without wifi/Safari issues.
4. Check Wifi connection
And if that doesn’t work? Time to check your wifi connection. See how strong your signal-to-noise ratio is. You need something in the order of 25 or higher. To find out whether your signal is strong enough, hold down the ‘option’ key and click on the wifi icon in the menu bar. Choose Open Wifi Diagnostics from the menu.
When you see the welcome screen, ignore the ‘Continue’ button and instead press ‘command-N’ on your keyboard.
Click wifi scan in the task bar and scroll to the right where you will see two numbers, ‘signal’ and ‘noise’. Ignore the minus ‘-‘ signs, and subtract the signal number from the ‘noise’ number. Anything over 25 is a good enough signal, below that and the signal is too weak for a reliable connection. Over 40 is excellent (in the example below, you can see the SNR is 34, a pretty good signal for a home router located on the next floor).
If your SNR is lower than 25 you need to either move the computer closer to the router or find a better connection. If the ‘Noise’ shows a very low figure (equals more noise), you can try changing the channel on your router. Look at the other routers in the list and if they are using the same channel as yours, switch your router to something else between 1 and 11.
5. Reinstall OS X
If all else fails…some users are reporting that simply reinstalling OS X is solving the problem for them. Reinstalling doesn’t touch your Apps or user data, but it’s always wise to make sure you have a backup before undertaking such an operation.
To reinstall, restart the computer while also holding down ‘command-R’ on the keyboard. From the Utilities window that opens up, choose ‘Reinstall OS X’.
Still having problems? Let us know in the comments below.
featured picture: Internet by ~vagraine
block MacKeeper and other browser ads
Generally, I like to keep browser extensions down to a minimum, but here’s an essential one if you are tired of all those ‘Clean your mac’ / ‘Speed up your mac’ ads on every website you visit. Download and install the Safari adblock extension from here:
What I like about this particular adblocker is that, if you go with the default filters, not only does it load your pages faster but it also reformats the page as if the ads were never even there, rather than leaving unsightly, blank placeholders in the page as some other ad filtering services do.
The extension is free, though you’re encouraged to donate if you appreciate the work done by the developer. 🙂
how to uninstall MacKeeper