lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 3 Sep 2017 20:36:56 +0000 (UTC)
From: Eitan Caspi via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] "VirusTotal Windows Uploader" poor design of privacy


Somethingto share with you, which I am not sure is known enough:

 

Recently,while I was tweaking a network monitoring systems, I noticed an upload of afile that its name included a full local Windows file path, ending with a nameof a file I uploaded to VirusTotal, using their Windows application –"VirusTotal Windows Uploader", version 2.2, which is the most recentversion

 

https://www.virustotal.com/en/documentation/desktop-applications/

 

Lookingdeeper into this I found that uploading a file using this app is performed in away that:

 

1.      The upload is performed via HTTP. NoSSL/TLS based HTTPS is used. Just for comparison - the web site of VT, and itsAPI, forces the use of HTTPS to upload files

2.      The uploaded file name is not merely thefile's name and extension – but rather the full path of the file, from thedrive letter up to the extension, like"c:\users\dan\Downloads\file-name.exe"

 

Neitherof these issue can be changed by the user of the app. The app's interfacedoesn't have any options to change these issues.

 

Irealize this app is rather old, possibly from 2013 by its file attribute, but Iwas not expecting that either VirusTotal or its parent company, Google, whoboth care about information security – to have such a weak privacy design,running around for so many year, without even informing the users of this appabout this way of work, in the app's page (in the link from above).

 

Iapproached VT about these issues, by email, and I got this response:

 

"

Wehaven't updated the uploader in some time, so there are certain issues likethat, and we can take them into account. In the meantime, you are welcome touse the Public API to build an uploader setup that you are more comfortablewith.

"

 

Ihope that VT will, ASAP:

 

1.      Use the app's page on their site toinform users about these issues

2.      Create a new version of this app - onethat use HTTPS, possibly using their own API, and of course – upload only thecore name of the file, not including its full path as part of the file's name

 

FYI.

 

EitanCaspi

https://www.linkedin.com/in/eitancaspi/

 

InformationSecurity blogs:

FUDfor thought (English) - http://fudie.net 

NotSafe/Sure (Hebrew) - http://security.caspi.org.il

 

Articles:You can find several IT, business and security articles I wrote some time agoat 

http://www.themarker.com/misc/search-results?searchType=textSearch&text=eitan+caspi&simpleSearch=simpleSearch

 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists