Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Other file formats that can "phone" home
From: "Richard M. Smith" <rms () PRIVACYFOUNDATION ORG>
Date: Mon, 4 Sep 2000 12:31:34 -0400


      There is really no distinction between web-enabled file formats and
web-enabled apps.

Actually there is a very important difference.  A "phone home"
application in general only communicates with the vendor that produced
the applicatoon.  However, a "buggable" file format allows a
document to talk to anyone's servers.  In addtion, document files
are more mobile than executable files and hence companies
are more interested in doing tracking.

The ID3v2 tag format allows for embedded URLs for things like additional
artists' informations, album graphics, etc. Clearly the ID3v2 tags are
web-enabled, and any web-enabled MP3 player can be subverted to notify

Yep, for a "buggable" file format to actually work
requires an application to be Web-enabled.  Applications do
not necessary handle the same file format in the same way.  For example,
not all applications which can  read Word .DOC files support the image
linking feature.  Wordpad from Windows 98 is an example of program
that apparently does not.

Now imagine a "smart" MP3 player that can reference an Internet DB for
album pictures by using the title in the MP3 tag to perform a query. There
need not be any URLs in that MP3 file... put the appropriate
keywords in the
title and the "smart" MP3 player can potentially be tricked to notifying
somebody without the user's knowledge.

Are you aware of any of the popular MP3 players that support
the ID3v2 tags in MP3 files?  If so, do these players automatically
render HTML content or fetch Web iamges when a song is played?
If an MP3 player only provides clickable links to external content,
then it seems to me that the privacy problems are less of an issue.
In this case, a user has to take an action to be tracked.

      Strictly speaking that is true; you can't "bug" a FILE that doesn't
support web links. But if the goal is to identify potential
privacy problems,
then we must also include any web-enabled application that can
"reach out" without the user's knowledge.

The Privacy Center is actually in the process of wrapping up a
study of 15 browser addons that "phone home".

In addtion, my personal Web site has write-ups about other
applications that "phone home":


Does anyone have know if current web-enabled apps use unique User-Agent
strings? For example, I would prefer that MS Word identify itself in the
User-Agent string when it retrieves a link over the Web (even if
it uses IE's
libraries to do so)

I've seen some browser addons sending out unique
user agent strings.  In general, this sounds like a pretty
good idea for the reasons that you have pointed out.  However,
vendors need to be careful about making applications too
talkative.  For example, sending out a product serial number
as an HTTP header is a really bad idea.

See ya,

Richard M. Smith
Chief Technology Officer
Privacy Foundation

Email: rms () privacyfoundation org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]