40

I had an idea to make a plugin for one of my email clients where my users will be able to upload & scan attachments using VirusTotal service, but then again I was worried about their privacy and security of uploading personal files which may have been exposed to someone.

My question here is; how safe is it to upload personal files, could they get exposed to someone beside owner of VirusTotal?

Mirsad
  • 10,005
  • 8
  • 33
  • 53
  • 1
    See Steffen's answer as to why this might be a bad idea. However, you can still send hashes of the files to VirusTotal which can match known malware samples already in VT but won't detect new or modified malware – BlueCacti Aug 18 '17 at 09:47
  • 7
    @GroundZero Sending file hashes may be dangerous, too. For instance, it is easy for VT to determine which users have a copy of a certain porn movie on their hard disk. – Federico Poloni Aug 18 '17 at 13:52

5 Answers5

73

Paid subscribes to virustotal can download files uploaded by others. If you consider this still safe for your users depends on what you consider safe.

See also their Privacy Policy which clearly says:

Information we share
When you submit a file to VirusTotal for scanning, we may store it and share it with the anti-malware and security industry ... Files, URLs, comments and any other content submitted to or shared within VirusTotal may also be included in premium private services offered by VirusTotal to the anti malware and ICT security industry

Still, I think that your idea of offering a simpler access to a useful service directly from the mail client makes sense. I would though recommend that you add an easy to understand but not easy to ignore warning about the privacy implications before the user uploads a file. And it might be less invasive to first check if the hash already exists at VT before uploading a file (and not upload if hash is known to VT).
Ideally you also make it easy for users to remove an accidentally shared file (thanks to @Mirsad for this suggestion in a comment).

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 7
    Yes, there is a commercial tool (won't say names) out there that got some attention because they had an option to upload files and attachments to virus total, some companies realized some of their sensitive data was being exposed. I know some companies will just upload and check hashes instead – nd510 Aug 18 '17 at 05:16
  • 15
    @nd510: For a more balanced view on the issue you probably refer to see [KrebsOnSecurity: Beware of Security by Press Release](https://krebsonsecurity.com/2017/08/beware-of-security-by-press-release/). – Steffen Ullrich Aug 18 '17 at 06:03
  • 1
    @SteffenUllrich, it would be good to add this one: https://support.virustotal.com/hc/en-us/requests/new - in case if someone uploaded something private/personal, there is already pre-generated subject: **I have accidentaly uploaded something private** – Mirsad Aug 20 '17 at 06:26
  • 1
    @Mirsad: good suggestion, I've added it to the answer. – Steffen Ullrich Aug 20 '17 at 06:43
  • `first check if the hash already exists at VT before uploading a file` - if file with same hash is there, then uploading or not will make no difference AFAICT – akostadinov Aug 21 '17 at 12:52
  • @akostadinov: that's what I was trying to imply: if the hash is already known to VT there is no need to also upload it. – Steffen Ullrich Aug 21 '17 at 13:29
  • The thing is that such strategy should not affect any privacy concerns. The suggested approach by @mootmoot makes more sense - check database but do not upload files. – akostadinov Aug 21 '17 at 13:57
  • @akostadinov: Relying exclusively on checking the hash is only possible if the file is in the VT database. If it is not you still might like to get an opinion from the collection of scanners in order to decide how to handle a suspicious file even if you (hopefully knowingly) reduce your privacy this way. It's a trade-off between what you gain (information about risk) and what you loose (potentially privacy). – Steffen Ullrich Aug 21 '17 at 14:07
  • My point was that checking hash before uploading wouldn't affect privacy in a meaningful way. It could improve efficiency only. – akostadinov Aug 21 '17 at 15:27
  • @akostadinov: then we probably agree. What you described as "wouldn't affect privacy in a meaningful way" I called "less invasive". – Steffen Ullrich Aug 21 '17 at 15:31
20

I wouldn't recommend uploading files containing any sensitive information. Passwords, personal notes or other forms of data that can identify you as a person or expose your privacy. As Steffen mentioned in his answer, the files can be downloaded by premium users, meaning that the files and its contents will be available to other individuals. Usually, reading the privacy policy of the website helps you grasp the general concept of what they are going to do with the data.

Josh Ross
  • 663
  • 3
  • 10
16

Yes, the files do get exposed to people outside of VT administrators.

Virustotal Premium allows downloading files and "hunting" - which involves writing YARA rules to match the files from everything that has been uploaded to VT (e.g. I can search for files that have a string "private", get alerted every time such file is uploaded to VT and download them myself). Having the Premium service is very common for security teams and companies.

Also as already mentioned, the information is shared with other communities. So if there's a risk that private documents could be uploaded, I wouldn't implement this feature.

skooog
  • 1,008
  • 7
  • 17
7

First, read this article thoroughly: Security Firm Accused of Exposing Terabytes of Customer Data, it tells you why you should not make the same mistake.

The rule of thumb of using VirusTotal to protect own file privacy is to send a sha256 hash to the database. Also, one should subscribe to prominent antivirus "business edition" that will scan the file using localized virus scanning engine.

Vilican
  • 2,703
  • 8
  • 21
  • 35
mootmoot
  • 2,387
  • 10
  • 16
3

"how safe is it to upload personal files, could they got exposed to someone beside owner of VT?".

Everyone on the route can see it. If it's not encrypted they can read it. If it is encrypted they might be able to decrypt it. If VT has a rogue employee or they get hacked then your Data can be exposed.

Never let private information go out if you want to keep it to yourself. Similarly don't put anything on your Phone, take it somewhere expecting not to lose it, and then lose it and all your Passwords, Photos, Banking Info, etc.

Same for anywhere else, not VT specifically.

Rob
  • 530
  • 1
  • 3
  • 11