Bugtraq mailing list archives
Re: SpiDynamics WebInspect - Keeping Track of its Users?
From: "Caleb Sima" <csima () spidynamics com>
Date: Sun, 16 Dec 2001 00:20:40 -0500
I can understand DB's concern and I apologize to DB that the support and sales people that he spoke to did not elevate this up to the proper individuals to answer his questions properly. (No developers actually spoke to DB.) We make no effort to hide that this remote authentication is done. After registering for a download from our website an email is sent to the user describing how to use WebInspect. Pasted below is an excerpt from that message.
SUPPORT & SERVICE

As a WebInspect pilot user, your current trial license allows you to scan up to 5 devices and is valid for 2 weeks. If you have any questions or comments on installing or running the software please contact our support desk at support () spidynamics com or call 1-866-SPI-2700 (M-F, 9 - 5 Eastern).
Note: An active Internet connection is needed to authenticate. If you are located behind a proxy, set your IE settings to point to your proxy.
Below is an excerpt from our logfile on exactly what we log from the user.
GET /spiAuth/spiAuth.spi Action=Auth&Key=NkYCBMFFEXLrTXeHUHH8&LastDate=2/4/2001+1:22:14+AM&IP=2.2.2.2 200 >Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)

Broken up this is:

Action=: This says whether the user is updating the product or just authorizing use.
Key=: This is the user's key id that was given to them to use the product.
LastDate=: This is the date and time that the authorization took place.
IP=: This is the IP address of what the user is attempting to scan.

This remote authentication is used only on demo keys and is used to keep users from abusing the product and scanning sites that they are not authorized to scan. If SPIDynamics notices a user scanning a site that is illegal this allows us to cut off access to the product immediately.

If anyone would actually want to take the time to look at the authentication themselves to verify this, just add a hosts entry to download.spidynamics.com and point the IP address to an SSL webserver.

Caleb Sima
CTO
SPIDynamics Inc.
csima () spidynamics com

----- Original Message -----
From: "A.S." <DB () globalapathy com>
To: <bugtraq () securityfocus com>
Sent: Saturday, December 15, 2001 10:12 AM
Subject: SpiDynamics WebInspect - Keeping Track of its Users?
WebInspect - *Privacy ALERT*

------Cut and paste from SpiDynamics Website------
WebInspect, S.P.I. Dynamic's premier product, is the most comprehensive network-based web application security solution ever designed. It dynamically uncovers well-known static security holes, as well as security vulnerabilities specific to your own custom web applications, working with your existing security software to re-enforce and strengthen functionality. Using patent-pending logic, WebInspect hones in on a new class of vulnerabilities undetected by any other scanner currently on the market.
------End cut and paste from SpiDynamics Website------

Basically it's a vulnerability scanner that you use to remotely test your website for potential security holes. A demo of it is available for download from the SpiDynamics Website (http://www.spidynamics.com) for the cost of filling out an information form.

I've come to the conclusion that SpiDynamics is keeping track of at least what sites you are scanning with their software and possibly much more. What's worse is that there's NO mention of this "Reporting" activity on the part of the software in the EULA (End User License Agreement) that you must agree to before you install their demo of WebInspect.

I'm no legal expert, or master hacker... But anyone can see that something strange is going on here. And a lead developer from their company even admitted to me on the telephone that "I had found a Bug". The thing is, that I personally think it's intentional, and not just some accidental oversight on their part. It seems to me that this is highly illegal, almost to the point of eavesdropping... but like I said I'm no legal expert, you be the judge...

http://www.globalapathy.com/news/default.asp (Read full article here)

-DB
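The exchange above turns on exactly which fields the demo sends to the vendor on each authorization. The following Python is an added example written for this archive page, not code from SPIDynamics or from either poster: it parses the request line Caleb Sima quotes (embedded here as a constructed sample, joined onto one line) into the four fields he describes, decodes the "+"-encoded values, and lists the fields an auditor would flag as revealing something about the user's activity. The split into five space-separated columns, the field meanings, and the choice of Key and IP as the sensitive fields are assumptions taken from the message text, not from any vendor documentation.

```python
import datetime
from urllib.parse import parse_qs, unquote_plus

# Constructed sample: the log line quoted in the message, joined onto one line.
SAMPLE_LOG_LINE = (
    "GET /spiAuth/spiAuth.spi "
    "Action=Auth&Key=NkYCBMFFEXLrTXeHUHH8&LastDate=2/4/2001+1:22:14+AM&IP=2.2.2.2 "
    "200 >Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)"
)

# Field meanings as given in the message (assumption: paraphrased from the text).
FIELD_MEANING = {
    "Action": "update vs. plain authorization",
    "Key": "demo key id issued to the user",
    "LastDate": "date and time of the authorization",
    "IP": "address the user is attempting to scan",
}

# Fields that tie the request to a person or to a scan target
# (assumption: what a privacy review would flag).
SENSITIVE_FIELDS = {"Key", "IP"}


def parse_auth_log_line(line):
    """Split 'METHOD PATH QUERY STATUS USER_AGENT' and decode the query string.

    The user agent is '+'-encoded and carries no spaces, so at most four splits
    yield exactly five columns. Assumption: this column layout matches the log.
    """
    method, path, query, status, user_agent = line.strip().split(" ", 4)
    # parse_qs turns '+' into ' ' and %XX escapes into characters; keep the
    # first value of each field (the log shows each field once).
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {
        "method": method,
        "path": path,
        "status": int(status),
        # Leading '>' is treated as a log-format delimiter, not part of the UA.
        "user_agent": unquote_plus(user_agent.lstrip(">")),
        "fields": fields,
    }


def authorization_time(record):
    """Parse LastDate (US date, 12-hour clock) into a datetime; None if absent."""
    raw = record["fields"].get("LastDate")
    if raw is None:
        return None
    return datetime.datetime.strptime(raw, "%m/%d/%Y %I:%M:%S %p")


def sensitive_fields(record):
    """Return (name, value) pairs for the fields that identify user or target."""
    return sorted(
        (name, value)
        for name, value in record["fields"].items()
        if name in SENSITIVE_FIELDS
    )


def describe(record):
    """Human-readable audit lines: field, decoded value, and meaning."""
    return [
        f"{name}={value!r}: {FIELD_MEANING.get(name, 'undocumented field')}"
        for name, value in record["fields"].items()
    ]


if __name__ == "__main__":
    rec = parse_auth_log_line(SAMPLE_LOG_LINE)
    for line in describe(rec):
        print(line)
    print("authorized at:", authorization_time(rec))
    print("sensitive:", sensitive_fields(rec))
```

Running it against the sample prints the four decoded fields with their meanings, the authorization timestamp as a proper datetime, and the two fields (Key and IP) that link a registered demo user to a scan target; feeding it lines captured on a server reached via the hosts-file redirection Caleb Sima suggests is the same check, applied to live traffic rather than the quoted excerpt.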
Current thread:
- SpiDynamics WebInspect - Keeping Track of its Users? A . S . (Dec 15)
- Re: SpiDynamics WebInspect - Keeping Track of its Users? Caleb Sima (Dec 17)