[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] "VirusTotal Windows Uploader" poor design of privacy

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] "VirusTotal Windows Uploader" poor design of privacy
From: Eitan Caspi via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Sun, 3 Sep 2017 20:36:56 +0000 (UTC)

Somethingto share with you, which I am not sure is known enough:

 

Recently,while I was tweaking a network monitoring systems, I noticed an upload 
of afile that its name included a full local Windows file path, ending with a 
nameof a file I uploaded to VirusTotal, using their Windows application 
–"VirusTotal Windows Uploader", version 2.2, which is the most recentversion

 

https://www.virustotal.com/en/documentation/desktop-applications/

 

Lookingdeeper into this I found that uploading a file using this app is 
performed in away that:

 

1.      The upload is performed via HTTP. NoSSL/TLS based HTTPS is used. Just 
for comparison - the web site of VT, and itsAPI, forces the use of HTTPS to 
upload files

2.      The uploaded file name is not merely thefile's name and extension – but 
rather the full path of the file, from thedrive letter up to the extension, 
like"c:\users\dan\Downloads\file-name.exe"

 

Neitherof these issue can be changed by the user of the app. The app's 
interfacedoesn't have any options to change these issues.

 

Irealize this app is rather old, possibly from 2013 by its file attribute, but 
Iwas not expecting that either VirusTotal or its parent company, Google, 
whoboth care about information security – to have such a weak privacy 
design,running around for so many year, without even informing the users of 
this appabout this way of work, in the app's page (in the link from above).

 

Iapproached VT about these issues, by email, and I got this response:

 

"

Wehaven't updated the uploader in some time, so there are certain issues 
likethat, and we can take them into account. In the meantime, you are welcome 
touse the Public API to build an uploader setup that you are more 
comfortablewith.

"

 

Ihope that VT will, ASAP:

 

1.      Use the app's page on their site toinform users about these issues

2.      Create a new version of this app - onethat use HTTPS, possibly using 
their own API, and of course – upload only thecore name of the file, not 
including its full path as part of the file's name

 

FYI.

 

EitanCaspi

https://www.linkedin.com/in/eitancaspi/

 

InformationSecurity blogs:

FUDfor thought (English) - http://fudie.net 

NotSafe/Sure (Hebrew) - http://security.caspi.org.il

 

Articles:You can find several IT, business and security articles I wrote some 
time agoat 

http://www.themarker.com/misc/search-results?searchType=textSearch&text=eitan+caspi&simpleSearch=simpleSearch

 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] DNSMap.sh - 0.1 - enumerate DNS hostnames faster | release announcement.
Next by Date: [FD] Hijacking .uk domains with eNom
Previous by thread: [FD] DNSMap.sh - 0.1 - enumerate DNS hostnames faster | release announcement.
Next by thread: [FD] Hijacking .uk domains with eNom
Index(es):
- Date
- Thread