Anti-virus companies spy on your personal web visits and download sensitive information

Monday, April 29, 2013

One year ago we discovered a serious privacy issue with anti-virus software running on your PC: the agent captures the URLs you visit, uploads them to the anti-virus vendor's datacenter in the cloud, and that datacenter then accesses the same URLs itself (see the earlier blog post here).

Belgian journalist Koen Vervloesem did some further investigation of our findings and the results confirm the data breach and privacy issue.

He set up a lab environment with one brand of anti-virus and a web server. He accessed several URLs on his web server from the PC with the anti-virus installed, and he noticed in his web server logs attempts to access the same URLs from other IP addresses.

He published the results in an article for PC-Active called "Your private photo's leaked online?!". PC-Active and Koen gave us permission to blog about the article and the results of Koen's research.

On his test PC, Koen installed Trend Micro where he enabled "Share information about threats with Trend Micro" which enables the Smart Network Protection (SPN) feature.

Trend Micro settings

He created HTML pages with random file names on his web server, so that it was extremely unlikely that anyone could access the web pages with his sensitive information without knowing the URL. On his test PC he used Internet Explorer and Chrome to access the different URLs with the anti-virus active.

A tail of his web server logs showed access from different IP addresses from Japan and the US:

Web server logs
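The check Koen performed by hand, tailing the access log for hits on the secret URLs from any address other than his own PC, can be scripted. The following is an added example and not Koen's or PC-Active's code; the log lines, the test PC address 203.0.113.10 and the two foreign addresses are constructed sample data in Apache combined format. The script also reports how long after the test PC's own visit each foreign fetch arrived, which is the kind of timing that distinguishes an automated replay from an unrelated crawler.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache "combined" log format; they are not Koen's
# real log entries. 203.0.113.10 plays the test PC, the other two addresses
# play the unknown hosts that fetched the same random URLs shortly afterwards.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2013:10:12:01 +0200] "GET /k3j9x2q7/photo.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0"
203.0.113.10 - - [29/Apr/2013:10:12:03 +0200] "GET /a8b1c4d9/photo.html HTTP/1.1" 200 498 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0"
198.51.100.77 - - [29/Apr/2013:10:12:09 +0200] "GET /k3j9x2q7/photo.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible)"
192.0.2.45 - - [29/Apr/2013:10:12:41 +0200] "GET /a8b1c4d9/photo.html HTTP/1.1" 200 498 "-" "Mozilla/4.0 (compatible)"
203.0.113.10 - - [29/Apr/2013:10:13:00 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0"
"""

# One regex for the combined format: client ip, timestamp, request line,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# The random paths Koen's test created; constructed values here.
SECRET_PATHS = {"/k3j9x2q7/photo.html", "/a8b1c4d9/photo.html"}
TEST_PC_IP = "203.0.113.10"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_replays(log_text, secret_paths, own_ip):
    """Report every fetch of a secret path by an address other than own_ip.

    Each report carries the foreign ip, the path, its user agent and the delay
    in seconds after the test PC's own first visit of that path (None if the
    test PC never visited it, i.e. the URL leaked some other way).
    """
    first_own_visit = {}
    replays = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in secret_paths:
            continue
        if rec["ip"] == own_ip:
            first_own_visit.setdefault(rec["path"], rec["ts"])
            continue
        own = first_own_visit.get(rec["path"])
        delay = (rec["ts"] - own).total_seconds() if own is not None else None
        replays.append({"ip": rec["ip"], "path": rec["path"],
                        "ua": rec["ua"], "delay_s": delay})
    return replays


if __name__ == "__main__":
    for r in find_replays(SAMPLE_LOG, SECRET_PATHS, TEST_PC_IP):
        when = f'{r["delay_s"]:.0f}s after the test PC' if r["delay_s"] is not None else "never visited by the test PC"
        print(f'{r["ip"]:>15} fetched {r["path"]} ({when}; UA "{r["ua"]}")')
```

Running it on a real log only needs the secret paths and your own egress address filled in; a hit on a random, never-published path from a foreign address within seconds of your own visit is the signal Koen observed, since no crawler can guess such a path.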

Probably other anti-virus solutions implement the same functionality to detect web pages that are infected with web malware.

Koen also describes a scenario where a husband takes some intimate pictures of his wife and sends her an e-mail with a download link (the same functionality you have with Dropbox and Nomadesk to share information). When this URL is clicked on a PC with an anti-virus agent installed, the pictures will be downloaded by the anti-virus datacenter, which is located outside of the European Union. You have no control over what will happen with that data: is it shredded, is it stored, is it distributed to other datacenters, who has access to the data, ...

In this test there were no session cookies replayed by the anti-virus datacenter, but it is very possible that the anti-virus agent sends the full HTTP request to the anti-virus datacenter.

We discovered this privacy breach when investigating web application firewall logs for unauthorized access to homebanking information like transaction history, credit card statements, ...

There is no mention of this in the end-user license agreement.

There is still a lot of work for the European Privacy Commission. Google was fined in Germany for unauthorized access to personal wifi networks; is this a comparable situation?

Solution: Koen proposes that URLs be hashed by the anti-virus agent before they are sent, so that replaying them from the datacenter is impossible, while a hash would still be sufficient to block access to malware-infected web pages.
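What Koen's proposal looks like in code, as an added example that is not from the article or from any anti-virus vendor: the agent normalizes the URL, hashes it with SHA-256 and sends only the digest; the cloud side keeps a set of digests of known-bad URLs and answers block or allow. The `CloudReputationService` class and the blocklist entry are constructed for the illustration. The test at the end checks that a private download link never reaches the cloud in a replayable form.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url):
    """Canonicalize a URL so that trivially different spellings of one page hash alike:
    lower-case scheme and host, strip default ports, drop the fragment (never sent
    to the server anyway). The query string is kept because it is part of what a
    malicious page may be keyed on."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit already lower-cases the hostname
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def url_hash(url):
    """The only thing the hardened agent transmits: a hex SHA-256 of the normalized URL."""
    return hashlib.sha256(normalize_url(url).encode("utf-8")).hexdigest()


class CloudReputationService:
    """Constructed stand-in for the vendor's datacenter. It stores hashes of known
    malicious URLs and records what each lookup reveals to it."""

    def __init__(self, known_bad_urls):
        self._bad = {url_hash(u) for u in known_bad_urls}
        self.received = []               # everything the cloud learned from agents

    def lookup(self, digest):
        self.received.append(digest)
        return "block" if digest in self._bad else "allow"


def agent_check(service, url):
    """Hardened agent behaviour: hash locally, send the digest, act on the verdict."""
    return service.lookup(url_hash(url))


def cloud_can_replay(service, url):
    """True if any value the cloud received would let it fetch `url` directly."""
    return any(url in item or normalize_url(url) in item for item in service.received)


if __name__ == "__main__":
    # Constructed blocklist entry; not a real malicious site.
    cloud = CloudReputationService(["http://malware.example/drop.php"])
    for u in ["http://MALWARE.example:80/drop.php#landing",
              "https://files.example.net/k3j9x2q7/photo.html?token=s3cr3t"]:
        print(f"{agent_check(cloud, u):5}  {u}")
    print("cloud received:", cloud.received)
```

Two caveats a deployment would have to weigh. A hash only protects URLs that are hard to guess: a digest of a popular page is trivially reversible from a dictionary of common URLs, so the scheme hides private share links like the one in Koen's scenario but still tells the vendor which well-known sites you visit. And the cloud can no longer fetch and scan unknown pages at all, which is exactly the trade Koen argues for: reputation lookups on hashes, not crawling of users' private links.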
