Gnutella Forums  

Go Back   Gnutella Forums > Current Gnutella Client Forums > LimeWire+WireShare (Cross-platform) > LimeWire Beta Archives
Register FAQ The Twelve Commandments Members List Calendar Arcade Find the Best VPN Today's Posts


 
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old June 21st, 2005
ultracross's Avatar
FrostWire Developer
 
Join Date: February 7th, 2005
Posts: 815
ultracross is flying high
Default action metadata problem/bug/vunerability

yea, im not quite sure where to put this one, but some people have got the smart idea to set up a "sponsored" gnutella bot on the network, and when you try to download this result, it opens up a browser or just uses the one currently up and redirects you to a webpage.

and while you cant download this file at all because limewire will just keep reading the action metadata and sending you to some page, (auto-launching action) i moused-over to see the metadata, and their was an action that had the directing URL in its place.

some bug in limewire or is this meant to happen? because this is a definate vulnerability. cause someone in the wrong mind can maliciously send someone to a page that will install a trojan by some vulnerabilitys of the browser...

definately get this fixed asap. if someone already found out that they can exploit it for profit, then someone will eventually exploit it for malice.

btw, the url in its action was:

http://www.gnoozle.com/gofishXX

where XX is some ID number of top results listed.


i did a small bit of investigating, and it seems this is related to a limewire rip-off clone http://gnoozle.com/

and it also seems like this modified limewire client was modified so all these "sponsored" results would be at the fault of the user, giving out hundreds of sponsored ads without gnoozle having to spend bandwidth doing it..

man, sometimes i think its conspiracy.
  #2 (permalink)  
Old June 21st, 2005
I_Have_No_Account
Guest
 
Posts: n/a
Default

Gnoozle is not a rip-off of LimeWire. It's a project by one of the LimeWire developers. As you can easily see it's completely legimate. It offers a free version (just like LimeWire) and the GPL'd source code.

I don't see a vulnerability either.
  #3 (permalink)  
Old June 21st, 2005
Software Developer
 
Join Date: November 4th, 2002
Location: New York
Posts: 1,366
sberlin is flying high
Default

It'll be fixed.
  #4 (permalink)  
Old June 22nd, 2005
Gnutella Muse
 
Join Date: February 18th, 2001
Posts: 207
gbildson is flying high
Default

Do you recall the search term that was typed in?
  #5 (permalink)  
Old June 22nd, 2005
Enthusiast
 
Join Date: July 2nd, 2002
Posts: 35
sdaswani is a great assister to others; your light through the dark tunnel
Default

Sam, when you say 'it will be fixed', what do you mean? I hope you are only going to give a warning to the user like you do for .exe files. I don't see LimeWire disabling downloading .exe files. So it doesn't make sense to disable the html launches either.

Susheel

And for those folks who don't understand open source, you really can't 'rip' open source code. The whole point of open source is to allow people to 'rip'. I don't see Linus Torvalds complaining about people 'ripping' Linux .
  #6 (permalink)  
Old June 22nd, 2005
Software Developer
 
Join Date: November 4th, 2002
Location: New York
Posts: 1,366
sberlin is flying high
Default

It'll be fixed in the sense that we won't allow LimeWire users to be overrun by search results that only contain launches to websites. Precisely how we'll go about doing this is left to be seen. I most certainly agree that launching webpages from Gnutella search results is a useful feature, but on a mass-scale it can become a very large problem.
  #7 (permalink)  
Old June 22nd, 2005
Gnutella Muse
 
Join Date: February 18th, 2001
Posts: 207
gbildson is flying high
Default

Susheel,

As I told John Borland, I hope you didn't open that feature up to every spammer in the world. Spammers could drive a truck through that capability and heavy use of it will only make it all too obvious. In the past, we have used it in extremely limited cases. You can't possibly expect it to survive as is with this concern in mind.

Thanks
-greg
  #8 (permalink)  
Old June 22nd, 2005
Enthusiast
 
Join Date: July 2nd, 2002
Posts: 35
sdaswani is a great assister to others; your light through the dark tunnel
Default

Sam & Greg,
I don't think I've opened up any feature to spammers, etc. LimeWire is open source so any so called vulnerabilities are open to the world. The limewire.org website talks about open protocols and open networks - lets not backtrack on that ideal. Also, security by obfuscation (i.e., lets hope people don't figure stuff out) is never good policy.

I absolutely agree that gnutella spam should be detected and discarded like any other spam. I don't agree that LimeWire should make the decision about what is offered to users though - doesn't that get away from the ideals of decentralization and openness? As I've made clear, we don't spam - we offer relevant, targeted ads similar to Google AdWords.

Greg, gnutella is already open to spammers, as you know. If you want to get rid of spammers, close the source.

Adding a warning to a user prior to launching the html page is the correct course of action. Also, don't other open source projects, such as LionShare, depend on this feature?

Thanks!
Susheel
  #9 (permalink)  
Old June 22nd, 2005
zab zab is offline
Connoisseur
 
Join Date: May 16th, 2004
Location: Big Apple
Posts: 266
zab is a great assister to others; your light through the dark tunnel
Default

There is one slight difference between your results and google ad-words: your results look 100% like any other search result. Last time I checked, google ad words appear on a special place to the right of the screen.
  #10 (permalink)  
Old June 22nd, 2005
Software Developer
 
Join Date: November 4th, 2002
Location: New York
Posts: 1,366
sberlin is flying high
Default

You're correct on every point, for the most part. Security by obfuscation is bad, open protocols are good, and warnings are good.

Spam shouldn't be fixed by closing the source, though. I'd like to see you argue that to Thunderbird for their spam filter, or any open source enterprise level spam filtering software.

As far as LimeWire deciding what ads to show to their users, well, we'll see what's required.
 


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
MP3 Metadata piskipai Open Discussion topics 3 July 23rd, 2005 05:31 PM
metadata via CDDB poop New Feature Requests 7 May 16th, 2004 02:39 PM
Find more by same [metadata] pcfrank New Feature Requests 2 March 3rd, 2004 02:31 AM
MP3/metadata coded in Gnotella Moak Gnotella (Windows) 2 October 16th, 2001 05:03 PM
When to expect MetaData? GnutellaFan New Feature Requests 16 September 18th, 2001 03:20 PM


All times are GMT -7. The time now is 09:48 AM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
SEO by vBSEO 3.6.0 ©2011, Crawlability, Inc.

Copyright © 2020 Gnutella Forums.
All Rights Reserved.