I don't know if this is already well known, but it has come to my attention that whenever someone launches XMLSpy, the program will try to connect to Altova's servers, send some user info through a POST to a web server, and wait for a response. It will then answer whether the copy is authentic or not, and probably stop the program should it be a pirated copy. It also seems to be some kind of Live Update, judging from the script name it's calling.

What bothers me is that it's sending user information that was _not_ entered into the program. It sends the user name used to register the program, and it also sends an email address that I'm almost sure was not entered into the program.

If the machine is not connected to the internet, or its path to Altova is firewalled, the program will run with no problems.

Of course, being a security professional, I don't like programs opening hidden connections to the outside and sending personal data from users without my (and their) knowledge, so I thought that others here would like to know that.

This is a sample of the data sent out that I captured with tcpdump. It is being sent to 207.244.119.109. Already firewalled here.

    POST /liveupdate.asp HTTP/1.1
    Referer: LicMan
    Content-Type: application/x-www-form-urlencoded
    User-Agent: AltovaLiveUpdate
    Host: link.altova.com
    Content-Length: 117
    Cache-Control: no-cache

    u=User%20Name&c=Company&e=email%40address.com&v=XMLSpy%205%20rel.%202&k=28GkAD-Ee281s-qCAt2s-4Fss37-8P7M2C-AP3EH3&f=l

--
Bruno Lustosa, aka Lofofora             | Email: bruno@xxxxxxxxxxx
Network Administrator/Web Programmer    | ICQ UIN: 1406477
Rio de Janeiro - Brazil                 |
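As an added example (not part of Bruno's post or Altova's software), the following Python script parses the captured request above, checks the declared Content-Length against the body, decodes the form body and reports which fields carry personal data. The labels for the single-letter field names are assumptions; the post does not document them.

```python
from urllib.parse import parse_qs

# Constructed copy of the request quoted in the post above (CRLF line endings assumed).
CAPTURED_REQUEST = (
    "POST /liveupdate.asp HTTP/1.1\r\n"
    "Referer: LicMan\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: AltovaLiveUpdate\r\n"
    "Host: link.altova.com\r\n"
    "Content-Length: 117\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "u=User%20Name&c=Company&e=email%40address.com&v=XMLSpy%205%20rel.%202"
    "&k=28GkAD-Ee281s-qCAt2s-4Fss37-8P7M2C-AP3EH3&f=l"
)

# Hypothetical labels for the field names: the post does not name them,
# so these are guesses from the captured values.
FIELD_LABELS = {"u": "user name", "c": "company", "e": "email address",
                "v": "product version", "k": "license key", "f": "flag"}
PERSONAL_FIELDS = {"u", "c", "e", "k"}


def parse_http_request(raw):
    """Split a raw HTTP request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_form_post(raw):
    """Decode a form-urlencoded POST and report which fields carry personal data."""
    request_line, headers, body = parse_http_request(raw)
    declared = int(headers.get("content-length", "0"))
    if len(body.encode()) != declared:
        raise ValueError(f"body is {len(body.encode())} bytes, header says {declared}")
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {
        "host": headers.get("host"),
        "path": request_line.split()[1],
        "user_agent": headers.get("user-agent"),
        "fields": {FIELD_LABELS.get(k, k): v for k, v in fields.items()},
        "personal": sorted(FIELD_LABELS.get(k, k) for k in fields if k in PERSONAL_FIELDS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_form_post(CAPTURED_REQUEST), indent=2))
```

Pointing audit_form_post at any similar tcpdump capture shows at a glance which decoded values a program is phoning home with.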