Monday, May 18, 2009

Desktopsmiley: Annoying and insecure

Adware giant desktopsmiley.com annoys me in ways I can't repeat here (to protect the innocent and moral among you), so I'll keep this simple.

Some facts:
1) desktopsmiley.com is ranked 287 in the world according to Alexa.
This is simply stupefying to me, and testament to the fact that there are way too many oblivious people installing this crapware.
2) The geniuses at Desktopsmiley.com have wrestled long and hard with the antiviruse vendors such that their latest installer doesn't trip a single signature per Virustotal. Further ground for to be much annoyed...and perhaps impressed at their obvious negotiation skills.
3) Desktopsmiley.com has a privacy policy. Rejoice! Now we can all install it and know our data and our privacy is protected. Or not. Just read this dreck and you'll shudder at the clearly defined consequences of installing this "not spyware".

I am therefore inclined to point out that this spectacular product offering cares little for your privacy or your security.

Case in point 2x:
That privacy page? Not so private. It's vulnerable to XSS, and I'm sure this isn't the only example.
Explore for yourself: http://tinyurl.com/qv9zkw

Screen shot, if you prefer.



The next one is particularly fun as it is clearly indicative of bad Flash coding practices. The clickTag variable is wide open on smiley.swf.
Follow this URL, then click the super happy swf! Hurray!

http://download2.desktopsmiley.com/landing/images/tm106/smiley.swf?clickTag=http://cwe.mitre.org/data/definitions/601.html

Can you say arbitrary redirect? I knew you could, boys and girls.

I hereby declare the creation of a new Holisticinfosec award for just such occasions, the ID Ten C Award.
Don't get it? Spell it out and say it with me: ID 10 C...you should be able to handle it from there.
Desktopsmiley.com, consider yourselves awarded, for being both annoying and insecure.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

2 comments:

Anonymous said...

Do you mean ID Ten T?

Russ McRee said...

Close, I mean to imply idiocy rather than a singular idiot.

Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...