[alexander-marktl]

Hi,

We found something very strange, somehow our Eclipse Packages we host on an internal SDC Server are listed on several software download sites on the internet.

Example: http://wamas-c-ide-neon.software.informer.com/

If you follow the download links on this page you end up on the official genuitec web page.

It would be really interessting how this could happen. Could it be that other information is leaked as well?

IMHO this is a security relevant issue.

BR,
Alex

[timwebb]

On first glance, this does not appear to be related to SDC directly. SDC has absolutely no communication path whereby it would share any information outside of the network. In fact, we go to great lengths to ensure that all communication can’t go that way, including ensuring our server and clients can run fully isolated. The only time any component of SDC talks to the internet is when you choose to import an update site from the public internet — but in that case, it is fully related to downloading software from the update site — no sharing of information.

Taking a look at:
http://software-informer.en.softonic.com

To me, it looks like this software is something one of your users chose to install on their system. The software is designed (it appears) to scan the system and upload information about what is installed. Given we don’t have control over other software on the system choosing to scan the HD, I’m not quite sure what we could do to protect against it. Do you have any thoughts on your side?

[alexander-marktl]

Thank you timwebb for your answer.

Good to hear that SDC itself is not communicating with the outside network. I will ask our Developers if they installed something from Software Informers. Thanks for pointing out the link.

I have no idea if it is possible to prevent such a situation from SDC side, i think this is something that needs to be ensured by the System / Network Administrators.

BR

[Author]

Posts