Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

RE: browsers and trojan-like behaviour
From: "Tim Heagarty" <tim () heagarty com>
Date: Sun, 6 Apr 2003 10:35:38 -0700
This appears to be the known behavior of the free version of Opera as
stated at http://www.opera.com/docs/ads/. And
http://www.opera.com/support/tutorials/security/prefs/ads/index.dml and
this topic is the second paragraph of the Opera  privacy policy at
http://www.opera.com/privacy/.

I don't see where they confirm that the user accepts this privacy policy
or acknowledges that the user knows of the Ad window and how it works.
The acknowldegement could come during the installation of course, but
who reads those silly licenses anyway? 

The number of popups and junk that appear on the SimTel download page
should probably lead one to believe that there is Spyware close at hand.

As Opera.com states it is easy to eliminate this behavior, for only
$39.00, but does that eliminate the communication or just reduce it?

Tim Heagarty CISSP, MCSE
http://www.TheaSecure.com/
"There are only 10 kinds of people in the world, those that understand
binary, and those that don't."
Work: (928) 636-0489
Cell: (928) 533-9690


-----Original Message-----
From: Bogdan Hamciuc [mailto:hb () p16 pub ro] 
Sent: Sunday, April 06, 2003 6:48 AM
To: webappsec () securityfocus com
Subject: browsers and trojan-like behaviour


   Hi,

   I have always been aware that certain applications might 
develop 'initiatives' such as sending information about the 
host machine/system to their home sites. Until now, I thought 
of that as of an abstract thing, but today I accidentally 
dumped such a 'conversation', started by my 'Opera' browser. 
Here's an excerpt of what it sent:


------------

POST http://rps2.opera.com/scripts/cms/xrps.asp HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Linux 2.4.19 
i686) Opera 6.02  [en]
Host: rps2.opera.com

[...]

<?xml version="1.0" encoding='ISO-8859-1'?>
<xacp version="1.0.0">
   <activity_report vendor="Opera" product="Opera_Linux" 
product_version="600" distribution="Lin_602"
user_code="a8c01805104863399445821" tag="0000000   en0731">
<client_connection last="2003-03-25" units="days" 
count="1"/><acpo code="3"> <exposure location="top" 
date="2003-03-25" count="3"/> </acpo> <profile> <property 
name="Language" val="en"/> </profile> </activity_report></xacp>

--------------


   I honestly consider this a trojan-like behaviour, since I 
have not been asked about it, and I do not expect a web 
browser to initiate TCP connections on its own.

   The fact that, as stated in their EULA, 'IN NO EVENT SHALL 
OPERA SOFTWARE [...] BE LIABLE FOR ANY [...] LOSS OF BUSINESS 
INFORMATION, PERSONAL INJURY, LOSS OF PRIVACY OR OTHER 
PECUNIARY OR OTHER LOSS
WHATSOEVER) ARISING OUT OF USE OR INABILITY TO USE THE 
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES' 
does not entitle them to disclose information about my 
operating system, kernel version or anything else about my 
machine or myself, as this was the case. The very thought 
that it could have uploaded any file that I could access concerns me.

   If you don't mind, I would like to read a few other 
opinions on this issue.



   Sincerely,
   Bogdan Hamciuc

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]