Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Other file formats that can "phone" home
From: jsl2 () JEDITECH COM
Date: Sun, 3 Sep 2000 21:50:36 -0700

On Sat, 2 Sep 2000, Richard M. Smith wrote:

However, clearly not every web-enabled application has this problem.
The key issue is not if the application is web-enabled but
if a *file format* supported by an application is web-enabled.

        There is really no distinction between web-enabled file formats and
web-enabled apps. Privacy Foundation's advisory mentions MP3, so I will use
that to illustrate a point:

The ID3v2 tag format allows for embedded URLs for things like additional
artists' informations, album graphics, etc. Clearly the ID3v2 tags are
web-enabled, and any web-enabled MP3 player can be subverted to notify

Now imagine a "smart" MP3 player that can reference an Internet DB for
album pictures by using the title in the MP3 tag to perform a query. There
need not be any URLs in that MP3 file... put the appropriate keywords in the
title and the "smart" MP3 player can potentially be tricked to notifying
somebody without the user's knowledge.

For a file format to be "buggable" it needs to support
embedded HTML content or links to Web images that
are automatically activated when a file is opened.

        Strictly speaking that is true; you can't "bug" a FILE that doesn't
support web links. But if the goal is to identify potential privacy problems,
then we must also include any web-enabled application that can automatically
"reach out" without the user's knowledge.

Does anyone have know if current web-enabled apps use unique User-Agent
strings? For example, I would prefer that MS Word identify itself in the
User-Agent string when it retrieves a link over the Web (even if it uses IE's
libraries to do so) The point is:

- people can block specific applications from the 'Net by a proxy or
- people who do not want Word to identify itself via User-Agent can use a
proxy like JunkBusters (or hex-edit the executable!)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]