Off-topic, yes, but I think it's important to get the word out on this.
Have you ever clicked on an End-User License Agreement without bothering
to read it? Me, too, but after reading this article I'll never let one
slip by again.
Steve
Team Tierra Buena
10/30/2002 03:32 PM
Subject: Security Implications with Web Based Greeting Cards
Have you been receiving and sending a lot of Web based Greeting Cards?
If you do (a co-worker told me today that he sends them to a lot of
people), you may want to read this article.
* SNEAK ATTACK THROUGH A LICENSE AGREEMENT
Have you ever received a Web-based greeting card from a friend or
relative? They're common these days, and they seem to be taken for
granted, in that people trust the intent of someone who might send
them a greeting card. People like to be greeted with kindness, so
they're inclined to look at and read the greeting card. It's one of the
feel-good things that many people simply can't resist.
Have you ever wondered why a company would spend its Internet
resources delivering free greeting cards on behalf of people with whom
it conducts no business otherwise? How does such an entity profit from
those endeavors? What might its motives be?
Last week, a user posted an interesting message to our HowTo for
Security mailing list regarding one company that delivers Web-based
greeting cards. That company, Permissioned Media, runs a Web site
called FriendGreetings.com, which lets one person send another person
an electronic greeting card. The friendly facilitation seems simple
and harmless, but it has a rather insidious side.
When you receive a greeting from FriendGreetings.com, the message says
that someone sent you the greeting and that to read it, you must click
a URL that takes you to the Web site hosting the greeting. When you
click the URL, you're prompted to install an ActiveX control before
you view the greeting. As the greeting-card recipient, you would
probably assume that you must install the ActiveX control to view the
greeting; however, that's not the case. Instead, FriendGreetings.com
has designed the ActiveX control, complete with an End User License
Agreement (EULA), to interact with your mail client software and
harvest information about your email contacts. After the ActiveX
control obtains your private contact list information, it sends a
similar greeting card to everyone in your contact list, probably
unbeknownst to you!
If you took time to read the EULA from FriendGreetings.com, you'd
discover that the EULA clearly states Permissioned Media's intention
to do just that. A section of the EULA reads, "As part of the
installation process, Permissioned Media will access your Microsoft
Outlook contacts list and send an e-mail to persons on your contacts
list inviting them to download FriendGreetings or related products."
By accepting the EULA and installing the ActiveX control, you give the
company permission to perform that activity.
In essence, the greeting cards that FriendGreetings.com delivers
resemble many worms that travel the Internet: They're parasitic,
intrusive, devious, elusive, and most of all, probably unwanted. Even
some antivirus vendors issued warnings about the greeting card last
week. However, we can't completely blame FriendGreetings.com for its
use because, although the company counts on most users' acceptance of
the unread EULA, the EULA does spell out some of its intention. By
agreeing to the EULA, users agree to the ActiveX control activity.

Nevertheless, the lesson here should be obvious: When you encounter a
EULA, don't take anything for granted. Read it word for word to
understand exactly what you're accepting and think through what the
consequences of acceptance might be.
Permissioned Media bills itself as a "behavioral marketing network"
with more than 100 clients that advertise online. The company also
operates Cool-Downloads.com. You can read Permissioned Media's EULA at
the URL below. Take note that it grants the company "the right to add
additional features or functions to the version of PerMedia you
install, or to add new applications to PerMedia, at any time." Yikes!
http://permissionedmedia.com/license.htm
If you've received a greeting card from FriendGreetings.com and
installed the associated ActiveX control, you might want to remove its
software from your system. To find out how, be sure to read the
related news article, "Protect Your Contact List: Read the EULA!" in
this newsletter.
http://www.secadministrator.com/articles/index.cfm?articleid=27122
Source: Windows & .NET Magazine Security UPDATE--brought to you by
Security Administrator, a print newsletter bringing you practical,
how-to articles about securing your Windows .NET Server, Windows 2000,
and Windows NT systems. (Contributed by Mark Joseph Edwards, News
Editor)
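The behaviour the forwarded article describes (one installed control mailing the same greeting to everyone in the user's contact list) shows up at an outbound mail gateway as a burst of identical-subject messages from a single sender to many distinct recipients inside a few minutes. The script below is an added example, not code from the newsletter, from Permissioned Media or from the poster; it flags that pattern over a constructed gateway log. The log line format, the 10-minute window and the 5-recipient threshold are assumptions chosen for illustration.

```python
"""Flag worm-like outbound mail bursts: one sender, one subject, many
distinct recipients inside a short time window.

Added example; the log format and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an outbound gateway log (assumed format:
# ISO timestamp, envelope sender, one recipient, quoted subject).
# Not a real capture. carol's lines mimic the greeting-card behaviour;
# bob's "Weekly digest" goes to five people but spread over a workday.
SAMPLE_LOG = """\
2002-10-30T15:32:01 alice@example.com bob@example.net "Q3 budget"
2002-10-30T15:35:44 alice@example.com carol@example.com "Lunch?"
2002-10-30T15:40:12 carol@example.com dave@example.org "You have a greeting card!"
2002-10-30T15:40:12 carol@example.com erin@example.org "You have a greeting card!"
2002-10-30T15:40:13 carol@example.com frank@example.net "You have a greeting card!"
2002-10-30T15:40:13 carol@example.com grace@example.org "You have a greeting card!"
2002-10-30T15:40:14 carol@example.com heidi@example.net "You have a greeting card!"
2002-10-30T15:40:14 carol@example.com dave@example.org "You have a greeting card!"
2002-10-30T15:41:02 carol@example.com ivan@example.org "You have a greeting card!"
2002-10-30T09:00:00 bob@example.net u1@example.org "Weekly digest"
2002-10-30T11:00:00 bob@example.net u2@example.org "Weekly digest"
2002-10-30T13:00:00 bob@example.net u3@example.org "Weekly digest"
2002-10-30T15:00:00 bob@example.net u4@example.org "Weekly digest"
2002-10-30T17:00:00 bob@example.net u5@example.org "Weekly digest"
"""

# timestamp sender recipient "subject"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text):
    """Return a list of (timestamp, sender, recipient, subject) tuples.

    Lines that do not match the assumed format are skipped rather than
    raising, so a partially garbled log still yields what it can.
    """
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, sender, rcpt, subject = match.groups()
        entries.append((datetime.fromisoformat(ts), sender.lower(),
                        rcpt.lower(), subject))
    return entries


def find_bursts(entries, window=timedelta(minutes=10), min_recipients=5):
    """Map (sender, subject) -> peak distinct recipients inside `window`,
    keeping only pairs whose peak reaches `min_recipients`.

    A sliding window per (sender, subject) means a slow mailer that
    reaches many people over hours is not flagged, while a control that
    mails a whole contact list in one go is.
    """
    by_key = defaultdict(list)
    for ts, sender, rcpt, subject in entries:
        by_key[(sender, subject)].append((ts, rcpt))

    bursts = {}
    for key, sends in by_key.items():
        sends.sort()                 # chronological order
        in_window = defaultdict(int)  # recipient -> sends inside window
        start = 0
        peak = 0
        for ts, rcpt in sends:
            in_window[rcpt] += 1
            # Evict sends that fell out of the window behind this one.
            while ts - sends[start][0] > window:
                old = sends[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_recipients:
            bursts[key] = peak
    return bursts


if __name__ == "__main__":
    for (sender, subject), n in find_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"burst: {sender} sent \"{subject}\" to {n} recipients")
```

Duplicate recipients (carol's second message to dave) are counted once, so the threshold measures spread across the address book rather than raw volume, which is the signal the article's "everyone in your contact list" behaviour leaves behind. Tune the window and threshold to your own gateway's normal traffic before alerting on it.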