
A Comscore Company Distributes a MITM Proxy Spyware Compromising Users Security - AiroSecurity
https://www.airoav.com/mitm-voicefive/
======
mwthrow1111
(Throwaway account)

I am currently tasked by an Adtech company with writing something similar,
HTTP(S) MITM and content injection/replacement, remote C&C server
communication, etc.

I feel pretty bad about it and told them straight ahead that what they do is
illegal. They know and there is no single written proof outlining requirements
etc. Just took it b/c I need the money.

~~~
deogeo
> illegal

I thought these companies/programs include disclaimers buried in the ToS,
which makes this not illegal?

At least in the case of this Comscore company, I'm assuming that disclaimer is
the only reason they're not in jail for CFAA violations.

~~~
userbinator
This, precisely this.

I suspect companies like this also have lawyers they can rely on, or they
would be sued out of existence almost immediately. Just look at what Microsoft
does with its "telemetry"... I'm sure many would want that to be illegal, but
there is definitely somewhere in the EULA that such behaviour is specified and
you agreed to it.

------
userbinator
The main problem with software like this is not the MITM, but what it does
with the data. All AVs and similar systems need to do it, and AFAIK even
Windows Defender's "real-time protection" does it. I also have a MITM proxy
that _removes_ ads and other stuff I don't want. The difference is that this
one is specifically for spying, while the "benevolent MITMs" don't.

~~~
tialaramex
At best this is "another" problem, rather than the main problem. And no,
Windows Defender "real time protection" is not actually a MITM.

For security you rely on your TLS implementation actually being competently
implemented and enforcing all the policy requirements you may have. The MITM
proxy hides that, now you're reliant on _their_ implementation, and they get
to do whatever enforcement they feel like.

Unless you deliberately run archaic web browser versions there's a good chance
your browser does TLS 1.3 with PFS and fast high quality crypto, whereas the
MITM proxy lazily downgrades to TLS 1.2 (or earlier) with whatever the
programming team could be bothered to get working in, say, 2016 when they last
put effort into this. It still works, and they don't actually care about your
security, so it's fine, right?

That browser (and possibly your entire OS if you aren't running some DIY Linux
setup) manages a CA root trust programme, but if there's a MITM it might...
not bother (everything is considered "trusted" hooray) or it might punt and
rely on some other trust store, did it tell you which one, who manages it and
how often they update?

TLS can also be mutually authenticated, a MITM proxy breaks that because it
will need to not only MITM one side, it will need to MITM both sides, and if
that's allowed you don't have any meaningful security between the endpoints.

I watched both IETF 105 TLS meetings last week, there are key browser and/or
operating system people there actively participating. When you hear people say
"ecker" that's Eric Rescorla of Mozilla, and when they say "A G L" that's Adam
Langley of Google. You may briefly see Nancy - Nancy Cam-Winget of Cisco but
that's the extent of the representation the MITM proxy vendors have, and MITM
proxies are only one of many pies Cisco has fingers in.

It may be that the convenience of blocking advertisements is worth the extra
security risk, but that would be the correct way to understand this - it's not
just a matter of "I consent so this is fine".
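
As an added illustration of the three points above (protocol downgrade, loss of forward secrecy, and a trust anchor the browser never chose), and not code from the article, the thread, or any product named in it, here is a small Python check that scores an observed TLS session; the issuer allow-list and the two sample sessions are constructed, and only `probe()` touches the network.

```python
import socket
import ssl
from typing import Dict, List, Set

# Constructed allow-list of issuer names a site is expected to present. Real
# deployments would derive this from observation or the browser's root store.
EXPECTED_ISSUERS: Set[str] = {"Example Public CA Intermediate (constructed)"}


def assess_tls_session(version: str, cipher: str, leaf_issuer: str,
                       expected_issuers: Set[str] = EXPECTED_ISSUERS) -> List[str]:
    """Return findings for one observed session; an empty list means nothing stood out."""
    findings: List[str] = []
    if version != "TLSv1.3":
        findings.append(f"protocol downgraded: {version}")
    # TLS 1.3 suites always use an ephemeral key exchange; in TLS 1.2 only the
    # ECDHE/DHE suites give forward secrecy, and an OpenSSL-style suite name
    # starts with that key-exchange prefix.
    if version != "TLSv1.3" and not cipher.startswith(("ECDHE", "DHE")):
        findings.append(f"no forward secrecy: {cipher}")
    # An interception proxy re-signs the leaf with its own locally installed
    # root, so the issuer name changes from the site's public CA to that root.
    if leaf_issuer not in expected_issuers:
        findings.append(f"unexpected issuer: {leaf_issuer}")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Live observation of (version, cipher, leaf issuer CN) for assess_tls_session."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(pair for rdn in tls.getpeercert()["issuer"] for pair in rdn)
            return tls.version(), tls.cipher()[0], issuer.get("commonName", "")


# Constructed sessions: one as a modern browser negotiates directly, one as
# seen through a lazily maintained interception proxy.
SAMPLE_SESSIONS: Dict[str, tuple] = {
    "direct": ("TLSv1.3", "TLS_AES_256_GCM_SHA384",
               "Example Public CA Intermediate (constructed)"),
    "proxied": ("TLSv1.2", "AES128-SHA",
                "Local Interception Root (constructed)"),
}


def demo() -> Dict[str, List[str]]:
    return {name: assess_tls_session(*s) for name, s in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["no findings"])
```

Run against a real host with `assess_tls_session(*probe("example.org"), expected_issuers={...})` once you know which CA that site actually uses; a mismatch there is exactly the symptom the comment describes.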

------
walrus01
Remember how Apple used its remote software kill switch, a mostly hidden anti-malware
feature in macOS, to kill Zoom's huge gaping security hole just two
weeks ago?

Can we get somebody at Apple to do the same to this malware?

[https://news.ycombinator.com/item?id=20407233](https://news.ycombinator.com/item?id=20407233)

~~~
NelsonMinar
I'm wondering why they haven't long ago. Instead we're told "The application
has a valid and signed developer ID, by VoiceFive Networks."

------
walrus01
Whoever controls the BitTorrent corporation trademark at this point has a lot
to answer for.

~~~
joosters
It's another crime committed by a scummy (is there any other kind?) blockchain
company, naturally.

~~~
RL_Quine
Not sure why this was downvoted, this is quite literally the case.
"BitTorrent" as a company was sold to "Tron", a "blockchain" company making
the same nonsensical and impossible claims as the rest of them. This one in
particular was made famous by not even writing their 'white paper', but
copying the text from another.

[https://twitter.com/juanbenet/status/950142785373405184](https://twitter.com/juanbenet/status/950142785373405184)

~~~
codetrotter
Thanks for the clarification. Their comment read to me like they were calling
BitTorrent “a blockchain company”, but I guess they were referring to Tron?

It would be weird to characterize BitTorrent as “a blockchain company” just
because they’ve been sold to another company that is doing blockchain.

Edit: The original article and the comments above gave me the impression that
BitLord was a product by the BitTorrent company but it’s not. Removed sentence
asking about who made the decision to bundle malware and when.

~~~
RL_Quine
[https://blog.bittorrent.com/2018/07/23/its-official-bittorrent-is-now-part-of-tron/](https://blog.bittorrent.com/2018/07/23/its-official-bittorrent-is-now-part-of-tron/)

The announcement is dated 23rd July 2018.

[https://www.airoav.com/wp-content/uploads/2019/07/image14.png](https://www.airoav.com/wp-content/uploads/2019/07/image14.png)

The certificate for the malware is stamped 4th September 2018.

~~~
codetrotter
That doesn’t tell us when they first started bundling the malware though.

Either way, I just found out that BitLord is not made by the BitTorrent
company.

Same thing has happened before – companies bundling malware with their own
BitTorrent clients.

For example, in 2016: [https://www.pcworld.com/article/3114134/bittorrent-client-is-found-distributing-mac-based-malware.html](https://www.pcworld.com/article/3114134/bittorrent-client-is-found-distributing-mac-based-malware.html)

I think blockchain companies have little relevance here.

And I guess what the top-most commenter was calling for was that BitTorrent
the company should use trademark laws to disallow companies that bundle
malware with their software from using the BitTorrent brand?

~~~
rocqua
I remember having to format my PC after updating uTorrent and just spamming
next. I installed some opt-out adware that was a decent rootkit.

------
nickphx
Spammy post of questionable value from a company slinging 'anti malware
software' with a 'powerful AI', whatever that means, for osx. The Comscore
software discloses what it does and the user is given opportunity to decline
the installation.

~~~
Xylakant
> The Comscore software discloses what it does and the user is given
> opportunity to decline the installation.

So basically you’re saying that consent given from mostly nontechnical users
that have no idea what they’re consenting to makes it ok to install a mitm
proxy on their machine, especially one with extremely lacking security
properties? Consent makes it ok to expose them to such a risk?

~~~
close04
> Airo Security (AiroAV) has recently discovered that a Comscore product for
> macOS, called PremierOpinion

> PremierOpinion is a decade old [0] spyware developed by VoiceFive, a
> ComScore company (NASDAQ: SCOR)

The "news" does seem a bit overblown. It looks like it always had HTTP MITM
functionality, presumably now also for HTTPS.

[0] [https://www.intego.com/mac-security-blog/intego-security-alert-osxopinionspy-spyware-installed-by-freely-distributed-mac-applications/?sr=1&sr=1](https://www.intego.com/mac-security-blog/intego-security-alert-osxopinionspy-spyware-installed-by-freely-distributed-mac-applications/?sr=1&sr=1)

~~~
Xylakant
Maybe, but I’m not talking about the product promotion. It’s the “consent
makes everything ok” that’s the problem.

~~~
close04
Dark patterns to trick people into installing something should be prohibited
by law. Opt-out is a classic one. And this should apply to malware-like
software like this one as much as to respectable software like antivirus
solutions (I can mention BitDefender Free from personal experience), many of which
at install time make no mention of installing a certificate and breaking SSL,
let alone explaining what it means.

~~~
Xylakant
Absolutely, this is why I take issue with the original comment. Consent is
worthless in such a setting, and I consider saying “but they consented” as some
kind of excuse for installing spyware of this kind to be malicious.

