[NEWS] SpiDynamics WebInspect Keeps Track of Its Users (Trial License)

From: support@securiteam.com
Date: 12/18/01


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 18 Dec 2001 17:51:37 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  SpiDynamics WebInspect Keeps Track of Its Users (Trial License)
------------------------------------------------------------------------

SUMMARY

WebInspect, S.P.I. Dynamics' premier product, is a network-based web
application security scanner. A privacy issue has been noted in the
product that a user evaluating it could easily miss: the trial version
of the product sends the vendor the names of the sites it has been used
to scan. This could be considered a breach of privacy (note that the
email sent to users receiving the TRIAL version includes a warning that
this will happen).

DETAILS

SpiDynamics keeps track of what sites you are scanning with their software
and possibly much more. There is no mention of this "Reporting" activity
on the part of the software in the EULA (End User License Agreement) that
you must agree to before you install their demo of WebInspect. However,
the email message you receive in order to download the trial version does
include a statement about this behavior.

Vendor response:
I can understand DB's concern and I apologize to DB that the support and
sales people that he spoke to did not elevate this up to the proper
individuals to answer his questions properly. (No developers actually
spoke to DB)

We make no effort to hide that this remote authentication is done.

After registering for a download from our website, an email is sent to the
user describing how to use WebInspect. Pasted below is an excerpt from
that message.

> As a WebInspect pilot user, your current trial license allows you to
> scan up to 5 devices and is valid for 2 weeks. If you have any questions
> or comments on installing or running the software please contact our
> support desk at support@spidynamics.com or call 1-866-SPI-2700 (M-F,
> 9 - 5 Eastern).
>
> Note: An active Internet connection is needed to authenticate. If you
> are located behind a proxy, set your IE settings to point to your proxy.

Below is an excerpt from our logfile on exactly what we log from the user.

>GET /spiAuth/spiAuth.spi
>Action=Auth&Key=NkYCBMFFEXLrTXeHUHH8&LastDate=2/4/2001+1:22:14+AM&IP=2.2.2.2 200
>Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) -

Broken up this is:
Action=: This says whether the user is updating the product or just
authorizing use.
Key=: This is the user's key id that was given to them to use the product.
LastDate=: This is the date and time that the authorization took place.
IP=: This is the IP address of what the user is attempting to scan.

This remote authentication is used only on demo keys and is used to keep
users from abusing the product and scanning sites that they are not
authorized to scan. If SPI Dynamics notices a user scanning a site that is
illegal this allows us to cut off access to the product immediately. If
anyone would actually want to take the time to look at the authentication
to verify this, just add a hosts entry for download.spidynamics.com
and point the IP address to an SSL webserver.
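An added example (not code from the advisory or from SPI Dynamics) that parses log lines in the format the vendor quoted above and reports which query fields disclose the evaluator's activity; the log lines and the reasons attached to each field are constructed here for illustration.

```python
"""Parse WebInspect trial-licence check-in log lines (format as quoted in the
advisory) and flag the fields that reveal what the user is scanning.
Added example; the sample lines below are constructed, not real data."""
from urllib.parse import parse_qs, unquote_plus

# Constructed sample lines in the vendor's layout: method, path, query,
# status, user agent (plus-encoded), trailing "-" field.  The first mirrors
# the excerpt on the page; the second is an ordinary request for contrast.
SAMPLE_LINES = [
    "GET /spiAuth/spiAuth.spi "
    "Action=Auth&Key=NkYCBMFFEXLrTXeHUHH8&LastDate=2/4/2001+1:22:14+AM&IP=2.2.2.2 200 "
    "Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) -",
    "GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) -",
]

# Query fields that disclose user activity, with the (constructed) reason.
DISCLOSURE_FIELDS = {
    "Key": "licence key identifies the individual trial user",
    "IP": "address of the host being scanned is sent to the vendor",
    "LastDate": "timestamp shows when the user was scanning",
}

def parse_auth_log_line(line):
    """Split one log line into its parts and decode the query string."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError("unexpected log line layout: %r" % line)
    method, path, query, status, user_agent, _ = parts
    # parse_qs turns '+' into spaces, so LastDate becomes '2/4/2001 1:22:14 AM'
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {"method": method, "path": path, "fields": fields,
            "status": int(status), "user_agent": unquote_plus(user_agent)}

def is_phone_home(record):
    """True for the spiAuth check-in the vendor describes (Action= present)."""
    return record["path"].endswith("/spiAuth.spi") and "Action" in record["fields"]

def audit_disclosures(record):
    """List (field, value, reason) for each disclosing field in the request."""
    return [(name, record["fields"][name], why)
            for name, why in DISCLOSURE_FIELDS.items() if name in record["fields"]]

def find_phone_home(lines):
    """Return parsed records for only the check-in requests in a log."""
    records = (parse_auth_log_line(l) for l in lines)
    return [r for r in records if is_phone_home(r)]

if __name__ == "__main__":
    for rec in find_phone_home(SAMPLE_LINES):
        for name, value, why in audit_disclosures(rec):
            print("%-8s = %-22s %s" % (name, value, why))
```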

ADDITIONAL INFORMATION

The information has been provided by <mailto:DB@globalapathy.com> A.S.,
<mailto:csima@spidynamics.com> Caleb Sima.
