“The Secunia PSI software is a free security tool designed to detect vulnerable and out-dated programs.” Although this application is very useful to secure a computer by keeping it up to date, unfortunately it will put the user’s or company’s privacy in danger. Based on the latest post in the following URL, user’s information “is never passed on with personally identifiable information (such as the usernames in path names)”:
I want to prove that the Secunia PSI actually passes the following information, which can be treated as confidential data for a company or raise privacy issues for a real person:
1- Domain Name or Workgroup Name (“langgourp”)
2- Computer Name (“hostname”)
3- Username (as there are special files in the “Application Data” directory, such as the Mozilla Firefox “extensions” folder, which are listed by Secunia PSI)
4- List of hard-disk directories containing files with extensions such as “exe”, “dll”, “ocx”, and so on. Some of these directory names can reveal important information such as personal names, project names, company names, and so on.
My proof is very simple and you can do it yourself. As Secunia PSI is built on a web application, all of its messages to its server can be monitored with the Fiddler HTTP Debugging Proxy, which is absolutely free: http://www.fiddler2.com/Fiddler2/version.asp
Now follow these steps:
- Scan the computer once using Secunia PSI (if it is the first time)
- Close the Secunia PSI application completely from Task Manager
- Open Fiddler, go to “Tools” > “Fiddler Options” > “HTTPS”, select the “Decrypt HTTPS traffic” option and click “OK”
- Now open the Secunia PSI application again
- Monitor its behavior in Fiddler. If nothing appears in Fiddler, click the “Start Scan” button of Secunia PSI to scan your computer.
- Now look at the responses from the Secunia server. As you can see, the responses contain information about your computer, which means the Secunia server has stored it in its database.
For example, look at the following images (if you cannot see the images, your ISP has been blocked by GoDaddy):
Now, my recommendation for Secunia is to use a local database on each computer to keep the location of files and folders private. The only things that should be passed to the server are the user ID, the signature (hash) of the application, and a file or application ID that can be linked to the local database in order to find the exact place of those files and/or folders on the local computer. Moreover, I cannot understand why it needs to send the Domain/Workgroup Name and the Computer Name to its server (maybe it is used for copyright!).
My suggestion to the users: currently (1st Dec. 2010), using Secunia PSI is a nightmare for people who want to be anonymous and for companies that want to keep all of their information private, and this application should be removed. Ask Secunia to fix this issue.
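As an added illustration of the recommended design (example code written for this post, not Secunia's own client or protocol), the following Python sketch keeps the path-to-file mapping in a local SQLite database and sends the server only a user ID, an opaque file ID and a content hash. The host names, user name and paths are constructed sample values, and `find_leaks` is an assumed helper that scans an outbound payload for the identifiers listed above, so the same check can be applied to a request body captured in Fiddler. A naive payload that ships host details and full paths is included beside it so the check has something to catch.

```python
import hashlib
import json
import sqlite3
import uuid

# Constructed sample data standing in for a real scan; nothing here was read
# from a live machine.
SAMPLE_HOST = {"computer_name": "WS-ACCOUNTING-07",
               "domain": "CORPDOMAIN",
               "username": "jsmith"}
SAMPLE_FILES = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe": b"stand-in for firefox.exe",
    r"C:\Documents and Settings\jsmith\Application Data\Mozilla\Firefox"
    r"\Profiles\x1y2.default\extensions\helper.dll": b"stand-in for an extension dll",
    r"C:\Projects\ProjectApollo\build\apollo.ocx": b"stand-in for apollo.ocx",
}


def open_local_db():
    """In-memory SQLite stand-in for the per-machine database (a real client would use a file)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (file_id TEXT PRIMARY KEY, "
                 "path TEXT NOT NULL, sha256 TEXT NOT NULL)")
    return conn


def build_local_inventory(conn, files):
    """Record every scanned path locally under a random, opaque file_id."""
    for path, content in files.items():
        file_id = uuid.uuid4().hex              # random, so it reveals nothing about the path
        digest = hashlib.sha256(content).hexdigest()
        conn.execute("INSERT INTO files VALUES (?, ?, ?)", (file_id, path, digest))
    conn.commit()


def build_server_payload(conn, user_id):
    """Privacy-preserving payload: only the user ID, opaque file IDs and hashes leave the machine."""
    rows = conn.execute("SELECT file_id, sha256 FROM files ORDER BY file_id").fetchall()
    return {"user_id": user_id,
            "files": [{"file_id": fid, "sha256": digest} for fid, digest in rows]}


def build_naive_payload(user_id, host, files):
    """The leaky design this post argues against: host details and full paths are sent."""
    return {"user_id": user_id, **host, "paths": list(files)}


def resolve_path(conn, file_id):
    """Map a file_id the server reports as vulnerable back to the local path."""
    row = conn.execute("SELECT path FROM files WHERE file_id = ?", (file_id,)).fetchone()
    return row[0] if row else None


def find_leaks(payload, host, files):
    """Return identifying strings (host details, directory names) present in the serialized payload."""
    secrets = {host["computer_name"], host["domain"], host["username"]}
    for path in files:
        # every directory component except the drive letter may carry a name worth protecting
        secrets.update(c for c in path.split("\\")[:-1] if ":" not in c)
    body = json.dumps(payload).lower()
    return sorted(s for s in secrets if s.lower() in body)


if __name__ == "__main__":
    db = open_local_db()
    build_local_inventory(db, SAMPLE_FILES)
    safe = build_server_payload(db, "user-123")
    naive = build_naive_payload("user-123", SAMPLE_HOST, SAMPLE_FILES)
    print("leaks in minimal payload:", find_leaks(safe, SAMPLE_HOST, SAMPLE_FILES))
    print("leaks in naive payload:  ", find_leaks(naive, SAMPLE_HOST, SAMPLE_FILES))
    print("server-side file_id resolves locally to:",
          resolve_path(db, safe["files"][0]["file_id"]))
```

The server can still match a hash against its vulnerability database and answer with the file IDs that need patching; only the client, holding the local table, can turn those IDs back into paths, so neither user names nor project directory names ever travel over the wire.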
Hope to see a better Secunia PSI soon.