Back on Finjan

security4all posted a comment about a potential disclosure of personal information when using Finjan. Thanks to him!

Once installed, the Finjan Firefox add-on requires neither registration nor authentication on the Finjan web site. The service is available “as is” and relies on the HTTP protocol. More details about this service follow.

Finjan uses the following netblock:

inetnum:   82.166.163.0 - 82.166.163.31
netname:   FINGAN-1
descr:     Fingan Ltd
country:   IL
admin-c:   BPT2-RIPE
tech-c:    BPT2-RIPE
status:    ASSIGNED PA
remarks:   Send Spam and Abuse complains to abuse@013barak.net.il
mnt-by:    BARAK-MNT
source:    RIPE # Filtered

First, the URLs checked are those returned by your search query. All of them are checked, and Finjan does not know which one will be “clicked”. The only thing it can learn about you is what you are looking for (based on the search engine results).

Here is a typical client-server conversation (let’s assume my IP is 10.0.0.1). First, a typical TCP session initialization:

10.0.0.1:12345 -> 82.166.163.10:80 | SYN
82.166.163.10:80 -> 10.0.0.1:12345 | SYN,ACK
10.0.0.1:12345 -> 82.166.163.10:80 | ACK

Then the HTTP request containing the URL to check:

10.0.0.1:12345 -> 82.166.163.10:80 | POST /advice/advise?\
rnd=pxTuhngd23711227301243150_eWaJTngF1227306376040&n=0&m=12&t=12
Line-based text data: application/x-www-form-urlencoded
[truncated] version=1.333&url0=http%3A%2F%2Fwww.subserials.net\
%2F&url1=http%3A%2F%2Fwww.subserials.net%2Fhtml%2Fy1.html\
&url2=http%3A%2F%2Fwww.appzplanet.com%2F&url3=http%3A%2F%2F\
www.serialcrackz.com%2F&url4=http%3A%2F%2Fwww.cracktop.com%2F

In the text data, you will find the URLs returned by Google: www.subserials.net, www.appzplanet.com, www.serialcrackz.com, etc. Note that the rnd parameter is a randomly generated ID for your requests. Then the Finjan server replies:

82.166.163.10:80 -> 10.0.0.1:12345 | HTTP/1.1 200 OK (text/html)
Line-based text data: text/html
{"url0": {"category": "Hacking", "reason": "", "state": "safe"}, \
"url10": {"category": "Reference", "reason": "", "state": "safe"}, \
"url11": {"category": "Reference", "reason": "", "state": "safe"}}

To conclude, the only pieces of information they grab about you are:

  • your IP address
  • your User-Agent
  • the URLs returned by your search queries

If you’re paranoid, use a proxy to relay your requests to Finjan and fake your User-Agent.
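
To check what one of these requests discloses, the captured POST can be decoded and joined with the server's reply. The script below is an added example, not part of the original post or of Finjan's code; the function names are hypothetical, and the sample data is constructed from the truncated capture shown above with the line continuations joined.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample: values copied from the capture above (truncated there,
# so only url0..url4 appear in the request and url0/url10/url11 in the reply).
REQUEST_TARGET = ("/advice/advise?rnd=pxTuhngd23711227301243150_eWaJTngF1227306376040"
                  "&n=0&m=12&t=12")
REQUEST_BODY = ("version=1.333&url0=http%3A%2F%2Fwww.subserials.net%2F"
                "&url1=http%3A%2F%2Fwww.subserials.net%2Fhtml%2Fy1.html"
                "&url2=http%3A%2F%2Fwww.appzplanet.com%2F"
                "&url3=http%3A%2F%2Fwww.serialcrackz.com%2F"
                "&url4=http%3A%2F%2Fwww.cracktop.com%2F")
RESPONSE_BODY = ('{"url0": {"category": "Hacking", "reason": "", "state": "safe"}, '
                 '"url10": {"category": "Reference", "reason": "", "state": "safe"}, '
                 '"url11": {"category": "Reference", "reason": "", "state": "safe"}}')


def disclosed(target, body):
    """Return what one request reveals: the rnd ID, version and submitted URLs."""
    query = parse_qs(urlsplit(target).query)
    form = parse_qs(body)  # also percent-decodes the urlN values
    urls = {k: v[0] for k, v in form.items()
            if k.startswith("url") and k[3:].isdigit()}
    return {
        "request_id": query["rnd"][0],
        "version": form["version"][0],
        "urls": dict(sorted(urls.items(), key=lambda kv: int(kv[0][3:]))),
    }


def verdicts(urls, response_body):
    """Join the JSON reply to the submitted URLs through their shared urlN key."""
    reply = json.loads(response_body)
    return {url: (reply[key]["category"], reply[key]["state"])
            for key, url in urls.items() if key in reply}


if __name__ == "__main__":
    info = disclosed(REQUEST_TARGET, REQUEST_BODY)
    print("request ID:", info["request_id"], "| version:", info["version"])
    for key, url in info["urls"].items():
        print(f"{key}: {url} (host {urlsplit(url).hostname})")
    print(verdicts(info["urls"], RESPONSE_BODY))
```

Because the service runs over plain HTTP, the same fields are readable by anyone on the network path, not only by the server.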
