Security Issue? Names of our internal Eclipse packages "escaped" to the internet

This topic contains 2 replies, has 2 voices, and was last updated by  alexander-marktl 4 years, 2 months ago.

  • #497624 Reply

    alexander-marktl
    Participant

    Hi,

    We found something very strange: somehow our Eclipse packages we host on an internal SDC server are listed on several software download sites on the internet.

    Example: http://wamas-c-ide-neon.software.informer.com/

    If you follow the download links on this page you end up on the official genuitec web page.

    It would be really interesting how this could happen. Could it be that other information is leaked as well?

    IMHO this is a security relevant issue.

    BR,
    Alex

    #497642 Reply

    timwebb
    Keymaster

    On first glance, this does not appear to be related to SDC directly. SDC has absolutely no communication path whereby it would share any information outside of the network. In fact, we go to great lengths to ensure that all communication can’t go that way, including ensuring our server and clients can run fully isolated. The only time any component of SDC talks to the internet is when you choose to import an update site from the public internet — but in that case, it is fully related to downloading software from the update site — no sharing of information.

    Taking a look at:
    http://software-informer.en.softonic.com

    To me, it looks like this software is something one of your users chose to install on their system. The software is designed (it appears) to scan the system and upload information about what is installed. Given we don’t have control over other software on the system choosing to scan the HD, I’m not quite sure what we could do to protect against it. Do you have any thoughts on your side?

    #497832 Reply

    alexander-marktl
    Participant

    Thank you timwebb for your answer.

    Good to hear that SDC itself is not communicating with the outside network. I will ask our Developers if they installed something from Software Informers. Thanks for pointing out the link.

    I have no idea if it is possible to prevent such a situation from SDC side; I think this is something that needs to be ensured by the System / Network Administrators.

    BR
