Message-ID: <20031203161053.GA20716@lustosa.net>
Date: Wed, 3 Dec 2003 14:10:53 -0200
From: Bruno Lustosa <bruno@...tosa.net>
To: bugtraq@...urityfocus.com
Subject: Altova XMLSpy "phones home" user data

I don't know if this is already well known, but it has come to my
attention that whenever someone launches XMLSpy, the program will try
to connect to Altova's servers, send some user info through a POST to a
web server, and wait for a response.
It will then answer whether the copy is authentic or not, and probably
stop the program should it be a pirated copy.
It also seems to be some kind of Live Update, judging from the script
name it's calling.
What bothers me is that it's sending user information that was _not_
entered into the program. It sends the user name used to register the
program, and it also sends an email address that I'm almost sure was not
entered into the program.
If the machine is not connected to the internet, or its path to Altova
is firewalled, the program will run with no problems.
Of course, being a security professional, I don't like programs opening
hidden connections to the outside and sending personal data from users
without my (and their) knowledge, so I thought that others here would
like to know that.

This is a sample of the data sent out that I captured with tcpdump. It
is being sent to 207.244.119.109. Already firewalled here.

POST /liveupdate.asp HTTP/1.1
Referer: LicMan 
Content-Type: application/x-www-form-urlencoded
User-Agent: AltovaLiveUpdate
Host: link.altova.com
Content-Length: 117
Cache-Control: no-cache

u=User%20Name&c=Company&e=email%40address.com&v=XMLSpy%205%20rel.%202&k=28GkAD-Ee281s-qCAt2s-4Fss37-8P7M2C-AP3EH3&f=l

-- 
Bruno Lustosa, aka Lofofora          | Email: bruno@...tosa.net
Network Administrator/Web Programmer | ICQ UIN: 1406477
Rio de Janeiro - Brazil              |
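
Added example, not part of the original post: a Python sketch that decodes the captured request above and reports which identifying fields it carries, as a proxy or capture reviewer might. The meanings given to `u`, `c`, `e`, `v` and `k` are inferred from the sample values in the post and are an assumption; `f` is left unlabelled.

```python
from urllib.parse import parse_qsl

# The request as shown in the post (values are the poster's placeholders).
CAPTURED = (
    "POST /liveupdate.asp HTTP/1.1\r\n"
    "Referer: LicMan\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: AltovaLiveUpdate\r\n"
    "Host: link.altova.com\r\n"
    "Content-Length: 117\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "u=User%20Name&c=Company&e=email%40address.com&v=XMLSpy%205%20rel.%202"
    "&k=28GkAD-Ee281s-qCAt2s-4Fss37-8P7M2C-AP3EH3&f=l"
)

# Assumption: field meanings inferred from the sample values, not documented.
FIELD_LABELS = {"u": "user name", "c": "company", "e": "email",
                "v": "product version", "k": "license key"}
IDENTIFYING = {"u", "c", "e", "k"}

def parse_request(raw):
    """Split a raw HTTP request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def audit(raw):
    """Report what a license-check request discloses; None if it is not one."""
    request_line, headers, body = parse_request(raw)
    if headers.get("user-agent") != "AltovaLiveUpdate":
        return None
    fields = dict(parse_qsl(body, keep_blank_values=True))  # percent-decodes
    return {
        "request": request_line,
        "host": headers.get("host"),
        # A mismatch here would suggest a truncated or altered capture.
        "length_ok": headers.get("content-length") == str(len(body.encode())),
        "disclosed": {FIELD_LABELS[k]: v for k, v in fields.items()
                      if k in IDENTIFYING},
        "unlabelled": sorted(k for k in fields if k not in FIELD_LABELS),
    }
```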
