"VirusTotal Windows Uploader" poor design of privacy

[Eitan Caspi via Fulldisclosure <fulldisclosure () seclists org>]

Somethingto share with you, which I am not sure is known enough:

 

Recently,while I was tweaking a network monitoring systems, I noticed an upload of afile that its name included a full 
local Windows file path, ending with a nameof a file I uploaded to VirusTotal, using their Windows application 
–"VirusTotal Windows Uploader", version 2.2, which is the most recentversion

 

https://www.virustotal.com/en/documentation/desktop-applications/

 

Lookingdeeper into this I found that uploading a file using this app is performed in away that:

 

1.      The upload is performed via HTTP. NoSSL/TLS based HTTPS is used. Just for comparison - the web site of VT, and 
itsAPI, forces the use of HTTPS to upload files

2.      The uploaded file name is not merely thefile's name and extension – but rather the full path of the file, from 
thedrive letter up to the extension, like"c:\users\dan\Downloads\file-name.exe"

 

Neitherof these issue can be changed by the user of the app. The app's interfacedoesn't have any options to change 
these issues.

 

Irealize this app is rather old, possibly from 2013 by its file attribute, but Iwas not expecting that either 
VirusTotal or its parent company, Google, whoboth care about information security – to have such a weak privacy 
design,running around for so many year, without even informing the users of this appabout this way of work, in the 
app's page (in the link from above).

 

Iapproached VT about these issues, by email, and I got this response:

 

"

Wehaven't updated the uploader in some time, so there are certain issues likethat, and we can take them into account. 
In the meantime, you are welcome touse the Public API to build an uploader setup that you are more comfortablewith.

"

 

Ihope that VT will, ASAP:

 

1.      Use the app's page on their site toinform users about these issues

2.      Create a new version of this app - onethat use HTTPS, possibly using their own API, and of course – upload only 
thecore name of the file, not including its full path as part of the file's name

 

FYI.

 

EitanCaspi

https://www.linkedin.com/in/eitancaspi/

 

InformationSecurity blogs:

FUDfor thought (English) - http://fudie.net 

NotSafe/Sure (Hebrew) - http://security.caspi.org.il

 

Articles:You can find several IT, business and security articles I wrote some time agoat 

http://www.themarker.com/misc/search-results?searchType=textSearch&text=eitan+caspi&simpleSearch=simpleSearch

 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/