[Bug 299987] Automatically accept file transfers

Daniele E. Domenichelli daniele.domenichelli at gmail.com
Thu Jul 19 16:19:12 BST 2012


https://bugs.kde.org/show_bug.cgi?id=299987

--- Comment #10 from Daniele E. Domenichelli <daniele.domenichelli at gmail.com> ---
(In reply to comment #9)
> The other thing is - who sends files without communicating by chat first and
> getting confirmation from the other side ("sure, send it")?

Most of my work colleagues don't do it, usually when they send files to group
chats.
Moreover someone might tell you "I'll send you 10 images", and send them one by
one, I don't want to accept 10 file transfers...


> > I don't see a big security risk, the option will be disabled by default and the 
> > file is not run, is just saved...
> 
> Getting the file inside the computer is the first thing ;)

Then you should reject all emails containing attachments as well.


> I believe you cannot generalize this. I have ~150 contacts on GTalk, half of
> which I don't know personally but I have them there because G+ adds
> everybody automatically. So if some of these people would send me some file,
> I would most probably deny it.

G+ is really broken then... I would be more worried about automatically added
contacts rather than about a file saved on my hard drive.


> Actually thinking about it - with the auto-accept enabled only when away
> it's even worse. Suppose you have some contact in your list (even a
> bot/virus), who wants to do damage to your machine. He knows when you are
> away (either sees you or by other means), so he just waits until you're away
> and then send you a file, which could be a malicious file and by
> auto-accepting it it will get it through to your computer. There's still a
> possibility of some remote access/hijacking all this. And this would all
> happen while you're away from your computer, not knowing anything that's
> going on.

Granted that your contact knows that you have enabled auto-accept, you end up
with a file received on your hard drive and a notification that your contact
sent you a file. More or less like when you receive an email with a virus,
except that through email anyone can send it, while it must be in your contact
list to send it through Telepathy.
And that suddenly you realize that you should ban that contact...

But I agree with you that there is some risk if someone is trying to saturate
your bandwidth (even though his upload bandwidth is quite likely to be way
smaller than your download one) or to fill your hard drive, anyway, I don't say
you have to enable that option.


By the way, I just had a useful idea for a future version: we could have an
observer that scans the received files for viruses...
