Bugtraq mailing list archives

RealPlayer and Comet Cursor

From: keela () REAL COM (Keela Robison)
Date: Thu, 9 Mar 2000 19:10:04 -0800


Mr. Harrington,

I wanted to respond directly to your concerns regarding RealPlayer and
privacy.  First to set the record straight, the version of Comet Cursor
distributed with RealPlayer does NOT transmit GUIDs.  RealNetworks is
committed to protecting privacy, and we specifically worked with Comet
Systems to ensure that their software met our standards for informed
consent.  We decided along with Comet Systems to remove any GUID from the
version distributed by RealNetworks.  As a result, the Cursor software
distributed with RealPlayer 7 could not be used in any way to track any
individuals' behavior.  In addition, it is very important to understand
that selecting the RealPlayer version with Comet Cursor is entirely
optional during the download process and that Comet Cursor's existence as
part of some RealPlayer bundles is clearly disclosed when you download,
along with links to Comet's privacy statement.

The privacy policy that you quote in your post is not accurate for the
RealPlayer version; please refer to the privacy policy that Comet Cursor
has posted relating to the version bundled with RealPlayer, and to which we
link from our Web site: http://www.cometsystems.com/help/real_privacy.shtml.

I hope that this addresses your questions.  RealNetworks is very concerned
that our privacy practices are accurately described; if you have any
further questions about our privacy policies or practices, please email us
at privacy () real com.

Regards,
Keela Robison
Product Manager, RealNetworks Consumer Products

---------- Forwarded message ----------
Date: Wed, 8 Mar 2000 14:36:25 -0800
From: pedward () WEBCOM COM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Realnetworks is trojaning people...again!!!

Okay, I had a nice long message I wrote, but accidentally canned it in ELM
(arggh!)

So, I admit to using windows for 2 reasons:  playing games and viewing
content that
can't be viewed on my Unix box.

That brings me to this subject.  I wanted to watch some classic Southpark and
Windows media player wouldn't play it (virgin '98 install), so I got RP 7.0
from
RealNetworks.

I installed it and so on and soforth.  I noticed tonight (3 days later) a
program
called "Comet Cursor" installed on my machine.  I recalled a privacy issue
with
this and investigated further.  Here's the lowdown from their website for
those
who don't remember:

http://www.cometsystems.com/help/privacy.shtml

What anonymous information is collected about users of the Comet Cursor?
 Our software contacts our servers to record logs of cursor impressions
using a GUID (Globally Unique
 IDentifier). When you download the Comet Cursor software, it is issued a
GUID from our servers. Using
 this GUID, we can keep track of how many people are using our software.
The GUID is also used every
 time the software contacts our servers when we log cursors changing (for
example, our software could
 inform our servers that at 12:31pm on November 16, 1999, 143 different
people saw their arrow cursor
 change into a baseball bat cursor on a baseball team's Website).
Collecting such statistics is an audit
 mechanism we use to bill our clients, since some of them pay us on a
"per-cursor-impression" basis.

 Second, our software checks in to see if a new version of the Comet
Cursor software is available. If
 there is a bug fix or version upgrade available for the Comet Cursor, the
software will retrieve the new
 code and replace the outdated code.

So, the Comet Cursor is really a backdoor to log your viewing habits, etc.

I was fairly confident that I didn't get this 'infection' via unprotected,
ahem, viewing
of websites.

I searched the registry and found the Comet Cursor to be a child of the
"RealNetworks" root.

I then uninstalled the realnetworks package and comet cursor.  I checked
back, the only items
remaining were:

- c:\windows\system\comet.dll -- I deleted this by hand
- A registry entry at HKEY_LOCAL_MACHINE\Software\Clients\Comet -- The
notable thing about this
      entry was the following key->value pair:

              OriginatorId    "Real_Dec99"

So, I uninstalled, reinstalled, uninstalled, and reinstalled to confirm
this hypothesis; RealNetworks
is installing a privacy trojan into your system without your permission or
documentation.

They have been caught once before doing this.

FYI, the press release is here:

      http://www.cometsystems.com/press/pressrels/102099.shtml

Grr, I am plenty pissed (not in the UK sense of the word, unfortunately)
right now...

--Perry

--
Perry Harrington                 Director of                   zelur xuniL

()

perry () webcom com             System Architecture               Think Blue.

/\

Current thread:

PGP Signatures security BUG! Povl H. Pedersen (Mar 07)
- Re: PGP Signatures security BUG! Tobias Haustein (Mar 08)
- Re: PGP Signatures security BUG! Werner Koch (Mar 08)
- RealServer exposes internal IP addresses tschweikle () FIDUCIA DE (Mar 08)
- Re: PGP Signatures security BUG! Eric Murray (Mar 08)
- [ Hackerslab bug_paper ] Linux printtool get printer password Sheshep ankh Dubhe (Mar 08)
  - Re: [ Hackerslab bug_paper ] Linux printtool get printer password Tuomas Jormola (Mar 09)
  - RealPlayer and Comet Cursor Keela Robison (Mar 09)
    - Fwd: ircii-4.4 buffer overflow bladi (Feb 07)
    - Re: Fwd: ircii-4.4 buffer overflow Derek Callaway (Mar 11)
    - Re: RealPlayer and Comet Cursor pedward () WEBCOM COM (Mar 09)
    - The Comet Cursor Sarah MacArthur (Mar 09)
    - Network File Resource Vulnerability Eric Hacker (Mar 09)
    - Re: Network File Resource Vulnerability David LeBlanc (Mar 11)
    - misc. cross site scripting issues Marc Slemko (Mar 12)
    - a few bugs ... Maurycy Prodeus (Mar 13)
    - Re: a few bugs ... Thomas Roessler (Mar 15)
    - Re: a few bugs ... Michal Zalewski (Mar 17)

(Thread continues...)