Trend Micro has confirmed reports that some of its Mac consumer products were silently sending users’ browser history to its servers, and apologised to customers for any “concern they might have felt.”
However, in an advisory on its blog, the well-known internet security firm maintained that all collected data was “safe and at no point was compromised.”
Furthermore, Trend Micro claims that the data collection was not a secret - as users should have spotted they were agreeing to the data collection when they approved the software’s EULA at installation.
Yeah, because we all know that users read the license agreement when they install software - right?
In its advisory, Trend Micro confirmed researchers’ findings that products such as Dr Cleaner, Dr Cleaner Pro, Dr Antivirus, Dr Unarchiver, Dr Battery, and Duplicate Finder were snaffling users’ browser history, although Trend was at pains to point out that the data collection only occurred once per installation, and did not contain the full browser history:
“[The products] collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service).”
The discovery of the apps’ behaviour resulted in them being kicked out of the Mac App Store (for now at least).
In response to concerns and media reports, Trend Micro says that it has now removed the browser data collection code from its affected consumer products, and deleted any legacy data logs.
But it’s the company’s final statement which caught my eye the most:
“Third, we believe we identified a core issue which is humbly the result of the use of common code libraries. We have learned that browser collection functionality was designed in common across a few of our applications and then deployed the same way for both security-oriented as well as the non-security oriented apps such as the ones in discussion. This has been corrected.”
In short, Trend Micro says that the code was designed to help the software determine if users had recently encountered online threats - and yet the code was also incorporated into products which were not security-related.
Dr Battery, for instance, is an app that purports to offer real-time monitoring of your Mac’s battery and determine which apps are draining resources the most. Why on earth would that need to take a gander at your browsing history?
It’s a similar story for Dr Unarchiver which - as its name suggests - allows you to browse, access, and extract files within archive formats. Nothing to do with adware, malware, or which websites you’ve been visiting.
Other software manufacturers should learn a lesson from this incident. Not only should you be sure to get positive agreement from your users as to what private data you may extract from them (and not hide it away in a EULA), but you also need to be careful not to fatten up your different products with unnecessary code.
Shared code libraries that aren’t actually required by a program to perform its function increase the threat surface, introduce security and privacy vulnerabilities that could impact your customers, and - potentially - give more opportunities for hackers to strike.
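To make the two lessons above concrete, here is an added example (not Trend Micro's code, and not taken from the article) of how a shared data-collection helper can be gated so that it can only run in a product that declares the capability, only after an explicit opt-in recorded separately from EULA acceptance, only once per installation, and only over the 24-hour window the advisory describes. The product names, manifest and consent structures, and the sample browsing history are all constructed for the illustration.

```python
"""Consent- and capability-gated browser-history snapshot (illustrative example).

Everything here is constructed: the product manifests, the consent store and the
sample history are not real product code or real data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum, auto


class Capability(Enum):
    BROWSER_HISTORY_SNAPSHOT = auto()
    BATTERY_STATS = auto()
    ARCHIVE_EXTRACTION = auto()


@dataclass(frozen=True)
class ProductManifest:
    """What a product is built to do. A shared library checks this before acting,
    so a battery monitor cannot reach browser data merely because the library is linked."""
    name: str
    capabilities: frozenset


@dataclass
class ConsentState:
    """Explicit per-capability opt-ins. EULA acceptance is deliberately not a key here;
    agreeing to the licence does not count as agreeing to collection."""
    opt_ins: set = field(default_factory=set)
    snapshot_done: bool = False  # enforces the one-time-per-installation promise


@dataclass(frozen=True)
class HistoryEntry:
    url: str
    visited_at: datetime


class CollectionRefused(Exception):
    """Raised when any gate fails; callers log the reason and collect nothing."""


def collect_browser_snapshot(product, consent, history, installed_at,
                             window=timedelta(hours=24)):
    """Return URLs visited in the `window` before `installed_at`, or refuse."""
    if Capability.BROWSER_HISTORY_SNAPSHOT not in product.capabilities:
        raise CollectionRefused(f"{product.name} does not declare browser-history capability")
    if Capability.BROWSER_HISTORY_SNAPSHOT not in consent.opt_ins:
        raise CollectionRefused("no explicit user opt-in for browser-history collection")
    if consent.snapshot_done:
        raise CollectionRefused("one-time snapshot already taken for this installation")
    start = installed_at - window
    # Data minimisation: only the window the product claims to need, nothing older or newer.
    snapshot = [e.url for e in history if start <= e.visited_at <= installed_at]
    consent.snapshot_done = True
    return snapshot


def run_scenario():
    """Exercise the gates with constructed products and history; returns the outcomes."""
    installed_at = datetime(2018, 9, 10, 12, 0, tzinfo=timezone.utc)
    history = [  # constructed sample history
        HistoryEntry("https://example.com/recent", installed_at - timedelta(hours=2)),
        HistoryEntry("https://example.com/old", installed_at - timedelta(hours=30)),
        HistoryEntry("https://example.com/later", installed_at + timedelta(hours=1)),
    ]
    antivirus = ProductManifest("Example Antivirus", frozenset({Capability.BROWSER_HISTORY_SNAPSHOT}))
    battery = ProductManifest("Example Battery Monitor", frozenset({Capability.BATTERY_STATS}))
    outcomes = {}

    consent = ConsentState(opt_ins={Capability.BROWSER_HISTORY_SNAPSHOT})
    outcomes["security_snapshot"] = collect_browser_snapshot(antivirus, consent, history, installed_at)
    try:  # second call on the same installation must be refused
        collect_browser_snapshot(antivirus, consent, history, installed_at)
        outcomes["second_attempt_refused"] = False
    except CollectionRefused:
        outcomes["second_attempt_refused"] = True

    try:  # opt-in present, but the product never declared the capability
        collect_browser_snapshot(battery, ConsentState(opt_ins={Capability.BROWSER_HISTORY_SNAPSHOT}),
                                 history, installed_at)
        outcomes["battery_refused"] = False
    except CollectionRefused:
        outcomes["battery_refused"] = True

    try:  # capability declared, but no explicit opt-in (EULA alone is not consent)
        collect_browser_snapshot(antivirus, ConsentState(), history, installed_at)
        outcomes["no_consent_refused"] = False
    except CollectionRefused:
        outcomes["no_consent_refused"] = True
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

The point of the manifest check is that it is enforced inside the shared library rather than left to whichever product happens to call it: linking the library into a non-security app buys that app nothing unless its manifest says so, and an auditor can list every product's declared capabilities without reading its code.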
For more discussion of this issue, be sure to listen to this episode of the “Smashing Security” podcast: