WebInspect, S.P.I. Dynamics' premier product, is a network-based web application security solution. A privacy issue has been noted in the product that might escape a user evaluating it: the trial version of the product sends the vendor the names of the sites it has been used to scan. This could be considered a breach of privacy. (Note: the email sent to users receiving the TRIAL version includes a warning that this will happen.)
Credit:
The information has been provided by A.S., Caleb Sima.
SpiDynamics keeps track of what sites you are scanning with their software and possibly much more. There is no mention of this "Reporting" activity on the part of the software in the EULA (End User License Agreement) that you must agree to before you install their demo of WebInspect. However, the email message you receive in order to download the trial version does include a statement about this behavior.
Vendor response:
I can understand DB's concern and I apologize to DB that the support and sales people that he spoke to did not elevate this up to the proper individuals to answer his questions properly. (No developers actually spoke to DB)
We make no effort to hide that this remote authentication is done.
After registering for a download from our website, an email is sent to the user describing how to use WebInspect. Pasted below is an excerpt from that message.
> As a WebInspect pilot user, your current trial license allows you to scan
> up to 5 devices and is valid for 2 weeks. If you have any questions or
> comments on installing or running the software please contact our support
> desk at support@spidynamics.com or call 1-866-SPI-2700 (M-F, 9 - 5 Eastern).
>
> Note: An active Internet connection is needed to authenticate. If you are
> located behind a proxy, set your IE settings to point to your proxy.
Below is an excerpt from our logfile on exactly what we log from the user.
>GET /spiAuth/spiAuth.spi
>Action=Auth&Key=NkYCBMFFEXLrTXeHUHH8&LastDate=2/4/2001+1:22:14+AM&IP=2.2.2.2 200
>Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) -
Broken up this is:
Action=: This says whether the user is updating the product or just authorizing use
Key=: This is the user's key id that was given to them to use the product.
LastDate=: This is the date and time that the authorization took place
IP=: This is the IP address of what the user is attempting to scan
This remote authentication is used only on demo keys and is used to keep users from abusing the product and scanning sites that they are not authorized to scan. If SPI Dynamics notices a user scanning a site that is illegal this allows us to cut off access to the product immediately. If anyone would actually want to take the time to look at the authentication to verify this, just add a hosts entry for download.spidynamics.com and point the IP address to an SSL webserver.
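A small parser for the authentication request shown in the vendor's log excerpt, added here as an example (it is not code from the advisory or from SPI Dynamics). It lets someone auditing a trial install's outbound traffic, or a proxy log, pull out exactly which fields leave the host. The log line is constructed to match the excerpt above, and the field order (method, URI stem, URI query, status, user agent, referer, IIS W3C style) is an assumption based on that excerpt.

```python
from urllib.parse import parse_qs

# Constructed sample lines modelled on the excerpt in the vendor response.
# Assumed column order (IIS W3C style): method, uri-stem, uri-query, status,
# user-agent, referer. Spaces inside a column are '+'-encoded, so whitespace
# splitting is safe.
SAMPLE_LOG = [
    "GET /spiAuth/spiAuth.spi "
    "Action=Auth&Key=NkYCBMFFEXLrTXeHUHH8&LastDate=2/4/2001+1:22:14+AM&IP=2.2.2.2 "
    "200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) -",
    "GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) -",
]

AUTH_PATH = "/spiAuth/spiAuth.spi"
# The four query fields the vendor response says are logged.
PHONE_HOME_FIELDS = ("Action", "Key", "LastDate", "IP")


def parse_auth_request(line):
    """Return the phone-home fields of one log line as a dict, or None if
    the line is not a request to the trial authentication endpoint."""
    parts = line.split()
    if len(parts) < 4 or parts[1] != AUTH_PATH:
        return None
    _method, _stem, query, status = parts[:4]
    # parse_qs decodes '+' back to a space, e.g. in the LastDate value.
    qs = parse_qs(query, keep_blank_values=True)
    fields = {k: v[0] for k, v in qs.items()}
    record = {name: fields.get(name) for name in PHONE_HOME_FIELDS}
    record["status"] = int(status)
    record["user_agent"] = parts[4] if len(parts) > 4 else None
    return record


def scan_targets_disclosed(lines):
    """Collect the IP= values (the hosts being scanned) that a trial build
    reported during Action=Auth requests, in log order."""
    targets = []
    for line in lines:
        record = parse_auth_request(line)
        if record and record["Action"] == "Auth" and record["IP"]:
            targets.append(record["IP"])
    return targets


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_auth_request(line))
    print("scan targets disclosed:", scan_targets_disclosed(SAMPLE_LOG))
```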