greenshot / greenshot

Greenshot for Windows - Report bugs & features go here: https://greenshot.atlassian.net or look for information on:
https://getgreenshot.org
GNU General Public License v3.0

Greenshot network traffic beacon every 5 minutes. Malware !? #456

Open SekDev opened 1 year ago

SekDev commented 1 year ago

Hello,

I noticed something very unusual in my firewall log. Greenshot seems to beacon to your server every 5 minutes.

Even when I have update settings to only check every 14 days (default setting?).

This same activity occurs for multiple users at my company, different computers all exhibit the same behavior.

Why is this happening ? What data are you capturing ? This is very alarming.

Is your source code secure ? Do you have a supply chain security problem ? Please investigate / fix.

[three screenshots attached: image3, image1, image2]

Lakritzator commented 1 year ago

Our code is secure, I check every change to it. And as long as you download our app from our own site, and do not take it from the Microsoft store (unless I finally manage to publish it) you get exactly what is in our repository. We build on secure servers, so I do not build Greenshot from my own laptop, which in theory could be infected. That said, this is plainly a bug from our side, which is known and we fixed it for the next release.

Some background

I have not been able to reproduce it, but looking at the code it was very simple to see the issue:

  1. Update check process runs every ~5 minutes
  2. This performs a check if the last information from our website is older than the specified update check interval
  3. If the information is older, the information is retrieved (a GET request) from our project feed.
  4. If the answer is returned and processed, the last checked time is updated to "now"
  5. If the information contains a newer Greenshot version, inform the user.

Now the issue is in 4: if the answer for some reason is not arriving, causing an error, or has garbage in the response, then the last checked time is not updated. This means that 5 minutes later the check in step 2 doesn't know it just checked, and will do so again. Not good, but bugs happen.

Why there is an issue in step 4 is still not clear to us, maybe the user doesn't have a network connection or a firewall is blocking it? Seeing the "301" in the answer does make me wonder if that might be the issue, and the code we wrote doesn't handle that, need to check.

For now I advise you to disable the check, set it to 0, and there should no longer be a GET to our feed every 5 minutes.
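A small model of the scheduler described in steps 1 to 5 above, as an added example that is not Greenshot's own code. It simulates one day of 5-minute timer ticks against a feed that never parses, and counts the GET requests in two variants: the described behaviour, where the "last checked" time is only stamped after a successful parse, and a corrected one, where every attempt counts as a check. It also shows the interval-0 workaround. The names `UpdateChecker`, `parse_feed`, `simulate` and the constructed feed bodies are assumptions for the illustration, not Greenshot identifiers.

```python
"""Model of a periodic update-check scheduler (added example, not Greenshot code):
a timer tick every 5 minutes, a "last checked" timestamp and a configured
check interval in days.  Shows why a failed or malformed feed response turns a
14-day check into a request every 5 minutes, and what stamping the attempt fixes."""
from dataclasses import dataclass, field
from typing import Callable, List

TICK_MINUTES = 5                 # the timer fires roughly every 5 minutes
MINUTES_PER_DAY = 24 * 60


def parse_feed(body: str) -> str:
    """Toy feed parser (hypothetical): accepts 'version=X.Y.Z', rejects anything else,
    e.g. an HTML redirect page or an empty body from a blocked request."""
    if not body.startswith("version="):
        raise ValueError("unexpected feed body")
    return body[len("version="):]


@dataclass
class UpdateChecker:
    interval_days: int            # configured update-check interval; 0 disables the check
    record_attempts: bool         # True = corrected behaviour: stamp the attempt time even on failure
    last_checked: float = float("-inf")               # minutes; -inf means "never checked"
    requests: List[float] = field(default_factory=list)   # times at which a GET was sent

    def tick(self, now: float, fetch: Callable[[], str]) -> None:
        """One timer tick at time `now` (in minutes); steps 1 to 4 of the thread."""
        if self.interval_days <= 0:                       # interval 0 disables the check entirely
            return
        if now - self.last_checked < self.interval_days * MINUTES_PER_DAY:
            return                                        # step 2: checked recently, nothing to do
        self.requests.append(now)                         # step 3: GET the project feed
        if self.record_attempts:
            self.last_checked = now                       # corrected: the attempt itself counts
        try:
            parse_feed(fetch())                           # raises on garbage or a redirect body
        except ValueError:
            return                                        # described bug: last_checked untouched
        self.last_checked = now                           # step 4: only reached on success
        # step 5 (compare the feed version with the running version) is not modelled


def simulate(checker: UpdateChecker, fetch: Callable[[], str], days: int = 1) -> int:
    """Run `days` days of 5-minute ticks; return how many GET requests were sent."""
    for now in range(0, days * MINUTES_PER_DAY, TICK_MINUTES):
        checker.tick(now, fetch)
    return len(checker.requests)


# Constructed responses: a healthy feed, and what a blocked or redirected request might hand back.
GOOD_FEED = "version=1.3.0"
BAD_FEED = "<html>301 Moved Permanently</html>"


def buggy_requests_per_day(body: str = BAD_FEED) -> int:
    """Described behaviour: last_checked only updated on success."""
    return simulate(UpdateChecker(interval_days=14, record_attempts=False), lambda: body)


def fixed_requests_per_day(body: str = BAD_FEED) -> int:
    """Corrected behaviour: every attempt is stamped, so failures are retried next interval."""
    return simulate(UpdateChecker(interval_days=14, record_attempts=True), lambda: body)


def disabled_requests_per_day() -> int:
    """The workaround from the thread: interval set to 0."""
    return simulate(UpdateChecker(interval_days=0, record_attempts=False), lambda: BAD_FEED)


if __name__ == "__main__":
    print("described bug, bad feed:  ", buggy_requests_per_day())           # 288 GETs in one day
    print("described bug, good feed: ", buggy_requests_per_day(GOOD_FEED))  # 1
    print("corrected, bad feed:      ", fixed_requests_per_day())           # 1
    print("interval set to 0:        ", disabled_requests_per_day())        # 0
```

With a healthy feed both variants send a single request per interval; the 288-per-day count only appears when the response never parses, which is why a firewall that blocks or rewrites the request makes the symptom worse rather than better. Stamping the attempt time (rather than the success time) bounds the retry rate to once per configured interval regardless of what comes back.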

Lakritzator commented 1 year ago

I checked the request, and when I do request https://getgreenshot.org/project-feed/ there is no 301. The initial request is done on http (yes the code is a bit old), but forced to https, via a 301. The code should be able to handle redirects, which is configured here, and it uses GET, so the 301 should work.

The response looks sane to me too, so I cannot find a reason for it to fail on our side. That doesn't mean the reason is on your side, I just do not have the information to explain the issue. This is why we rewrote the check in newer versions.

Noctis- commented 1 year ago

Still an issue btw, I found the same thing, and was wondering what the heck is happening :) / :( ... any updates?

Lakritzator commented 1 year ago

@Noctis- This should be fixed in the coming 1.3, but I never understood what is causing the issue. Do you have any details on the networking setup you are using?

Noctis- commented 1 year ago

Hmm... win 10, hitting my r-pi with pihole for dns. Domain is approved. If you want more, tell me what or where to look. Happy to help if I can.

On Tue, 28 Mar 2023, 22:13 Robin Krom, @.***> wrote:

@Noctis- https://github.com/Noctis- This should be fixed in the coming 1.3, but I never understood what is causing the issue. Do you have any details on the networking setup you are using?

GitMensch commented 1 year ago

Note that, along with the HTTP request which is later forced to HTTPS (I guess that was changed for the upcoming version to directly ask via HTTPS), #481 may be an issue for blocks, too.

LinuxOnTheDesktop commented 4 months ago

I find that if I block Greenshot in my firewall then, upon boot, Greenshot uses 14 - 15% of my quad-core Intel i7 3770S, on Windows. So, I'm afraid (partly because of the dialling home, and partly because of the CPU): uninstalling.

EDIT: Greenshot even tries, and rampantly, to phone home upon uninstalling.

jklingen commented 4 months ago

@LinuxOnTheDesktop which version are you using? This is a known bug in 1.2.*, which @Lakritzator has described above and fixed for 1.3 (you can try the unstable releases). Disabling the update check should also work around the issue.

Apart from this unintended behavior: no need to be alarmed because of "phoning home" - Greenshot is just checking whether a new version is available.

LinuxOnTheDesktop commented 4 months ago

@jklingen: I believe I was using 1.3.256-UNSTABLE.