-1

On macOS Sierra, I am getting this popup asking me to enter my administrator's username and password in order to install some "Slack helper tool".

enter image description here

  • How do I know this popup is from my system and not from some malicious program?
  • It appears at random times.
  • When the popup is active no other app is "selected" in the Dock.
  • When I look at the processes in Activity Monitor the popup does not seems to have it's own process while there are already several "Slack Helper" processes running.

If this is legit it seems like a terrible design to me.

EDIT: Even if I identified the process of the window, how could I know the process is from the system? Unlike in Window's task manager, all the processes in the Activity Monitor are from "User" myself.

daniel.sedlacek
  • 954
  • 1
  • 8
  • 15
  • 1
    In Activity Monitor there is an option under the view menu to see processes from all users. – Hector Jan 15 '18 at 09:53
  • I agree with checking the process name in activity monitor, but as a first sanity-check step I'd look in the upper left hand corner of your screen and make sure the popup belongs to a plausible app (ie not Safari or something in which case it's likely phishing) – winhowes Jan 15 '18 at 18:39
  • Related: https://security.stackexchange.com/q/167412/61443 – Mike Ounsworth Dec 11 '18 at 19:07

1 Answers1

1

The popup certainly looks like a legitimate one. To be certain you would want to verify to which process it belongs and from there verify you trust the underlying executable.

This answer shows one way to identify the process for the window. The ps command should allow you to find the underlying executable.

If this is legit it seems like a terrible design to me.

The ability of applications to fake OS input fields is a known issue. There is ongoing work to find better ways to perform tasks like this.

Hector
  • 10,923
  • 3
  • 41
  • 44
  • 1
    "The popup certainly looks like a legitimate one" - based on what? And what would prevent me from creating an identical popup? – daniel.sedlacek Jan 15 '18 at 09:28
  • Even if I identified the process of the window, how would I know the process is from the system? – daniel.sedlacek Jan 15 '18 at 09:31
  • 1
    @daniel.sedlacek - in that that is exactly what a legitimate popup does look like. As stated at the bottom it is trivially easy to imitate this. As for your "all processes" comment its on the view menu for Activity Monitor or you can use "ps aux". – Hector Jan 15 '18 at 09:52