Monthly Archives: August 2017

“VirusTotal Windows Uploader”: poor privacy design

Something to share with you, which I am not sure is known enough:

Recently, while I was tweaking a network monitoring system, I noticed an upload of a file whose name included a full local Windows file path, ending with the name of a file I had uploaded to VirusTotal using their Windows application – “VirusTotal Windows Uploader”, version 2.2, which is the most recent version.

Looking deeper into this, I found that uploading a file with this app works as follows:
1. The upload is performed over plain-text HTTP. No SSL/TLS-based HTTPS is used. For comparison – the VT web site, and its API, force the use of HTTPS to upload files
2. The uploaded file name is not merely the file’s name and extension – but rather the full path of the file, from the drive letter up to the extension, like “c:\users\dan\Downloads\file-name.exe”

Neither of these issues can be changed by the user of the app. The app’s interface doesn’t have any option to control them.

Attached at the bottom of this post is a screenshot of a network packet capture I made, demonstrating these issues.

I realize this app is rather old, possibly from 2013 judging by its file attributes, but I was not expecting either VirusTotal or its parent company, Google, both of which care about information security, to have such a weak privacy design running around for so many years without even informing the users of this app about this behaviour on the app’s page (linked above).

I approached VT about these issues, by email, and I got this response:

We haven’t updated the uploader in some time, so there are certain issues like that, and we can take them into account. In the meantime, you are welcome to use the Public API to build an uploader setup that you are more comfortable with.

I hope that VT will, ASAP:
1. Use the app’s page on their site to inform users about these issues
2. Create a new version of this app – one that uses HTTPS, possibly via their own API, and of course – uploads only the file’s own name, not its full path as part of the file name
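As an added example (not the post’s own code and not VirusTotal’s), here is how both points above can be checked and fixed in Python: an audit over a constructed plain-text multipart upload, like the one seen in the packet capture, flags a filename field that carries a full local path, and a small helper shows the hardened behaviour – refuse any non-HTTPS endpoint and send only the final path component. The request text, host name and endpoint URLs are constructed placeholders, not values from the real uploader.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Constructed sample: a plain-text HTTP multipart upload whose "filename"
# field carries a full local Windows path. Host, boundary and body are made up.
SAMPLE_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: uploader.example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----Boundary123\r\n"
    "\r\n"
    "------Boundary123\r\n"
    'Content-Disposition: form-data; name="file"; '
    'filename="c:\\users\\dan\\Downloads\\file-name.exe"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "MZ...\r\n"
    "------Boundary123--\r\n"
)

# filename="..." inside a Content-Disposition header of a multipart part.
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.IGNORECASE)
# A Windows drive-letter prefix ("c:\" or "c:/") or a UNC prefix ("\\server").
WINDOWS_PATH_RE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\)")


def leaked_filenames(request_text: str) -> list:
    """Return every multipart filename field that exposes local path information.

    A filename that begins with a drive letter, starts with a UNC prefix, or
    contains any path separator at all tells the server (and anyone on the
    wire) where the file lived on the sender's disk.
    """
    return [
        name
        for name in FILENAME_RE.findall(request_text)
        if WINDOWS_PATH_RE.match(name) or "\\" in name or "/" in name
    ]


def audit_capture(request_text: str, over_tls: bool) -> list:
    """Summarise the two privacy problems described in the post for one capture.

    `over_tls` is supplied by the caller because the request text alone cannot
    show whether it travelled inside TLS; a monitoring system knows that from
    the connection, not from the payload.
    """
    findings = []
    if not over_tls:
        findings.append("upload sent over plain-text HTTP")
    for name in leaked_filenames(request_text):
        findings.append(f"filename field leaks local path: {name}")
    return findings


def prepare_upload(local_path: str, endpoint: str) -> dict:
    """Metadata a privacy-preserving uploader would send (hypothetical helper).

    Refuses anything but HTTPS and reduces the local path to its final
    component. PureWindowsPath understands both "\\" and "/" separators, so the
    same code behaves correctly for Windows-style and POSIX-style paths on any
    host.
    """
    if urlsplit(endpoint).scheme != "https":
        raise ValueError(f"refusing to upload over a non-HTTPS endpoint: {endpoint}")
    return {"endpoint": endpoint, "filename": PureWindowsPath(local_path).name}


if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_REQUEST, over_tls=False):
        print("finding:", finding)
    print(prepare_upload(r"c:\users\dan\Downloads\file-name.exe",
                         "https://upload.example.invalid/scan"))
```

Run as a script, the audit reports both problems for the constructed capture, and `prepare_upload` yields only `file-name.exe` as the name to send. The HTTPS check is deliberately placed before any file is read, so a misconfigured endpoint fails closed instead of leaking the file and its path first.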

FYI.

Eitan Caspi