BigBoss repo allegedly hacked [updated]

Jul 18, 2014


BigBoss, one of the default repositories for jailbreak tweaks in Cydia, has allegedly been hacked by an individual or a group of individuals whose identity is still unknown.

The attackers were apparently able to gain access to all packages (paid and free) that are available in the BigBoss repo, and made the deb index and database available for download. The assailants went as far as creating a new repo which can be added to Cydia to download all BigBoss-hosted tweaks.

As is always the case when this type of security breach happens, jailbreak users should be cautious and stay away from this repo.

Dubbed ripBigBoss, the website and companion repo cite Saurik’s recent “Competition vs Community” as the motivation for their actions, pushing the use of the #WhichSideAreYouOn and #SupportTheCompetition hashtags. It’s important to note that this rhetoric could well be a disguise meant to cover their tracks and put the blame on different groups of people.

We strongly advise jailbreak users not to install or download any tweaks from this new repo. Besides the obvious moral concern over downloading pirated tweaks, users could put themselves at risk of installing malware on their devices without their knowledge.

BigBoss repo manager 0ptimo has yet to comment on this security breach, but it is safe to assume he’s probably hard at work on securing his assets to prevent a future breach.

As a safety measure, and until official parties shed more light on this, we suggest not installing or updating tweaks that are hosted in the BigBoss repo. While it is very unlikely that malware was injected into the official repo, you’re better safe than sorry.

Note that we purposely did not link to the ripBigBoss website, which you may visit at your own risk.

We have reached out to BigBoss and SaurikIT for comments and we’ll update this post accordingly if we get any information from them.

Update: We have received the following statement from Saurik:

This article mentions malware being potentially injected into the BigBoss repository; we do not believe this to be the case. Packages in Cydia repositories are cryptographically verified from the repository package index. I have an index of all historic changes to the package indices for default repositories, and have verified that the content on BigBoss did not change in ways that the repository administrators did not expect.

Update 2: According to hacker @compiledEntropy:

Regarding malware in the ripbigboss repo: I downloaded all the packages and checked their MD5s against the MD5s listed by bigboss.

All the packages had matching checksums other than the ones listed here:

Any packages not listed are guaranteed not to have malware. Other packages probably don’t either, but I haven’t explicitly checked.
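The check described in Update 2, comparing downloaded .deb files against the digests in a repository's package index, can be sketched as follows. This is an added example, not code from the article or from anyone quoted in it; it assumes the index was fetched from the original repository and uses the standard Debian `Packages` fields (`Filename`, `Size`, `MD5sum`, `SHA256`), and every package name, path and byte string in it is constructed.

```python
import hashlib

def parse_packages_index(text):
    """Parse a Debian-style Packages index into a list of field dicts."""
    entries = []
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            entries.append(fields)
    return entries

def verify_debs(index_text, files):
    """Map each Filename to ok / mismatch / not-in-index / missing-file."""
    by_name = {e["Filename"]: e for e in parse_packages_index(index_text)
               if "Filename" in e}
    results = {n: "missing-file" for n in by_name if n not in files}
    for name, data in files.items():
        entry = by_name.get(name)
        if entry is None:
            results[name] = "not-in-index"   # nothing trusted to compare against
            continue
        # Prefer SHA256 when the index carries it: MD5 is not collision resistant.
        algo, field = ("sha256", "SHA256") if "SHA256" in entry else ("md5", "MD5sum")
        expected = entry.get(field, "").lower()
        size_ok = entry.get("Size") in (None, str(len(data)))
        digest_ok = hashlib.new(algo, data).hexdigest() == expected
        results[name] = "ok" if size_ok and digest_ok else "mismatch"
    return results

# Constructed sample: a trusted index and a mirror with one altered and one extra file.
GOOD, OLD = b"constructed deb bytes A", b"constructed deb bytes B"
SAMPLE_INDEX = f"""Package: com.example.alpha
Filename: debs/alpha_1.0.deb
Size: {len(GOOD)}
MD5sum: {hashlib.md5(GOOD).hexdigest()}
SHA256: {hashlib.sha256(GOOD).hexdigest()}

Package: com.example.beta
Filename: debs/beta_2.1.deb
Size: {len(OLD)}
MD5sum: {hashlib.md5(OLD).hexdigest()}
"""
MIRROR = {"debs/alpha_1.0.deb": GOOD, "debs/beta_2.1.deb": OLD + b"!",
          "debs/extra_0.1.deb": b"unknown"}

if __name__ == "__main__":
    for name, status in sorted(verify_debs(SAMPLE_INDEX, MIRROR).items()):
        print(status, name)
```

A file reported as `mismatch` or `not-in-index` is only unverified, not proven malicious; it differs from, or is absent from, the index it was compared against.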

  • Heru Alkebu-lan

    When I first heard about Sorek’s essay on competition my
    attention was drawn to his closing remarks which in my opinion was a not so
    veiled threat to abandon the jailbreak community and to take his tools and
    resources with him rather than feeling compelled to compete with others. My
    initial reaction to these comments was envisioning the spoiled kid on the block
    who owned the football and would threaten to shut the game down; take his ball
    and go if folks didn’t play by his rules. Needless to say, after having taken
    the time to read Sorek’s perspectives in their entirety, I concluded that he did
    indeed present a compelling argument in support of his opinion. Additionally, I was intrigued by the peek
    into his mind and the levels of complexity involved in the day to day development
    and management of Cydia from a behind the scenes vantage point. Though I don’t agree with everything Sorek
    wrote, I must admit that I found his honesty and the fact he had the balls to
    put it out there like that knowing all too well that such an opinion from someone
    of his stature within the jailbreak community would most certainly generate a substantial degree
    of controversy oddly refreshing.

    I believe that most of the controversy centers around the
    differences between theory and practice.
    Theoretically I could agree with Sorek’s notion that a more egalitarian
    business model might be more conducive to creativity and innovation. The stark reality though is that the practice
    of capitalism is rooted in competitiveness and that its absence is monopoly. Consequently,
    though both paradigms have their challenges, based on my own comparison of their
    histories, I’d much rather prefer the former over the latter.

    Though I can admit that my perspective as an end user of
    Cydia services may be considered somewhat myopic, I must admit that the thought
    of the fate of the jailbreak community resting in the hands of one individual’s
    capacity to manage their stress levels is somewhat disturbing. Ultimately, while
    such a suggestion as a rationale for taking such action does elicit some
    empathy and insight, it also causes me to conclude that competition (though
    stressful at times) is best equipped to serve as a contingency plan in the
    event that such a tragedy were to occur.

  • Papa Surf

    The hackers being hacked. Oh my!

  • 12345678

    Are the tweaks pirated versions or legit?

    • Wolfer

      Apparently they are the same, no change, only that they are for free. Being for free does not mean they are pirated. Apparently he is using a server as a link to the real BigBoss, but using a code to eliminate the payment check, so they can be for free. The problem is that this way there is no check by the server to see if the tweak works for your idevice. So you are risking damage to your idevice if the tweak is not compatible. The IP address is not just one, so the hackers who are hacking the BigBoss repo do not want to be known. Now I see that really this is all about Cydia, about the developers that sell tweaks and software in Cydia, when they know that jailbreaking is not fully accepted on Apple's side. So if you lose your jailbreak, you wasted your money. Everything in Cydia needs to be for free, and the owners of the repos need to do something about how to check the compatibility thing, so people don't install something that can damage their idevice. Like this ripbigboss that does not check the compatibility. So if you are stupid enough to install something without knowing if it is compatible, you are risking damage to your idevice. Insanelyi is another repo that does not check for compatibility, so you are risking a lot. And sometimes in this type of repo there are developers that do not pirate, and use the repos to distribute their software. So not all is pirated. Some developers never update their software, and it does not work anymore; and still they want you to buy it. That is not fair. This happens because there is no one to stop these things, and this is something that Saurik can do by implementing a code to hide old software or software not compatible with your idevice. Cydia knows your idevice and iOS version. So by using a code Cydia can hide the things that do not work inside the repos. And Saurik can create a rule for the repo owners to require that developers do not charge for updates of their software if you bought the original one. Apple never charges you to update your idevice, nor Google, nor Microsoft, if you update by buying some licenses over the internet. I hate developers selling their software inside Cydia, knowing that sometimes people lose their jailbreak, so they lose their money. That is never fair. God bless to all.


  • jocastro

    figured it was going to happen eventually

  • Abdullah Safdar

    Is it safe to install tweaks from this repo?