Wednesday, April 02, 2008

FlashGet or TrojanGet - Beware FlashGet Users

I have been using FlashGet since I started working at ESS. One thing about this little bandwidth sucker is that it works 100%, and it makes the network admins cry if you know how to configure it and what exactly should be done to improve your share of bandwidth in a given network. (BTW, if your network admin is a really smart guy/gal, then it is almost impossible to suck up all the bandwidth of your network.) Now, coming to the point: one of my friends pointed out this post from a forum that reveals a dirty secret about FlashGet 1.9.xx.
According to the article here, the flaw was pretty basic, but it worked like a charm for the smart guy who hacked the developer's website and put the malicious automatic update files on the server itself. FlashGet installations around the world then downloaded the files those update files pointed to, which were various trojans. I am so damn happy I never upgraded my FlashGet, as I hardly get time to make huge downloads now and mostly get everything done via Opera.
The major problem here is that the flaw still exists in FlashGet: if someone can change the config file locally, FlashGet will download the new files accordingly. I am sure someone will figure out how to do it. And yeah, I am really happy that I did not recommend this software to one of my colleagues who was desperately asking for a download manager.
