Comment by nyanpasu64

It doesn't smell like a state actor to me, just gross negligence. Brushing up on the Reddit comment we wrote, the MITM isn't exploitable by default, since the client will error out at the 301 redirect and leave an obvious black window on the user's desktop. Exploiting a user would require replacing the 301 redirect with a direct download, which requires the same amount of effort whether the default disclosure was broken or not.

Now if they could've started shipping a modified AMD auto update that followed redirects, that would allow them to pwn users of the updated program. But it would do nothing to people who had installed older versions, up to the version the author installed (which left a black window open indicating the downloads never completed)...