
Trend Micro says sorry after apps grabbed Mac browser history - dvdhnt
https://www.zdnet.com/article/trend-micro-says-sorry-after-apps-grabbed-mac-browser-history/
======
MiddleEndian
If I broke into your computer and stole your browser history I'd probably face
criminal charges under the Computer Fraud and Abuse Act. So why not Trend
Micro?

~~~
throwaway5752
I don't want to defend Trend Micro here, but since browser history is a
primary vector for malware they at least have a reasonable business purpose
related to the intended use of the apps. The contract and permission people
agreed to when they willingly installed it and accepted the EULA are probably
the distinction between them doing it and you breaking into a system and doing
it.

~~~
dvdhnt
> since browser history is a primary vector for malware

Can you expand on this from a technical perspective?

> distinction between them doing it and you breaking into a system and doing
> it.

I think a more accurate comparison would be you being given access to a system
to perform some work, but then accessing files and performing operations, such
as exfiltrating that data, outside the scope of your work.

~~~
throwaway5752
Come on, cut me a break even though I was not 100% precise with my language! I
mean browser exploits in general. Unpatched plugins, XSS, spoofing, etc. If
they didn't clean up after themselves you could try to correlate an attack
with something in the browsing history and try to evaluate it and add it to a
shared blacklist. I am not endorsing that, just speculating that could be the
well-meaning (if dumb) explanation for this.

~~~
dvdhnt
Sorry about that!

I didn't mean to scrutinize - I just know very little about browser exploits,
especially details, and thought there was some specific attack for browser
history.

Cheers.

~~~
throwaway5752
No problem at all! I was being a bit tongue in cheek with my response, too. I
wasn't really offended or anything.

------
blihp
So let's see... this was for the customers' benefit AND was allowed by the EULA
anyway AND was accidentally enabled on non-security products AND this feature
is so important that it is being disabled and the collected archives purged.

I'm skeptical that this is the whole story. And really, why should the benefit
of the doubt still be given to companies collecting this kind of data for
dubious (stated) reasons without an explicit opt-in?

------
fallenhitokiri
Does anyone know what the post-installation process for those applications
looked like (on first start)? Did a window pop up asking to accept the EULA
and were you able to decline or was the EULA hidden behind some menu entry and
using the application was considered accepting it?

I'm asking because I haven't installed an app myself yet through the Mac
AppStore which would explicitly ask me to accept any terms.

