Uninstall the Nightowl App, now. (robins.one)
from tedu to cloudsec on 08 Aug 2023 22:29

I think it counts as cloud security if your desktop computer is surreptitiously enrolled in somebody else's cloud.

The daemon uses ‘sudo’ to switch from running as the root user, to the main user account, and then starts an instance of nightowl_t.dylib (which is actually a copy of tinyproxy, which is licensed under GPLv2, and does not contain the GPL license notice, so this might actually be a violation!), which acts as a HTTP(S) proxy and runs on port , It opens up a SSH connection (using autossh, renamed nightowl_a.dylib, which doesn’t have a license) to testconnectuser2023@proxy-gw1-europe.squidyproxy.com on port 2043, using a public key it drops in /tmp (it has a .uu extension), using the -R port to tunnel a port on the remote machine to the local machine. (it retrieves this by making a request to proxy-api1.squidyproxy.com over HTTPS). This domain was registered with GoDaddy in April 2022, and the IP address is hosted by Microsoft.

#cloudsec #mac

threaded - newest