On Sun, 09 Oct 2005 13:25:09 -0400, Susan Bugher wrote:
[eBay Searchbar bundled with IrfanView 3.92 an newer]
Could some of our resident experts please speak up. I'd like to know if
Spyware is a valid concern.
Okay. At last your persistence made me check this thing. The following
applies to v3.97:
- The eBay Toolbar option installs EbaySrch.dll into an Ebay subfolder
of the IrfanView directory; in addition IrfanView gets an Edit Box
and a Submit query Button into its toolbar (you can write a string
into the Edit Box and look it up on eBay); Edit Box and Button can
later be removed via Option->Misc.3 (that doesn't uninstall the
*.dll, though)
- The Desktop shortcut / IE Toolbar option creates an eBay.htm and an
eBay.ico file into the above mentioned Ebay folder; further it
creates a desktop link to that *.htm file and it adds a button to
the IE button bar which again loads the *.htm page; in both cases
a new browser window of the *default* browser (not necessarrily
IE) will be opened
The EbaySrch.dll is packed with Aspack. If extracted, one sees that it
contains the necessary functions to connect to an intermediate server
('webtip') which counts all requests and redirects them to the real
target. Seems, a different counter is used for queries from a German
IrfanView version and for the English.
http://www.webtip.ch/cgi-bin/irfanview/tracker_qry_de.pl?
http://www.webtip.ch/cgi-bin/irfanview/tracker_qry_com.pl?
I use English localization on German Win2k and was redirected to the
second tracker on a test.
At the moment only the German redirection seems to work. It redirects
again to an 'Adfarm' and after that opens the eBay searchpage with
the query result.
The same goes with the desktop link and the IE button. They first
connect to Webtip and get redirected. The only difference is the
target: the eBay homepage instead of the search page.
In either case (searchbar, desktop link/IE button) no hidden (maybe
private) information is sent. (As I didn't check in-depth, there is
a - minimal - chance left, that I missed something. But it would
need to use separate channels and stealth techniques. ;-) )
And of course all information usually visible on browsing is visible
here, too.
I checked the installation file, the IrfanView directory and the
Win2k folder with virus scanners using the latest deinition files
(F-Prot, McAfee, AVP). None of them complained. Neither did Adaware
on a smart system check and on a special check into the IrfanView
directory.
After that I submitted EbaySrch.dll to:
http://www.virustotal.com
http://virusscan.jotti.org
On the first Fortinet claimed it 'suspicious'. On the second even
Fortinet didn't find anything. Both servers use different versions
of the definition files, obviously.
I don't regard Fortinet a reference. It's more likely they have
a false positive on a file available (and causing unease) for
months, than all other miss it...
So what's going on? There's one problematic point: Webtip (and the
Adfarm redirection, coming to this). Let's have a look into the
privacy statements of Webtip:
| Datenschutz-Erklärung
[...]
Some general declarations about usage (only with the best of the
user in mind, no passing on of personal data to third party, ...).
Nothing special.
| Info:
That's interesting:
| Bei der eBay-Integration im Rahmen des Browsers Firefox werden keine IPs
| oder Suchanfragen gespeichert, noch an Dritte weitergegeben. Es wird
| lediglich die Anzahl der dort getätigten Suchanfragen statistisch
| erfasst.
Regarding the eBay search add-on of the Firefox browser they claim only
to count the accesses. No storage of IPs, no passing on to third party.
I *believe* (but don't know), they handle requests from the IrfanView
bar (and from the desktop link / IE button) the same way. Even if they
don't: As long as one has dynamic IP (most private users do) and one
doesn't permit Webtip to aquire personal information out of the
request itself (or on an independent path), Webtip could store the IP
and wouldn't be any wiser. Ebay itself might link the question to a
person if one logs into eBay while having still the same IP. But that's
also the case if one opens the eBay search page manually.
I don't know which rule the Adfarm plays. But from a quick check, ISTM
that this is a 'normal' eBay function. Every time one opens an eBay
page the Adfarm will be contacted. (Perhaps to place Ads onto the newly
opened eBay page...)
I hope that clarifies some questions. I'll clean my system now. The
eBay option is, IMHO, no security risk. But it sure is no functionality
I need or like.
BeAr