
31 GB changelog.xml.rss

Open ghazel opened this issue 6 years ago • 7 comments

Messenger created a 31 GB changelog.xml.rss file, full of private machine data. I noticed because my laptop was out of disk space.

I believe this to be malicious. You can read my reasons here: https://github.com/Homebrew/homebrew-cask/issues/64793

ghazel • Jun 13 '19 12:06

This is concerning. However, note that:

  1. The source code is available right here for you to inspect: https://github.com/rsms/fb-mac-messenger?files=1

  2. The distribution build is code signed with an official cert issued by Apple.

It’s possible this could be a bug in Sparkle, or some different software on your system created that file.

rsms • Jun 20 '19 14:06

I'm certain the file was written to by Messenger. fs_usage caught it.

ghazel • Jun 20 '19 14:06

[Screenshot: Screen Shot 2019-06-20 at 08 16 27]

This is a screenshot from the AWS S3 admin UI (the website and changelog file are served from S3 over HTTPS).

Do you have any more information? Do you have the logs from fs_usage? Can you provide a snippet of the large file that was written for inspection? What version of macOS do you use? (pls also include result from uname -a if possible.) Thanks.

rsms • Jun 20 '19 15:06

10.14.5 (18F132)
Darwin MacBook-Pro.local 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64

ghazel • Jun 20 '19 15:06

I did not keep the file. Running strings on it revealed lots of PDF related file format strings, including strings referencing my version of macOS.

ghazel • Jun 20 '19 15:06

I can confirm that Messenger writes to a file called changelog.xml.rss, so that addition of .rss is normal:

15:03:10  setattrlist       /private/var/folders/zf/w4brt9f91jv2nwxf5h1kzqym0000gn/T/changelog.xml.rss       0.000039   Messenger   
15:03:10  fstat64                                                                                            0.000003   Messenger   
15:03:10    WrData[A]       /private/var/folders/zf/w4brt9f91jv2nwxf5h1kzqym0000gn/T/changelog.xml.rss       0.000119 W Messenger   
15:03:10  close                                                                                              0.000141   Messenger   

ghazel • Jun 20 '19 22:06
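
An added example, not part of the thread or of the project's code: one way to turn fs_usage output like the lines quoted above into a per-process summary of which calls touched a given file. The line shape handled by the regex is an assumption taken only from those four lines, and the fifth sample line and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# First four lines are the fs_usage output quoted in the thread; the last
# line is constructed for this example to show a second process being ignored.
SAMPLE = """\
15:03:10  setattrlist       /private/var/folders/zf/w4brt9f91jv2nwxf5h1kzqym0000gn/T/changelog.xml.rss       0.000039   Messenger
15:03:10  fstat64                                                                                            0.000003   Messenger
15:03:10    WrData[A]       /private/var/folders/zf/w4brt9f91jv2nwxf5h1kzqym0000gn/T/changelog.xml.rss       0.000119 W Messenger
15:03:10  close                                                                                              0.000141   Messenger
15:03:11  open              /private/tmp/example.txt                                                         0.000020   OtherApp
"""

# Assumed line shape (only what the thread shows): time, call, optional
# absolute path without spaces, elapsed seconds, optional "W", process name.
LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<call>\S+)\s+(?:(?P<path>/\S+)\s+)?"
    r"(?P<elapsed>\d+\.\d+)\s+(?:(?P<waited>W)\s+)?(?P<proc>\S+)\s*$"
)

def parse(text):
    """Yield one dict per line that matches the assumed shape."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield m.groupdict()

def touches_by_process(text, filename):
    """Map process -> sorted call names seen on paths ending in filename."""
    seen = defaultdict(set)
    for ev in parse(text):
        if ev["path"] and ev["path"].rsplit("/", 1)[-1] == filename:
            seen[ev["proc"]].add(ev["call"])
    return {proc: sorted(calls) for proc, calls in seen.items()}

def writers(text, filename):
    """Processes with a write-data event (WrData...) on the named file."""
    return sorted(p for p, calls in touches_by_process(text, filename).items()
                  if any(c.startswith("WrData") for c in calls))

if __name__ == "__main__":
    print(touches_by_process(SAMPLE, "changelog.xml.rss"))
    print(writers(SAMPLE, "changelog.xml.rss"))
```

Lines without a path (such as the fstat64 and close entries) are parsed but not attributed to any file, so they do not appear in the summary.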

The very old version of Sparkle you're using did have a bug in this area. It would assume the filename even if NSURLDownload could not guarantee it:

https://github.com/sparkle-project/Sparkle/blob/75551e8d0a0ee1fa3b39840fea504e01865ec81b/Sparkle/SUAppcast.m#L84

ghazel • Jun 20 '19 22:06