Trend Micro imports browser passwords, lets websites upload them all

fencepost

The sheer level of incompetence described in the security report that this Hacker News thread is about is astonishing. (The original security report is here: https://code.google.com/p/google-security-research/issues/detail?id=693).

Basically, Trend Micro (apparently the consumer edition(s), not so much the business/enterprise ones) has a few minor security flaws. The first one to turn up was that they install a local webserver which can be used to launch any program - all a webpage has to do is send a request to it using 'localhost'. Of note: the sample exploit code that Tavis provided in post #13 on the bug report launches an executable to.... uninstall Trend Micro.

After that little issue turned up and more investigation ensued, it turns out they include a "Secure Browser" mode - it even says "Secure Browser" in the User-Agent of what they launch - which turns out to be a year-old version of Chromium (so minus a bunch of security fixes) that is explicitly launched with the command-line option "--disable-sandbox" thrown in just to remove an additional layer of security.

And the real winner: When you install, it offers to import all your browser-stored passwords into their Secure Password Storage (don't worry - if you decline to do that, any webpage you visit can force it later by calling one of those 'localhost' APIs). Once your passwords are in the Secure Password Storage, any website can generate a call to a 'localhost' API to extract the encrypted passwords, then use another to decrypt them, then POST them out to another website.

I'm horrified. And glad that I don't know anyone running consumer Trend Micro.
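The structural problem in the first post (a localhost HTTP service that acts on any request the browser delivers, so every site the user visits can drive it) is easy to reproduce in miniature. The following is an added example, not Trend Micro's code and not taken from the bug report: a tiny local "launch" API in a weak configuration next to a hardened one. The endpoint name, the trusted origin https://vendor.example, the X-Local-Token header and the attacker origin are all made up for the illustration, and the "launch" action only records the requested name rather than executing anything.

```python
"""Added example: why a localhost API reachable from any web page is dangerous.
Nothing here is Trend Micro's code; endpoint, header and origin names are
invented for the illustration, and the launch action is only recorded."""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical first-party origin that the hardened service is allowed to serve.
ALLOWED_ORIGINS = {"https://vendor.example"}


def authorize(headers, expected_token, allowed_origins=ALLOWED_ORIGINS):
    """Two checks the weak configuration lacks. Returns (ok, reason).

    1. Browsers set the Origin header on cross-origin fetch/XHR and page
       JavaScript cannot forge it, so a page on attacker.example is rejected.
    2. A per-install secret the page cannot know stops non-browser callers
       and any site that merely guessed the port.
    """
    origin = headers.get("Origin")
    if origin is None or origin not in allowed_origins:
        return False, "origin not allowed: %r" % origin
    token = headers.get("X-Local-Token", "")
    if not secrets.compare_digest(token, expected_token):
        return False, "bad or missing token"
    return True, "ok"


class LocalApi:
    """Loopback HTTP service with one endpoint, /launch?exe=<name>."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.token = secrets.token_hex(16)  # known only to the installed app
        self.launched = []                  # what a real service would exec
        api = self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):  # silence per-request logging
                pass

            def do_GET(self):
                url = urlparse(self.path)
                if url.path != "/launch":
                    return self._reply(404, {"error": "no such endpoint"})
                if api.hardened:
                    ok, why = authorize(self.headers, api.token)
                    if not ok:
                        return self._reply(403, {"error": why})
                exe = parse_qs(url.query).get("exe", [""])[0]
                api.launched.append(exe)  # weak mode: acts on the request blindly
                self._reply(200, {"launched": exe})

            def _reply(self, code, body):
                data = json.dumps(body).encode()
                self.send_response(code)
                self.send_header("Content-Type", "application/json")
                self.end_headers()
                self.wfile.write(data)

        self.server = HTTPServer(("127.0.0.1", 0), Handler)  # ephemeral port
        self.port = self.server.server_address[1]
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def close(self):
        self.server.shutdown()
        self.server.server_close()


def simulate_page_request(port, origin, exe, token=None):
    """Send what a browser sends when a page at `origin` fetches the local
    API. Returns the HTTP status code; the side effect happens server-side."""
    req = request.Request("http://127.0.0.1:%d/launch?exe=%s" % (port, quote(exe)))
    req.add_header("Origin", origin)
    if token:
        req.add_header("X-Local-Token", token)
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


def demo(hardened):
    """Run a hostile page against one configuration.
    Returns (status_code, list of names the service would have launched)."""
    api = LocalApi(hardened)
    try:
        status = simulate_page_request(api.port, "https://attacker.example", "uninstall.exe")
        return status, list(api.launched)
    finally:
        api.close()


if __name__ == "__main__":
    print("weak:    ", demo(False))  # (200, ['uninstall.exe'])
    print("hardened:", demo(True))   # (403, [])
```

One caveat worth keeping in mind: CORS only governs whether the page may read the response. The browser still delivers the request, so for an endpoint with a side effect (launch a program, export a password store) the service has to refuse before acting, as the hardened branch does, rather than rely on the page being unable to see the reply.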
 
That doesn't strike me as incompetent, it strikes me as malicious. Installing a local web server or using a year old browser with sandbox disabled is not the kind of thing you do accidentally. Stealing passwords and sending them to anyone that asks is not code that slips past QA, that is undeniably deliberate and malicious intent.
 
I don't get this behavior at all - what reason would Trend Micro have for doing this?
 
The scary thing about this is that it's becoming the norm to see press releases like this. I think a lot of security vendors would just get complacent in the routine of getting the latest virus signatures and throwing them into the database. Hopefully the work being done forces people to invest more in auditing their code.
 
At some point in the process I'm sure there was a high-ranking manager that used his authority to push it through and said "I don't care if this is the worst possible way to get this to work, it sounds fancy and it might make us some extra sales. Plus the consumer will never find out how bad it really is." Otherwise their incompetence is truly horrifying. It's getting harder and harder to trust companies these days.
 
I don't get this behavior at all - what reason would Trend Micro have for doing this?
It was an easy way to develop the backend, and it let their developers play with the "new hotness." I actually do believe incompetence - I'll reserve my "bad actors" opinion for Juniper.
 