| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 3 Sep 2017 20:36:56 +0000 (UTC) From: Eitan Caspi via Fulldisclosure <fulldisclosure@...lists.org> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] "VirusTotal Windows Uploader" poor design of privacy Somethingto share with you, which I am not sure is known enough: Recently,while I was tweaking a network monitoring systems, I noticed an upload of afile that its name included a full local Windows file path, ending with a nameof a file I uploaded to VirusTotal, using their Windows application –"VirusTotal Windows Uploader", version 2.2, which is the most recentversion https://www.virustotal.com/en/documentation/desktop-applications/ Lookingdeeper into this I found that uploading a file using this app is performed in away that: 1. The upload is performed via HTTP. NoSSL/TLS based HTTPS is used. Just for comparison - the web site of VT, and itsAPI, forces the use of HTTPS to upload files 2. The uploaded file name is not merely thefile's name and extension – but rather the full path of the file, from thedrive letter up to the extension, like"c:\users\dan\Downloads\file-name.exe" Neitherof these issue can be changed by the user of the app. The app's interfacedoesn't have any options to change these issues. Irealize this app is rather old, possibly from 2013 by its file attribute, but Iwas not expecting that either VirusTotal or its parent company, Google, whoboth care about information security – to have such a weak privacy design,running around for so many year, without even informing the users of this appabout this way of work, in the app's page (in the link from above). Iapproached VT about these issues, by email, and I got this response: " Wehaven't updated the uploader in some time, so there are certain issues likethat, and we can take them into account. In the meantime, you are welcome touse the Public API to build an uploader setup that you are more comfortablewith. " Ihope that VT will, ASAP: 1. Use the app's page on their site toinform users about these issues 2. Create a new version of this app - onethat use HTTPS, possibly using their own API, and of course – upload only thecore name of the file, not including its full path as part of the file's name FYI. EitanCaspi https://www.linkedin.com/in/eitancaspi/ InformationSecurity blogs: FUDfor thought (English) - http://fudie.net NotSafe/Sure (Hebrew) - http://security.caspi.org.il Articles:You can find several IT, business and security articles I wrote some time agoat http://www.themarker.com/misc/search-results?searchType=textSearch&text=eitan+caspi&simpleSearch=simpleSearch _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists