Bad dog! PrivDog chews HTTPS, hurls clear text

Sysadmin Hanno Böck has scratched a few more holes in the PrivDog privacy tool, reporting it tracks and sends in clear text a users' visited web URLs to creator AdTrustMedia.

The company says the data is anonymous and is used to help prevent attacks such as click fraud, to identify automated bots, and other unspecified threats, adding it will change the transmission from clear text to HTTPS.

PrivDog was this week revealed to have installed a man-in-the-middle proxy and a root certificate prompting a slap-down from the US Computer Emergency Response Team to the following effect:

"Adtrustmedia PrivDog is a Windows application that advertises "... safer, faster and more private web browsing." Privdog installs a Man-in-the-Middle (MITM) proxy as well as a new trusted root CA certificate. The MITM capabilities are provided by NetFilterSDK.com.

Although the root CA certificate is generated at install time, resulting in a different certificate for each installation, Privdog does not use the SSL certificate validation capabilities that the NetFilter SDK provides. This means that web browsers will not display any warnings when a spoofed or MITM-proxied HTTPS website is visited. We have confirmed that PrivDog version 3.0.96.0 is affected

Adtrustmedia PrivDog is promoted by the Comodo Group, which is an organization that offers SSL certificates and authentication solutions."

The CERT goes on to say that attackers can "spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems."

Böck, who revealed the PrivDog tampering this week, now says the transmission was bad for privacy – the very element the tool is deigned to protect – and adds it could be a risk if sensitive URLs such as those pointing to back-end systems are shipped off.

“PrivDog will send webpage URLs you surf to a server owned by AdTrustMedia [in] unencrypted in cleartext HTTP,” Böck says.

“This is true for both the version that is shipped with some Comodo products and the standalone version from the PrivDog webpage.

“The URLs I surf to are all sent to a server owned by AdTrustMedia [including] HTTPS-protected URLs, some of them from the internal backend of my blog.”

Adtrustmedia issued a fix to correct what it calls a "minor defect".

The mess means web browsers are fooled into thinking they are talking to legit websites, such as online banks and secure webmail, when in fact they are being tampered with by PrivDog so it can inject adverts.

If that's not bad enough, PrivDog turns invalid HTTPS certificates on the web into valid ones: an attacker on your network can point your computer at an evil password-stealing website dressed up as your online bank, and you'd be none the wiser thanks to PrivDog.

Böck says HTTPS links could, thanks to PrivDog, expose session IDs or tokens that would otherwise be obfuscated. “With PrivDog installed the HTTPS URL was no longer protected, because it was sent in cleartext through the net”, he wrote.

PrivDog told Böck its wares did not create user profiles based on the user URLs it receives adding the anonymous data was also used to help improve the software. ®