They also weren’t doing any kind of SSL verification for the download request, nor were they doing any kind of hash verification or signing. The former would have prevented a redirect attack in the first place, and the latter would have prevented downloaded files from being modified or swapped out.
They also weren’t doing any kind of SSL verification for the download request, nor were they doing any kind of hash verification or signing. The former would have prevented a redirect attack in the first place, and the latter would have prevented downloaded files from being modified or swapped out.