[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1389788789.2215225.1504471016530@mail.yahoo.com>
Date: Sun, 3 Sep 2017 20:36:56 +0000 (UTC)
From: Eitan Caspi via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] "VirusTotal Windows Uploader" poor design of privacy
Somethingto share with you, which I am not sure is known enough:
Recently,while I was tweaking a network monitoring systems, I noticed an upload of afile that its name included a full local Windows file path, ending with a nameof a file I uploaded to VirusTotal, using their Windows application –"VirusTotal Windows Uploader", version 2.2, which is the most recentversion
https://www.virustotal.com/en/documentation/desktop-applications/
Lookingdeeper into this I found that uploading a file using this app is performed in away that:
1. The upload is performed via HTTP. NoSSL/TLS based HTTPS is used. Just for comparison - the web site of VT, and itsAPI, forces the use of HTTPS to upload files
2. The uploaded file name is not merely thefile's name and extension – but rather the full path of the file, from thedrive letter up to the extension, like"c:\users\dan\Downloads\file-name.exe"
Neitherof these issue can be changed by the user of the app. The app's interfacedoesn't have any options to change these issues.
Irealize this app is rather old, possibly from 2013 by its file attribute, but Iwas not expecting that either VirusTotal or its parent company, Google, whoboth care about information security – to have such a weak privacy design,running around for so many year, without even informing the users of this appabout this way of work, in the app's page (in the link from above).
Iapproached VT about these issues, by email, and I got this response:
"
Wehaven't updated the uploader in some time, so there are certain issues likethat, and we can take them into account. In the meantime, you are welcome touse the Public API to build an uploader setup that you are more comfortablewith.
"
Ihope that VT will, ASAP:
1. Use the app's page on their site toinform users about these issues
2. Create a new version of this app - onethat use HTTPS, possibly using their own API, and of course – upload only thecore name of the file, not including its full path as part of the file's name
FYI.
EitanCaspi
https://www.linkedin.com/in/eitancaspi/
InformationSecurity blogs:
FUDfor thought (English) - http://fudie.net
NotSafe/Sure (Hebrew) - http://security.caspi.org.il
Articles:You can find several IT, business and security articles I wrote some time agoat
http://www.themarker.com/misc/search-results?searchType=textSearch&text=eitan+caspi&simpleSearch=simpleSearch
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists