[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031203161053.GA20716@lustosa.net>
Date: Wed, 3 Dec 2003 14:10:53 -0200
From: Bruno Lustosa <bruno@...tosa.net>
To: bugtraq@...urityfocus.com
Subject: Altova XMLSpy "phones home" user data
I don't know if this is already well known, but it has come to my
attention that whenever someone will launch XMLSpy, the program will try
to connect to Altova's servers, send some user info through a POST to a
web server, and wait for a response.
It will then answer whether the copy is authentic or not, and probably
stop the program should it be a pirated copy.
It also seems to be some kind of Live Update, judging from the script
name it's calling.
What bothers me is that it's sending user information that was _not_
entered into the program. It sends user name used to register the
program, and it also sends an email address that I'm almost sure was not
entered into the program.
If the machine is not connected to the internet, or its path to altova
is firewalled, the program will run with no problems.
Of course, being a security professional, I don't like programs opening
hidden connections to the outside and sending personal data from users
without my (and their) knowledge, so I thought that others here would
like to know that.
This is a sample of the data sent out that I captured with tcpdump. It
is being sent to 207.244.119.109. Already firewalled here.
POST /liveupdate.asp HTTP/1.1
Referer: LicMan
Content-Type: application/x-www-form-urlencoded
User-Agent: AltovaLiveUpdate
Host: link.altova.com
Content-Length: 117
Cache-Control: no-cache
u=User%20Name&c=Company&e=email%40address.com&v=XMLSpy%205%20rel.%202&k=28GkAD-Ee281s-qCAt2s-4Fss37-8P7M2C-AP3EH3&f=l
--
Bruno Lustosa, aka Lofofora | Email: bruno@...tosa.net
Network Administrator/Web Programmer | ICQ UIN: 1406477
Rio de Janeiro - Brazil |
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists