Bugtraq mailing list archives
Re: Other file formats that can "phone" home
From: "Richard M. Smith" <rms () PRIVACYFOUNDATION ORG>
Date: Mon, 4 Sep 2000 12:31:34 -0400
Hi,
There is really no distinction between web-enabled file formats and web-enabled apps.
Actually there is a very important difference. A "phone home" application in general only communicates with the vendor that produced the application. However, a "buggable" file format allows a document to talk to anyone's servers. In addition, document files are more mobile than executable files and hence companies are more interested in doing tracking.
The ID3v2 tag format allows for embedded URLs for things like additional artists' information, album graphics, etc. Clearly the ID3v2 tags are web-enabled, and any web-enabled MP3 player can be subverted to notify somebody.
Yep, for a "buggable" file format to actually work requires an application to be Web-enabled. Applications do not necessarily handle the same file format in the same way. For example, not all applications which can read Word .DOC files support the image linking feature. Wordpad from Windows 98 is an example of a program that apparently does not.
Now imagine a "smart" MP3 player that can reference an Internet DB for album pictures by using the title in the MP3 tag to perform a query. There need not be any URLs in that MP3 file... put the appropriate keywords in the title and the "smart" MP3 player can potentially be tricked into notifying somebody without the user's knowledge.
Are you aware of any of the popular MP3 players that support the ID3v2 tags in MP3 files? If so, do these players automatically render HTML content or fetch Web images when a song is played? If an MP3 player only provides clickable links to external content, then it seems to me that the privacy problems are less of an issue. In this case, a user has to take an action to be tracked.
Strictly speaking that is true; you can't "bug" a FILE that doesn't support web links. But if the goal is to identify potential privacy problems, then we must also include any web-enabled application that can automatically "reach out" without the user's knowledge.
The Privacy Center is actually in the process of wrapping up a study of 15 browser addons that "phone home". In addition, my personal Web site has write-ups about other applications that "phone home": http://www.tiac.net/users/smiths/privacy/index.htm
Does anyone know if current web-enabled apps use unique User-Agent strings? For example, I would prefer that MS Word identify itself in the User-Agent string when it retrieves a link over the Web (even if it uses IE's libraries to do so)
I've seen some browser addons sending out unique user agent strings. In general, this sounds like a pretty good idea for the reasons that you have pointed out. However, vendors need to be careful about making applications too talkative. For example, sending out a product serial number as an HTTP header is a really bad idea.
See ya,
Richard
================================================
Richard M. Smith
Chief Technology Officer
Privacy Foundation
Email: rms () privacyfoundation org
http://www.privacyfoundation.org
================================================
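Added example, not part of the original message: one way to audit an MP3 for the embedded ID3v2 URLs discussed above is to list every frame in an ID3v2.3/2.4 tag that carries a link (the `W***` link frames, and `APIC` pictures whose MIME type is `-->`). The helper names, sample tag and host names are constructed for illustration; tags using unsynchronisation or an extended header are rejected rather than parsed.

```python
def synchsafe(b):                      # 4 bytes, 7 useful bits each
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def skip_text(body, start, enc):       # offset just past a terminated string
    if enc in (1, 2):                  # UTF-16: aligned two-byte terminator
        i = start
        while i + 1 < len(body) and body[i:i + 2] != b"\x00\x00":
            i += 2
        return i + 2
    i = body.find(b"\x00", start)
    return len(body) if i < 0 else i + 1

def id3v2_urls(data):
    """Return (frame_id, url) for each URL in an ID3v2.3/2.4 tag at offset 0."""
    if len(data) < 10 or data[:3] != b"ID3":
        return []
    major, flags = data[3], data[5]
    if major not in (3, 4) or flags & 0xC0:
        raise ValueError("unsupported version, unsynchronisation or extended header")
    end = min(10 + synchsafe(data[6:10]), len(data))
    pos, found = 10, []
    while pos + 10 <= end and data[pos] != 0:   # a zero byte starts the padding
        fid = data[pos:pos + 4].decode("latin-1")
        raw = data[pos + 4:pos + 8]
        size = synchsafe(raw) if major == 4 else int.from_bytes(raw, "big")
        body = data[pos + 10:pos + 10 + size]
        pos += 10 + size
        url = None
        if fid == "WXXX" and body:              # encoding, description, URL
            url = body[skip_text(body, 1, body[0]):]
        elif fid.startswith("W"):               # plain URL link frame
            url = body
        elif fid == "APIC" and body:            # picture; MIME "-->" means a link
            mime_end = skip_text(body, 1, 0)
            if body[1:mime_end - 1] == b"-->":
                url = body[skip_text(body, mime_end + 1, body[0]):]
        if url:
            found.append((fid, url.split(b"\x00")[0].decode("latin-1")))
    return found

def frame(fid, body):                  # constructed sample data: one v2.3 frame
    return fid.encode() + len(body).to_bytes(4, "big") + b"\x00\x00" + body

def sample_tag():                      # constructed tag; hosts are placeholders
    f = (frame("TIT2", b"\x00Some Song") + frame("WOAR", b"http://artist.example/home")
         + frame("WXXX", b"\x00more info\x00http://tracker.example/t?id=1")
         + frame("APIC", b"\x00-->\x00\x03cover\x00http://img.example/c.gif"))
    size = bytes((len(f) >> s) & 0x7F for s in (21, 14, 7, 0))
    return b"ID3\x03\x00\x00" + size + f + b"\xff\xfb"
```

Calling `id3v2_urls(sample_tag())` lists the three link-bearing frames and skips the plain title frame; whether a given player fetches any of them automatically still has to be checked against that player.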