Gnutella Forums  

  #1 (permalink)  
Old June 21st, 2005
ultracross
FrostWire Developer
 
Join Date: February 7th, 2005
Posts: 815
ultracross is flying high
action metadata problem/bug/vulnerability

Yeah, I'm not quite sure where to put this one, but some people have got the smart idea to set up a "sponsored" Gnutella bot on the network, and when you try to download this result, it opens up a browser or just uses the one currently up and redirects you to a webpage.

And while you can't download this file at all because LimeWire will just keep reading the action metadata and sending you to some page (auto-launching action), I moused over to see the metadata, and there was an action that had the directing URL in its place.

Some bug in LimeWire, or is this meant to happen? Because this is a definite vulnerability. 'Cause someone in the wrong mind can maliciously send someone to a page that will install a trojan by some vulnerabilities of the browser...

Definitely get this fixed ASAP. If someone already found out that they can exploit it for profit, then someone will eventually exploit it for malice.

BTW, the URL in its action was:

http://www.gnoozle.com/gofishXX

where XX is some ID number of top results listed.


I did a small bit of investigating, and it seems this is related to a LimeWire rip-off clone http://gnoozle.com/

And it also seems like this modified LimeWire client was modified so all these "sponsored" results would be at the fault of the user, giving out hundreds of sponsored ads without gnoozle having to spend bandwidth doing it.

Man, sometimes I think it's conspiracy.
  #2 (permalink)  
Old June 21st, 2005
I_Have_No_Account
Guest
 
Posts: n/a
Default

Gnoozle is not a rip-off of LimeWire. It's a project by one of the LimeWire developers. As you can easily see it's completely legitimate. It offers a free version (just like LimeWire) and the GPL'd source code.

I don't see a vulnerability either.
  #3 (permalink)  
Old June 21st, 2005
Software Developer
 
Join Date: November 4th, 2002
Location: New York
Posts: 1,366
sberlin is flying high
Default

It'll be fixed.
  #4 (permalink)  
Old June 22nd, 2005
Gnutella Muse
 
Join Date: February 17th, 2001
Posts: 207
gbildson is flying high
Default

Do you recall the search term that was typed in?
  #5 (permalink)  
Old June 22nd, 2005
Enthusiast
 
Join Date: July 2nd, 2002
Posts: 35
sdaswani is a great assister to others; your light through the dark tunnel
Default

Sam, when you say 'it will be fixed', what do you mean? I hope you are only going to give a warning to the user like you do for .exe files. I don't see LimeWire disabling downloading .exe files. So it doesn't make sense to disable the html launches either.

Susheel

And for those folks who don't understand open source, you really can't 'rip' open source code. The whole point of open source is to allow people to 'rip'. I don't see Linus Torvalds complaining about people 'ripping' Linux.
  #6 (permalink)  
Old June 22nd, 2005
Software Developer
 
Join Date: November 4th, 2002
Location: New York
Posts: 1,366
sberlin is flying high
Default

It'll be fixed in the sense that we won't allow LimeWire users to be overrun by search results that only contain launches to websites. Precisely how we'll go about doing this is left to be seen. I most certainly agree that launching webpages from Gnutella search results is a useful feature, but on a mass-scale it can become a very large problem.
  #7 (permalink)  
Old June 22nd, 2005
Gnutella Muse
 
Join Date: February 17th, 2001
Posts: 207
gbildson is flying high
Default

Susheel,

As I told John Borland, I hope you didn't open that feature up to every spammer in the world. Spammers could drive a truck through that capability and heavy use of it will only make it all too obvious. In the past, we have used it in extremely limited cases. You can't possibly expect it to survive as is with this concern in mind.

Thanks
-greg
  #8 (permalink)  
Old June 22nd, 2005
Enthusiast
 
Join Date: July 2nd, 2002
Posts: 35
sdaswani is a great assister to others; your light through the dark tunnel
Default

Sam & Greg,
I don't think I've opened up any feature to spammers, etc. LimeWire is open source so any so-called vulnerabilities are open to the world. The limewire.org website talks about open protocols and open networks - let's not backtrack on that ideal. Also, security by obfuscation (i.e., let's hope people don't figure stuff out) is never good policy.

I absolutely agree that gnutella spam should be detected and discarded like any other spam. I don't agree that LimeWire should make the decision about what is offered to users though - doesn't that get away from the ideals of decentralization and openness? As I've made clear, we don't spam - we offer relevant, targeted ads similar to Google AdWords.

Greg, gnutella is already open to spammers, as you know. If you want to get rid of spammers, close the source.

Adding a warning to a user prior to launching the html page is the correct course of action. Also, don't other open source projects, such as LionShare, depend on this feature?

Thanks!
Susheel
  #9 (permalink)  
Old June 22nd, 2005
zab
Connoisseur
 
Join Date: May 16th, 2004
Location: Big Apple
Posts: 266
zab is a great assister to others; your light through the dark tunnel
Default

There is one slight difference between your results and google ad-words: your results look 100% like any other search result. Last time I checked, google ad words appear on a special place to the right of the screen.
  #10 (permalink)  
Old June 22nd, 2005
Software Developer
 
Join Date: November 4th, 2002
Location: New York
Posts: 1,366
sberlin is flying high
Default

You're correct on every point, for the most part. Security by obfuscation is bad, open protocols are good, and warnings are good.

Spam shouldn't be fixed by closing the source, though. I'd like to see you argue that to Thunderbird for their spam filter, or any open source enterprise level spam filtering software.

As far as LimeWire deciding what ads to show to their users, well, we'll see what's required.
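
Added example, not part of the thread and not LimeWire or Gnoozle code: a sketch of the two mitigations discussed above, a warning before any action URL is opened and a cap on (plus a visible tag for) launch-only results. The Result class, its action_url field, the 20% cap and the ads.example URLs are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_LAUNCH_PERCENT = 20   # assumed cap on launch results per displayed list

@dataclass
class Result:
    name: str
    action_url: str = ""   # hypothetical field for the "action" metadata value

def launch_decision(result, confirm):
    """Decide what a click does: 'download', 'open', 'declined' or 'blocked'.

    confirm(host) stands in for the UI warning; nothing opens without it.
    """
    if not result.action_url:
        return "download"
    try:
        parts = urlsplit(result.action_url.strip())
    except ValueError:          # malformed URL, e.g. a broken IPv6 literal
        return "blocked"
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return "blocked"        # file:, javascript:, missing host, ...
    return "open" if confirm(parts.hostname) else "declined"

def filter_results(results, percent=MAX_LAUNCH_PERCENT):
    """Return (result, sponsored) pairs with launch results capped and tagged."""
    normal = [r for r in results if not r.action_url]
    launch = [r for r in results if r.action_url]
    allowed = len(normal) * percent // (100 - percent)   # integer share cap
    return [(r, False) for r in normal] + [(r, True) for r in launch[:allowed]]

def demo():
    # Constructed sample: 8 ordinary hits and 5 launch-only hits.
    hits = [Result(f"track{i}.mp3") for i in range(8)]
    hits += [Result(f"track{i}.mp3", f"http://ads.example/landing{i}")
             for i in range(5)]
    shown = filter_results(hits)
    asked = []
    outcome = launch_decision(hits[8], lambda host: asked.append(host) or True)
    return len(shown), sum(s for _, s in shown), outcome, asked

if __name__ == "__main__":
    print(demo())
```

With no ordinary results at all the cap works out to zero, so a list made up only of launches shows nothing.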
 

