Intuit secretly collects information from QuickBooks 2000 users
------------------------------------------------------------------------


SUMMARY

 <http://www.intuit.com/> Intuit collects a wide variety of information 
about users of its new QuickBooks 2000 and QuickBooks Pro 2000 software. 
The information ranges from system configuration settings to usage 
behaviour, and the user is never made aware of this information leakage.

DETAILS

Intuit uses Marimba Castanet, an automated software update technology, to 
update the QuickBooks 2000 software on customers' computers.  The client 
does not allow the user to restrict what information will be sent back 
when the Intuit server requests it, so Intuit is able to collect private 
user information without the user's knowledge.  Intuit has also 
implemented this software in an insecure manner that allows malicious 
users to hijack it and either obtain information about the user or 
install their own files or programs on the user's computer.

Intuit provides WWW integration by providing links to web sites.  When 
the user follows such a link, both the user's unique serial number and 
their registration number are sent to Intuit.  This allows the monitoring 
of software installation and of the user's usage patterns.

Description:
Using two different methods, QuickBooks reports user information back to 
Intuit.

Issue 1
QuickBooks has integrated the  <http://www.marimba.com/> Marimba Castanet 
product into their software.  Immediately upon first execution, QuickBooks 
displays the license agreement.  However, before QuickBooks completes its 
launch and presents the user with the interface, it connects to Intuit's 
Castanet server (qbmarimbaqw.quicken.com) on port 80.

Below is the first HTTP session packet.  It shows the initial connection 
to the Castanet server and the transmitting of information regarding the 
configuration of the host running QuickBooks (such as the operating 
system version).

The meaning of the other strings that are seen below, such as the 
reference to "properties.txt" and "any/any" are currently unknown. 

- -----------------------------------------------------------------
qb2000-pc.1046 -> qbmarimbaqw.quicken.com.http over TCP
        POST /UpdateDirChanQB HTTP/1.0.
        User-Agent: null.
        Connection: Keep-Alive.
        Content-length: 391.
        Pragma: no-cache.
        Content-type: application/marimba.
        Request-type: update/13.
        .

- -----------------------------------------------------------------
qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
        <No data>
- -----------------------------------------------------------------
qb2000-pc.1046 -> qbmarimbaqw.quicken.com.http over TCP
        ........%.......qbmarimbaqw.quicken.com...P.....(..
        update.sdk....1..L_L....US..L_C....en..
        Windows 
NT..x86..4.0..en_US....UpdateDirChanQB........DATA=AUC01QFN00000
21911004000011501002                                0000000000
             
0000000005200000057010300000000000000000                    
05701n
ewfeatures         00000000                    0000................
- -----------------------------------------------------------------
- -----------------------------------------------------------------
qb2000-pc.1047 -> qbmarimbaqw.quicken.com.http over TCP
        <No data>
- -----------------------------------------------------------------
qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
        HTTP/1.0 200 Reply follows.
        Server: Marimba-Transmitter/4.0.3.
        Content-type: application/marimba.
        Expires: 0.
        Pragma: no-cache.
        Connection: Keep-Alive.
        Content-length: 140.
        .
        
........%...B....B..A....A..segment....any/any....T..........UpdateDirC
[email protected]+.X.<.....7......p..
- -----------------------------------------------------------------

Next, QuickBooks connects again to the Castanet server and initiates a 
request for updated information.  The following capture gives an 
indication of the control that the server holds over the client.  It 
includes the receipt of various configuration instructions. 

- -----------------------------------------------------------------
qb2000-pc.1047 -> qbmarimbaqw.quicken.com.http over TCP
        POST /UpdateDirChanQB HTTP/1.0.
        User-Agent: null.
        Connection: Keep-Alive.
        Content-length: 113.
        Pragma: no-cache.
        Content-type: application/marimba.
        Request-type: getfiles/3.
        .

- -----------------------------------------------------------------
qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
        HTTP/1.0 200 Reply follows.
        Server: Marimba-Transmitter/4.0.3.
        Content-type: application/marimba.
        Expires: 0.
        Pragma: no-cache.
        .
        ..........      
[email protected]
00QFN0000030111004010011501002                                0000000000
                        0000000005200000139010301000000000000000
    11801newfeatures         n .edition                 
000000213dff621c4a11b6c0
2b10fe8c8394cd92..0000000000000000000000002000_01_14_17_21_25.
        ....X+.X.<.....7..........pcapabilities=none
        desktop.shortcut=false
        extension=channel
        install.inactive=ignore
        locale=any
        macresourceforks=false
        mimetype=application/x-castanet-channel
        name=UpdateDirChanQB
        platform=any
        publish.time=944543763933
        title=UpdateDirChanQB
        type=Data
        update.action=ignore
        update.active=never
        update.inactive=weekly
        update.schedule=every 1 weeks on sun update at 04:00AM

- -----------------------------------------------------------------

There are further exchanges between QuickBooks 2000 and the Castanet 
server.  During these exchanges, files are sent and installed without 
user approval.  In fact, the user isn't even aware that this entire 
exchange is taking place.
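As an added example (not part of the advisory or of Intuit's or Marimba's software), the following Python flags a Castanet update call like the one captured above and parses the key=value channel block the server pushes; the sample request and property block are constructed from the captures quoted in the text.

```python
"""Flag Castanet update calls and read the channel settings the server pushes.

Added example, not from the advisory.  SAMPLE_REQUEST and SAMPLE_PROPERTIES
are constructed from the captures quoted in the text.
"""

# Constructed sample: the client's first request, sent in clear to port 80.
SAMPLE_REQUEST = """POST /UpdateDirChanQB HTTP/1.0
User-Agent: null
Connection: Keep-Alive
Content-length: 391
Pragma: no-cache
Content-type: application/marimba
Request-type: update/13
"""

# Constructed sample: the key=value block from the server's getfiles reply.
SAMPLE_PROPERTIES = """capabilities=none
install.inactive=ignore
name=UpdateDirChanQB
update.action=ignore
update.active=never
update.inactive=weekly
update.schedule=every 1 weeks on sun update at 04:00AM
"""


def parse_headers(raw):
    """Return (request line, header dict with lowercase keys)."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def classify(raw, dst_port):
    """Describe a Castanet call (type and transport), or None for other traffic."""
    _, h = parse_headers(raw)
    rtype = h.get("request-type", "")
    if h.get("content-type") != "application/marimba" or "/" not in rtype:
        return None
    transport = "plaintext HTTP" if dst_port == 80 else "port %d" % dst_port
    return "Castanet %s over %s" % (rtype, transport)


def parse_properties(raw):
    """Parse the channel's key=value lines into a dict."""
    props = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props
```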

The full version of Castanet is able to retrieve information such as, but 
not limited to, IP addresses, user names and host names.  The exact 
information that is obtained depends on what Marimba's customer configures 
the server to request.  Marimba explicitly stated that there is no way for 
the user to prevent certain types of information from being sent if the 
server requests it.  Also, an additional module exists that allows the 
remote server to request that the client perform a full disk scan of the 
computer running the client software and send back its output.  

If someone is able to hijack a session, they could install programs that 
create back doors to allow an intruder to take full control of the 
computer.

These sessions raise a list of issues:

1) Intuit knows the identity of the user connecting.  They can 
theoretically target specific files to specific users, such as a program 
to monitor the user's computer or network, even behind a firewall.
2) Since the sessions are not secured, the session can be hijacked and a 
malicious user can insert their own information into an existing session, 
allowing them to insert files and/or backdoors onto the user's system.  
Intuit has chosen not to encrypt the sessions, thereby creating this risk.
3) The user has no control over what information is retrieved from their 
system.  They must simply hope that Intuit won't do something to violate 
their privacy, and that no malicious users will hijack a legitimate 
session. 
4) Users are unaware of what information is being collected and for what 
purpose it is being used.


Issue 2
QuickBooks 2000 is integrated with Microsoft Internet Explorer 5.  Many of 
the windows in QuickBooks are HTML generated on the fly.  With this 
seamless web integration, Intuit has created certain text items within 
the GUI that are in fact links to web sites, rather than buttons that 
perform local program functions.  These links are not labeled as such and 
appear no different from HTML links that open other local windows.  This 
in itself is not such a security problem.

The issue lies in the method with which Intuit directs the user to a web 
site.  The following is the URL that is accessed when the user clicks on 
the text of a reminder that the program refers to as an "alert".  The 
below example is linked to by a warning with regard to a periodic tax 
payment due to the government:

http://redirect.quickbooks.com/redirect/reg=****-****-****/serial=####-###-####-####/?http://www.ccra-adrc.gc.ca/menu-e.html

The '*' characters stand in for the registration number provided by 
Intuit.  If you have not registered, the value in the URL is 
"Unregistered".  This is a unique number identifying a particular 
customer of Intuit.

The '#' characters stand in for the serial number found on the back of 
the manual.  This is a unique number identifying a specific copy of the 
software.

When you register your purchased copy of QuickBooks with Intuit after 
supplying them with your detailed information, you receive a registration 
number in return.  Even if you buy the software, you can only run it a 
certain number of times without entering a registration number.  
Therefore, unless you provide them with false information when 
registering, Intuit knows exactly what actions their users are performing 
that take them to Internet sites.
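The following Python is an added example (not from the advisory) showing how a defender can spot these identifiers in outbound proxy logs and strip them before the redirect is forwarded; the URL layout follows the one quoted above, and the reg/serial values and log lines are constructed placeholders.

```python
"""Find and strip the reg/serial identifiers in QuickBooks 2000 redirect URLs.

Added example, not from the advisory.  The URL layout follows the one quoted
in the text; the reg and serial values and the log lines are constructed.
"""
import re

# http://redirect.quickbooks.com/redirect/reg=<reg>/serial=<serial>/?<target>
REDIRECT_RE = re.compile(
    r"^http://redirect\.quickbooks\.com/redirect/"
    r"reg=(?P<reg>[^/]+)/serial=(?P<serial>[^/]+)/\?(?P<target>\S+)$"
)

# Constructed proxy log lines: client address, then the requested URL.
SAMPLE_LOG = [
    "10.0.0.7 http://redirect.quickbooks.com/redirect/reg=1234-5678-9012/"
    "serial=1234-567-8901-2345/?http://www.ccra-adrc.gc.ca/menu-e.html",
    "10.0.0.7 http://www.intuit.com/",
    "10.0.0.9 http://redirect.quickbooks.com/redirect/reg=Unregistered/"
    "serial=9999-999-9999-9999/?http://www.example.test/help.html",
]


def inspect_redirect(url):
    """Return the leaked fields and real destination, or None if not a redirect."""
    m = REDIRECT_RE.match(url)
    if not m:
        return None
    return {
        "registered": m.group("reg") != "Unregistered",
        "reg": m.group("reg"),
        "serial": m.group("serial"),
        "target": m.group("target"),
    }


def strip_identifiers(url):
    """Destination URL without reg/serial, e.g. for a rewriting proxy."""
    info = inspect_redirect(url)
    return info["target"] if info else url


def scan_log(lines):
    """Map each serial number seen in the log to the sites it was tied to."""
    seen = {}
    for line in lines:
        url = line.split(" ", 1)[1]
        info = inspect_redirect(url)
        if info:
            seen.setdefault(info["serial"], []).append(info["target"])
    return seen
```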


Vendor Response:
Once contact was established, the company seemed quite receptive to the 
above concerns.

Since Intuit was first contacted on March 14, 2000, it has implemented the 
following changes to QuickBooks 2000 US R5 and Canadian R6:

1) Users installing the R5 and R6 updates are presented with an html 
window the next time they run the application explaining the use of the 
Automatic Update feature, including information on how to disable it. 

2) Added a top-level item on the help menu, "About Automatic Update," 
which displays a secondary page used for the previously described html 
window, and also provides detail about the Automatic Update feature.  
This is more complete than in the previous help index.

3) All, rather than most, html links to Internet sites are now marked 
with a lightning bolt.  However, users are not told clearly what this 
means unless they click on the relevant help link. 

4) Instead of sending serial numbers in readable text to their redirect 
server, they now perform a two-way hash of the information using a 
proprietary algorithm.  This is basic obfuscation.  This is not optimum, 
but Intuit acted to protect against transient sniffing and will use an 
MD5 one-way hash in the next version of QuickBooks.

5) When running the installer for the update, a connection to Intuit's 
Castanet server is made if that option was enabled in QuickBooks 2000.  
This appears to be an unintentional side effect of installing the 
Automatic Update software itself.  As the software installs itself into 
Windows, it starts itself up the default way, i.e., to check for 
available updates.  However, after installing itself, the software quits, 
which will terminate any connection it may have initiated.  Intuit 
believes it unlikely that, even on a slow computer, any such connection 
would remain open long enough for any content to actually be downloaded 
to the computer.

6) Intuit is planning to switch to the industry standard, highest 
security level SSL for all Castanet updates beginning with the next 
version of QuickBooks.  The Castanet SDK software embedded in QuickBooks 
2000 currently supports SSL enablement and provides other security 
features.  However, Intuit believes that updating QuickBooks 2000 to 
enable SSL would risk key functionality in the product and risks 
adversely affecting existing users.

Quick Solution/Workaround:
Turn off the Automatic Update feature.  Information about how to do this 
is found in the help menu of QuickBooks 2000.

Alternatively, use Intuit's QuickBooks 2000/QuickBooks Pro 2000 on a 
computer that is a dedicated, standalone computer with no modem or 
network interface.  The computer should not have Internet connectivity 
capability at any time.

Solution:
Customers should contact Intuit through their web site at 
<http://www.intuit.com/corporate/quickbooks2000privacy/> 
and request that this issue be resolved immediately.

The customer service or pay-per-use support representative you speak 
with may try to tell you that no method other than the Castanet automated 
updates is available for software updates, or that they are not sure. 
However, an additional phone call to their customer service department 
will reveal to you that the updates are available via FTP on the 
Internet and that they do indeed mail software updates via diskette to 
customers if requested.

The quick solution of using QuickBooks on a dedicated computer with no 
Internet capability is also sufficient for the long-term.  Intuit will 
also be introducing additional security and privacy enhancements in the 
next version of the software.

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
