Warning: Voucher Printing Software & Privacy

wendy05
Posts: 1,365 Forumite

I've been doing some research on the coupon software that one finds at supersavvyme (elsewhere?) so that one can print off vouchers.
Download and Use with Caution.
What the makers of the software say:
Privacy Statement:
Coupons, Inc. uses the information that we collect to operate, maintain, and provide to you all of the coupons and promotional offerings found on the Sites and for other non-marketing or administrative purposes such as notifying you of major service updates or for customer service purposes.
Coupons, Inc. uses all of the information that we collect from our Consumers to understand the usage trends and preferences, to improve the way the Sites work and look, to improve our marketing and promotional efforts, and to create new features and functionality.
Coupons, Inc. uses "automatically collected" data to (a) process and record coupon printing and redemption activity; (b) store information so that you will not have to re-enter it during your visit or the next time you use the Sites; (c) provide custom, personalized coupon promotions, advertisements, content, and information; (d) monitor the effectiveness of marketing campaigns; and (e) monitor aggregate usage metrics such as total number of visitors and pages viewed.
Coupons, Inc. discloses "automatically collected" data (such as coupon print and redeem activity) to its Clients and third-party ad servers and advertisers. These third parties may match this data with information that they have previously collected about you under their own privacy policies, which you should consult on a regular basis.
What researcher John Stottlemire reports:
Coupons, Inc uses a technology which will retain a unique ID it has assigned to a computer even after that computer has removed its software from the computer.
At first glance, I assumed this was done using a simple cookie or other form of identification of the computer such as IP number or even the MAC address assigned to the Ethernet card. Deleting the IP number, removing cookies and even changing the MAC address had no impact on the retention of the unique ID.
My curiosity getting the best of me, I undertook an analysis of the coupon printer software to see what technology Coupons, Inc may have invented which thwarted all efforts to remove the unique ID.
On a computer I use strictly for testing, I reformatted and reinstalled my Windows XP operating system before beginning my analysis of the coupon printer offered by Coupons, Inc on its website at https://www.coupons.com.
Then, through the use of tools, I compared changes to my Windows registry and hard drive so that I could determine exactly what changes the coupon printer made to my system. I further analyzed the html pages served by the coupons.com website and have come to the following conclusions:
Through the use of hiding files and registry keys on a computer, in areas normally reserved for the Windows operating system and naming these files and registry keys very closely to files and registry keys Windows requires to operate, Coupons, Inc attempts to control access to coupons it offers to the public. A special "password buster", "DVD Decrypter", "Key Generator", or software designed to block access to the hard drive or windows registry is not required to obscure your identity from Coupons, Inc.
The only tool required is the delete button on your keyboard (or in the alternative, the simple windows command "erase") and knowledge of where these unprotected files lie.
I can confirm that the same technology and methods are being used by the coupon program via coupon star at supersavvyme with much the same components intact as the coupon.com program.
more info : http://www.benedelman.org/news/082807-1.html
and : http://www.benedelman.org/news/031808-1.html
Privacy Implications
Coupons.com software provides a user's unique user ID to any web page that invokes Coupons.com's simple "GetDeviceID" JavaScript interface. Any web page a user visits can retrieve this ID. In fact, the JavaScript is so straightforward that it can even be embedded within a page element, i.e. a banner ad or a tracking beacon. Via a HTTP POST, invisible frame, or various other methods, such a web page (or page element) can then transmit the user's unique ID to any desired web server.
Test your computer:
http://www.benedelman.org/spyware/couponsdotcom/demo.html
This page retrieves a user's ID using the specified Coupons.com "GetDeviceID" JavaScript interface. However, this page does not make any further use, copy, or transmission of the user's ID.
In particular, this page does not transmit any user ID back to any web server, nor does this page store a user's ID in any other way.
Note: the software has been updated so may interact slightly differently - that is, the locations and some of the assets / registry keys etc. of the program have changed - but it still essentially functions in the same way as previously reported.
Note: Spybot Search and Destroy will remove some aspects of the program not removed by the normal uninstall method.
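The before/after comparison the report describes can be automated to show what an uninstall leaves behind and which leftovers imitate existing system names. This is an added example, not code from the post or from the researcher; the snapshot entries are constructed placeholders and the similarity threshold is an assumption.

```python
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed snapshots (placeholder paths and keys, not taken from the report):
# entries recorded on the clean system, and again after install + uninstall.
BASELINE = {
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\user32.dll",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion",
}
AFTER_UNINSTALL = BASELINE | {
    r"C:\WINDOWS\system32\kernel33.dll",                # lookalike file left behind
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersoin",  # lookalike key left behind
    r"C:\Documents and Settings\test\install.log",      # ordinary leftover
}

def leaf(entry):
    """Last component of a file path or registry key, lowercased."""
    return PureWindowsPath(entry).name.lower()

def residue(baseline, after_uninstall):
    """Entries that did not exist before install but still exist after uninstall."""
    return sorted(after_uninstall - baseline)

def closest_baseline_name(entry, baseline, threshold=0.85):
    """Return the baseline name this leftover resembles, or None if nothing is close."""
    name = leaf(entry)
    best, score = None, 0.0
    for known in {leaf(b) for b in baseline}:
        ratio = SequenceMatcher(None, name, known).ratio()
        if ratio > score:
            best, score = known, ratio
    return best if score >= threshold else None

def report(baseline, after_uninstall):
    """Map each leftover entry to the legitimate name it resembles (or None)."""
    return {e: closest_baseline_name(e, baseline)
            for e in residue(baseline, after_uninstall)}

if __name__ == "__main__":
    for entry, imitates in report(BASELINE, AFTER_UNINSTALL).items():
        print(f"{entry}  ->  resembles {imitates}")
```

A leftover that maps to a name is worth inspecting first, since an entry that survives uninstall under a near-system name is the pattern the report describes.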
Comments
Some more info on these types of software that gives an idea as to how it collates information:
Installer
I started by re-examining the installer with the latest copy I downloaded yesterday. Using UniExtract, I was able to pull all files embedded in the installer in their raw format. This didn't shed a ton of light on what was going on more than was obvious after the installation, other than the fact that they have a purchased Verisign certification to pass Microsoft checks on the DLLs being installed (pretty pricey and a sure sign of a larger corporate budget).
Reg Keys
The registry keys created are still very similar to what was reported a few years back. Class IDs in the normal CLSID locations referring to one of the installed .ocx files, and the cpbrkpie Control component the developers used within the application.
However, examining the browser DLLs and ActiveX files shed some eye-opening, and frankly disturbing, information about what is really going on in the background.
At each run, the browser plugins are calling multiple system services to gather tons of data regarding your hardware, system variables, and user information. I spent a good many hours tonight sifting through the ridiculous amount of data in these to filter out everything important.
Each DLL was disassembled, and here is what we have that seems critical...
C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll & npMozCouponPrinter.dll
Mostly the same data, and here is most of the details collected about your machine:
Operating System (OS)
Computer Name
IP Address
User Name
Internet Explorer Version
Total RAM
Free Memory
Number of Hard Disk Drives
Partitions
Hard Disk Total Space
Hard Disk Free Space
Hard Disk Used Space
Hard Disk Features (S.M.A.R.T.)
CDD-ROM Drives
Monitor Resolution
Color Depth
Number of CPUs
CPU Speed
CPU Identifier (ID)
CPU Vendor Identifier (Vendor ID)
Operating System Folder
System Folder
Desktop Folder
Cookies Folder
Startup Folder
Start Menu Folder
Favorites Folder
Fonts Folder
Internet Cache Folder
Local Application Folder
My Documents Folder
Program Files Folder
Program Group Folder
Recent Folder
Send To Folder
Templates Folder
Administrative Tools Folder
History Folder
NetHood Folder
Personal Folder
Profile Folder
Common Startup Folder
Common Programs Folder
Common Desktop Folder
Common Favorites Folder
Common Start Menu Folder
Common Administrative Tools Folder
Common Application Data Folder
Common Documents Folder
Common Templates Folder
SMBIOS BIOS Version
SMBIOS BIOS Release Date
Win32_BIOS
Win32_Baseboard
Win32_SystemEnclosure
Manufacturer
Install Date
Win32_PhysicalMedia
SerialNumber
Digital Product Id
Product Id
And here is all of the system resources queried, and what it is collecting from each to send to the server:
IMPORTS
; Imports from KERNEL32.dll
;
extrn GetProcAddress
extrn GetModuleHandleA
extrn lstrlenA
extrn FreeLibrary
extrn LoadLibraryA
extrn GetVersionExA
extrn GetSystemDirectoryA
extrn GetTempPathA
extrn DeleteFileA
extrn GetLastError
extrn CreateFileA
extrn MultiByteToWideChar
extrn DeviceIoControl
extrn VirtualFree
extrn VirtualAlloc
extrn InterlockedDecrement
extrn WideCharToMultiByte
extrn DisableThreadLibraryCalls
extrn LocalFree
extrn SetErrorMode
extrn GetDriveTypeA
extrn GetVolumeInformationA
extrn GetLogicalDriveStringsA
extrn GetVersion
extrn CloseHandle
extrn GetWindowsDirectoryA
;
; Imports from USER32.dll
;
extrn SetWindowLongA
extrn DefWindowProcA
extrn EndPaint
extrn BeginPaint
;
; Imports from ADVAPI32.dll
;
extrn RegOpenKeyA
extrn RegQueryValueExA
extrn RegOpenKeyExA
extrn RegCloseKey
;
; Imports from ole32.dll
;
extrn CoInitializeEx
extrn CoInitializeSecurity
extrn CoUninitialize
extrn CoSetProxyBlanket
extrn CoCreateInstance
;
; Imports from OLEAUT32.dll
;
extrn OLEAUT32.8
extrn OLEAUT32.6
extrn OLEAUT32.9
extrn OLEAUT32.2
;
; Imports from MFC42.DLL
;
extrn MFC42.926
extrn MFC42.6662
extrn MFC42.4278
extrn MFC42.350
extrn MFC42.354
extrn MFC42.6153
extrn MFC42.5186
extrn MFC42.6385
extrn MFC42.825
extrn MFC42.800
extrn MFC42.939
extrn MFC42.2818
extrn MFC42.535
extrn MFC42.537
extrn MFC42.2915
extrn MFC42.823
extrn MFC42.858
extrn MFC42.860
extrn MFC42.540
extrn MFC42.922
extrn MFC42.941
extrn MFC42.2763
extrn MFC42.5710
extrn MFC42.4129
extrn MFC42.2764
extrn MFC42.2614
extrn MFC42.940
extrn MFC42.3790
extrn MFC42.3337
extrn MFC42.3811
extrn MFC42.5651
extrn MFC42.3127
extrn MFC42.3616
extrn MFC42.3663
extrn MFC42.665
extrn MFC42.1979
;
; Imports from MSVCRT.dll
;
extrn _strrev
extrn ??1type_info@@UAE@XZ
extrn _strdup
extrn wcslen
extrn _purecall
extrn malloc
extrn _mbscmp
extrn __CxxFrameHandler
extrn atol
extrn strncpy
extrn sprintf
extrn fclose
extrn fopen
extrn free
extrn printf
extrn _CxxThrowException
extrn atoi
extrn strtok
extrn _beginthread
extrn ftell
extrn fseek
extrn srand
extrn time
extrn rand
extrn _ftol
extrn isdigit
extrn memmove
extrn __dllonexit
extrn _onexit
extrn _except_handler3
extrn ?terminate@@YAXXZ
extrn _initterm
extrn _adjust_fdiv
extrn _mbsicmp
;
; Imports from MSVCP60.dll
;
extrn ??1_Winit@std@@QAE@XZ
extrn ??0Init@ios_base@std@@QAE@XZ
extrn ??1Init@ios_base@std@@QAE@XZ
extrn ??0_Winit@std@@QAE@XZ
;
; Imports from iphlpapi.dll
;
extrn GetAdaptersInfo
;
; Imports from WS2_32.dll
;
extrn WS2_32.52
extrn WS2_32.115
extrn WS2_32.57
extrn WS2_32.116
extrn WS2_32.12
;
; Imports from VERSION.dll
;
extrn VerQueryValueA
extrn GetFileVersionInfoSizeA
extrn GetFileVersionInfoA
;
; Imports from WINTRUST.dll
;
extrn WinVerifyTrust
;
; Imports from CRYPT32.dll
;
extrn CertFreeCertificateContext
extrn CryptVerifyMessageSignature
extrn CertGetNameStringA
;
; Imports from imagehlp.dll
;
extrn ImageGetCertificateHeader
extrn ImageGetCertificateData
extrn ImageEnumerateCertificates
;
; Imports from WININET.dll
;
extrn InternetOpenA
extrn InternetOpenUrlA
extrn InternetReadFile
extrn InternetCloseHandle
Is all this data getting stored on their Databases?
Now, there are a lot of references to database locations that appear to be at the remote server, so one can pretty much conclude that all of these variables being collected are getting pushed to a stored location on their database. This is not a definite, but seems pretty practical with what they collect. If that is the case, then I would also assume that the first connection made to their servers creates the unique key stored in the registry, and uses this key to reference all of your hardware specs stored on their databases. The reason this would make sense is that it is now very simple to check your specs against other keys in the system, to make sure you're not just using a different key each time.
As you can see from what is collected, they have enough details to keep everyone completely unique, regardless of how many Dell Latitude model e6400's with matching hardware connect to the site. Your hardware and OS variables should always be different than anyone else that comes in.
Here it is. One thing I have learned working in large corporate IT departments is that the work done here to write this application has many years, and likely a pretty good size team of employees and consultants on staff to put this project together and keep it running. And I can also say that a lot more work is put in here than the teams I work around, and our company had about 50,000-60,000 employees (before cutbacks).
That tells me that there has been some pretty serious finance put into this, and although it's not impossible to get around, you have to ask how far a company with that much invested will go to keep it protected. If this is hacked and leaked, not only does it cost many, if not hundreds of thousands to have rebuilt by their dev teams, but they also lose the trust of the clients that keep the business running.
Those few facts are enough for me to walk from, especially after finding that they actively pursued a lawsuit on someone in 2007 for getting around their security and posting how to online.
That's my 2 cents.... Hope it helps those out there eager enough to dig deeper as I have.
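An import listing like the one in the comment above can be triaged by parsing it per DLL and grouping the named imports by what they make possible. This is an added example, not code from the comment or from the vendor; the capability labels are this example's own assumption, and an import shows only that a DLL can call an API, not what it does with the result.

```python
import re
from collections import defaultdict
# Constructed sample: a few entries copied from the listing in the comment above.
LISTING = """\
; Imports from KERNEL32.dll
extrn DeviceIoControl
extrn GetVolumeInformationA
; Imports from iphlpapi.dll
extrn GetAdaptersInfo
; Imports from WS2_32.dll
extrn WS2_32.52
extrn WS2_32.115
; Imports from WININET.dll
extrn InternetOpenUrlA
"""
# Capability labels chosen for this example (an assumption, not exhaustive).
CAPABILITY = {
    "DeviceIoControl": "direct device query",
    "GetVolumeInformationA": "volume serial number",
    "GetAdaptersInfo": "network adapter details",
    "InternetOpenUrlA": "outbound HTTP request",
}
HEADER = re.compile(r";\s*Imports from\s+(\S+)", re.IGNORECASE)
IMPORT = re.compile(r"extrn\s+(\S+)")
ORDINAL = re.compile(r"\w+\.(\d+)")  # e.g. WS2_32.52: imported by number, not name

def parse_imports(text):
    """Return {dll (lowercase): [symbol, ...]} from an 'extrn' import listing."""
    by_dll, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            current = m.group(1).lower()
        elif current and (m := IMPORT.match(line)):
            by_dll[current].append(m.group(1))
    return dict(by_dll)

def triage(by_dll):
    """Group named imports by capability; list ordinal-only imports per DLL."""
    caps, ordinals = defaultdict(list), defaultdict(list)
    for dll, symbols in by_dll.items():
        for sym in symbols:
            if m := ORDINAL.fullmatch(sym):
                ordinals[dll].append(int(m.group(1)))  # naming it needs the DLL's exports
            elif sym in CAPABILITY:
                caps[CAPABILITY[sym]].append(sym)
    return dict(caps), dict(ordinals)

if __name__ == "__main__":
    print(*triage(parse_imports(LISTING)), sep="\n")
```

Ordinal-only entries (the WS2_32, OLEAUT32 and MFC42 lines in the listing) stay unnamed until they are looked up in the export table of the matching DLL version.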
This discussion has been closed.