
Anti-virus companies spy on your personal web site visits and replay sensitive URLs in an attempt to detect malware

During daily monitoring of F5 Application Security Manager blocks in Splunk, our security experts detected abnormal behaviour from specific IP ranges belonging to different anti-virus companies.

Different IP addresses requested URLs that are linked to users visiting the web site! These URLs were captured and stored on the user's machine and forwarded to the cloud without the user's consent!

URLs containing sensitive information in GET parameters (username, password, credit card information, personally identifiable information, ...) are all captured by the anti-virus engine and transmitted to the anti-virus datacenter. A few moments after the user requested the URLs, the same URLs are requested from the anti-virus datacenter: without the user's cookie, but with the full URL including every parameter and the information it carries.

If you look at the OWASP Top 10, a lot of web applications still use direct references to sensitive information (A4, Insecure Direct Object References) in GET and/or POST parameters. Note that only the GET parameters end up in the URL, so those are the ones the anti-virus engine captures and replays.

A fictitious example:

1. Log in to website: www.acme.com/login?user=foo&pass=bar

2. Load your profile: www.acme.com/getprofile?userid=12345

3. Download credit card statement: www.acme.com/getstatement?guid=12345-CARD1234

The same URLs are stored by the anti-virus product on the user's machine, sent to the anti-virus cloud and replayed by virtual machines using a browser.

Fortunately these requests are blocked by the F5 web application firewall because they are detected as a forceful browsing attack, but I have seen a lot of web applications that are not protected by a web application firewall and that could leak sensitive information when authentication and authorization flaws exist in the web site.
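Sites without a WAF can still spot the replay pattern in their own access logs. The following is an added example, not code or data from this post: it parses a constructed Apache "combined" log (assumed here to have the request Cookie header appended as a last field) and reports every parameterised URL that one client fetched with a cookie and a different client fetched again, without any cookie, shortly afterwards. The client addresses 203.0.113.10 and 198.51.100.7 are RFC 5737 documentation addresses, not the ranges referred to in the post.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample log, not taken from any real server. Apache "combined"
# format with one extra field appended: the request Cookie header (a
# hypothetical LogFormat ending in "%{Cookie}i"; adjust LOG_RE to your own).
# 203.0.113.10 plays the user, 198.51.100.7 the cloud scanner.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2012:10:15:02 +0200] "GET /getstatement?guid=12345-CARD1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "JSESSIONID=abc123"
203.0.113.10 - - [30/Apr/2012:10:15:05 +0200] "GET /getprofile?userid=12345 HTTP/1.1" 200 812 "-" "Mozilla/5.0" "JSESSIONID=abc123"
198.51.100.7 - - [30/Apr/2012:10:15:41 +0200] "GET /getstatement?guid=12345-CARD1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [30/Apr/2012:10:15:43 +0200] "GET /getprofile?userid=12345 HTTP/1.1" 403 0 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [30/Apr/2012:10:20:00 +0200] "GET /getprofile?userid=12345 HTTP/1.1" 200 812 "-" "Mozilla/5.0" "JSESSIONID=abc123"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Parameter names that typically carry credentials, record identifiers or
# session tokens; extend this set for your own application.
SENSITIVE_NAMES = {"user", "username", "pass", "password", "userid", "guid",
                   "sessionid", "jsessionid", "phpsessid", "sid", "token", "card"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["cookie"] = None if e["cookie"] == "-" else e["cookie"]
    return e


def sensitive_params(url):
    """Names of query parameters in `url` that look sensitive, plus
    'jsessionid' when the session id rides in the path (URL Rewriting)."""
    parts = urlsplit(url)
    found = {k for k in parse_qs(parts.query) if k.lower() in SENSITIVE_NAMES}
    if re.search(r";jsessionid=", parts.path, re.I):
        found.add("jsessionid")
    return sorted(found)


def find_replays(log_text, window_seconds=300):
    """Find parameterised URLs first fetched with a cookie by one client and
    fetched again within `window_seconds` by a different client without any
    cookie: the replay pattern described in the post."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["ts"])
    replays = []
    for i, orig in enumerate(entries):
        if orig["cookie"] is None or "?" not in orig["url"]:
            continue  # only authenticated requests carrying parameters matter
        for later in entries[i + 1:]:
            delta = (later["ts"] - orig["ts"]).total_seconds()
            if delta > window_seconds:
                break  # entries are time-sorted, nothing later can qualify
            if (later["url"] == orig["url"] and later["ip"] != orig["ip"]
                    and later["cookie"] is None):
                replays.append({
                    "url": orig["url"],
                    "user_ip": orig["ip"],
                    "replay_ip": later["ip"],
                    "delay_s": delta,
                    "replay_status": int(later["status"]),
                    "sensitive": sensitive_params(orig["url"]),
                })
    return replays


if __name__ == "__main__":
    for r in find_replays(SAMPLE_LOG):
        print(f'{r["replay_ip"]} replayed {r["url"]} {r["delay_s"]:.0f}s after '
              f'{r["user_ip"]} (status {r["replay_status"]}, '
              f'sensitive params: {", ".join(r["sensitive"]) or "none"})')
```

A replay that came back with status 200 rather than 401/403 is the one to worry about: it means the URL alone was enough to get the data, exactly the authentication or authorization flaw the paragraph above warns about. Matching on the full URL (path plus query string) rather than the path alone is deliberate, since it is the parameter values that make the replay sensitive.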

I also think that this is a huge privacy issue: when a user enables web malware protection in his anti-virus, he or she is not aware that full URLs are sent to the anti-virus company! Now that everybody is using cloud apps and uploading information to cloud storage solutions, URLs should be protected, because there is too much security by obscurity in URLs and parameters.

I will not mention the IP ranges or the anti-virus companies. Instead I hope that these companies take the responsibility to come forward with:

  1. what information they collect
  2. how they protect that information in transit and in storage
  3. why they upload it to their datacenter
  4. why they replay it without the user's formal approval

Please retweet, like or leave a comment!

Update 30/04/2012

During a training last week where I discussed OWASP Top 10 - A3 Broken Authentication and Session Management, it was obvious that web applications that use URL Rewriting for session management are very vulnerable to the anti-virus replay attacks.

So if your web application uses URL Rewriting to communicate the session ID, you now have a big privacy and confidentiality issue: the captured URL contains the session ID, so the request replayed from the anti-virus datacenter is served as the logged-in user even though it carries no cookie.

If you use a web application that uses URL Rewriting, make sure that you don't use the cloud protection of your anti-virus.
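To make the difference concrete, here is an added example (a toy server written for this page, not code from the post or from any product) that serves the credit card statement from the fictitious example above. With URL Rewriting enabled the server accepts a session ID from the URL, so replaying the captured URL without a cookie is served as the victim, even though the server does check that the statement belongs to the logged-in user. The hardened variant only trusts a session ID carried in a cookie and rejects any session ID found in the URL. The session store, the statement table and the cookie name SESSIONID are assumptions made for the example.

```python
import re
import secrets
from urllib.parse import urlsplit, parse_qs

# Toy server-side state, constructed for this example.
SESSIONS = {}  # session id -> username
STATEMENTS = {"12345-CARD1234": "foo", "67890-CARD5678": "bob"}  # guid -> owner


def login(username):
    """Create a session for `username` and return its id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def session_from_url(url):
    """Session id carried in the URL, as URL Rewriting does it: either as a
    ;jsessionid=... path parameter or as a PHPSESSID/sessionid query parameter."""
    parts = urlsplit(url)
    m = re.search(r";jsessionid=([^;/?#]+)", parts.path, re.I)
    if m:
        return m.group(1)
    qs = parse_qs(parts.query)
    for name in ("PHPSESSID", "sessionid"):
        if name in qs:
            return qs[name][0]
    return None


def session_from_cookie(cookie_header):
    """Session id from a Cookie header of the form 'SESSIONID=...; other=...'."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSIONID":
            return value
    return None


def handle_request(url, cookie_header=None, url_rewriting=True):
    """Serve /getstatement?guid=... and return (status, body).

    url_rewriting=True: a session id in the URL is accepted when there is no
    cookie (the vulnerable configuration discussed in the post).
    url_rewriting=False: only the cookie is consulted, and a session id in the
    URL is rejected outright so it can never be logged or replayed."""
    url_sid = session_from_url(url)
    sid = session_from_cookie(cookie_header)
    if url_rewriting:
        sid = sid or url_sid
    elif url_sid is not None:
        return 400, "session id in URL not accepted"
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "login required"
    # Authorization check on the direct object reference: the statement
    # must belong to whoever the session says is logged in.
    guid = parse_qs(urlsplit(url).query).get("guid", [None])[0]
    if STATEMENTS.get(guid) != user:
        return 403, "not your statement"
    return 200, f"credit card statement {guid} for {user}"


def demo():
    """Replay the same captured URL against both configurations."""
    sid = login("foo")
    # URL as the victim's browser sent it under URL Rewriting: the session id
    # is part of the URL, so it is in whatever URL log the anti-virus keeps.
    captured = f"/getstatement;jsessionid={sid}?guid=12345-CARD1234"
    victim = handle_request(captured, url_rewriting=True)
    # The anti-virus datacenter replays the URL: other client, no cookie.
    replay = handle_request(captured, cookie_header=None, url_rewriting=True)
    # Hardened server: the same replay is refused ...
    replay_hardened = handle_request(captured, cookie_header=None,
                                     url_rewriting=False)
    # ... while the real user, whose session id only ever travels in a
    # cookie the replay does not have, is still served.
    user_hardened = handle_request("/getstatement?guid=12345-CARD1234",
                                   cookie_header=f"SESSIONID={sid}",
                                   url_rewriting=False)
    return victim, replay, replay_hardened, user_hardened


if __name__ == "__main__":
    labels = ("victim", "replay", "replay (hardened)", "user (hardened)")
    for label, (status, body) in zip(labels, demo()):
        print(f"{label:18} -> {status} {body}")
```

The ownership check on guid is there on purpose: it shows that fixing the A4 problem alone does not help when the session itself is in the URL, because the replayed request passes that check as the victim. Moving the session ID into a cookie is what stops the replay; a secondary guard in the same spirit is to treat any session ID that shows up in a URL as invalid, as the hardened branch does.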

Update 02/05/2012

A tweet from d3tm4r directed me to his blog: http://www.dissectingthehack.com/profiles/blogs/reputation-or-cloud-based where he discusses the same issues, with some nice links to more information.

IP addresses discussed in the following online forum thread: http://serverfault.com/questions/138240/strange-iis-hits-originating-from-trend-micro

  • 216.104.15.130
  • 216.104.15.138
  • 216.104.15.142
  • 216.104.15.13
  • 150.70.84.49
  • 150.70.84.44

If you have examples of log entries in your Apache/WAF/... for the IP addresses above, please mail them to info at zionsecurity.com so we can add them to this blog.
