security issue: VirusTotal check leaks full local file system path according to dialog

[garretwilson]

When clicking on the VirusTotal icon to send a file to VirusTotal for analsys, the "VirusTotal Terms of Service" confirmation dialog says:

The following will be sent: file path, creation date, hash
You must agree to VirusTotal's terms of service to use this.
The ToS is available at
https://www.virustotal.com/about/terms-of-service
Do you agree to the VirusTotal Terms of Service?

According to this dialog, the extension sends the full local file system path. The file path should not be required to submit information to VirusTotal. If I drag-and-drop a file into the VirusTotal web site, no local path information is sent. See for example this answer on Stack Overflow:

There is no way to get full path of uploading file. Browsers have a security feature that prevents JavaScript from knowing your file's local full path. It is good that as a client, you don't want the server to know your local machine's filesystem.

See also the MDN documentation for <input type="file">.

If OpenHashTab does in fact send "file path" information as it claims, this leaks information about the local system and is a security concern.

[namazso]

OpenHashTab is using the undocumented SysInternals API for VirusTotal, which requires a different set of data. For example, the file upload dialog you mention also does not transmit the file creation time. On the other hand, it does transmit the file contents, which OpenHashTab does not.

In reality, OHT only sends in the display path. That may or may not be the actual path depending on how and where you initiated the hashing dialog. Since Autoruns also sends these pieces of data, I decided to use the API properly, to not anger the powers that may be. VT generally doesn't like if you pollute their dataset with spoofed data. I don't believe this would constitute a security issue in any capacity - the dialog says we send paths, the api requires we send paths, and in reality we may or may not send paths. If anything the fact that paths are not always sent would be a bug instead.

[garretwilson]

You said a lot of things, some of which are relevant and some of which are not. We are discussing a potential security issue. The issue is whether this tool leaks file system path information to VirusTotal. My interpretation of your response is that it may. Please correct me if I misunderstood.

Thus the conclusion is:

• OpenHashTab does not guarantee that it will not send local file system path information to VirusTotal.
• Therefore OpenHashTab may leak to VirusTotal some information about the local system, specifically local file system path names.
• Moreover this represents more leaked information than would occur than if I were to use the VirusTotal web site.

All the parts about "we use this or that API" or "VirusTotal doesn't like this or that" may be interesting background information for developer chit-chat, but it has no bearing upon the security conclusions I just listed.

I don't believe this would constitute a security issue in any capacity

If you don't mind information about your local system being sent to Google, that is your opinion. Many people have no problem sharing all sorts of things with all sorts of companies, for little or even no remuneration. But from a security standpoint typically sending additional information about a system when it is not necessary for the end goal, and when it leaks more information than using the direct web site, is not a good security design. (See "Principle of Least Privilege", "Attack Surface", etc.)

[garretwilson]

All the parts about "we use this or that API" or "VirusTotal doesn't like this or that" may be interesting background information for developer chit-chat …

To be clear, as a developer I find those parts interesting! I didn't mean to be so critical on that point—I enjoy learning the background information about the APIs used and such. Thanks. But I also want to emphasize that, although interesting, these tidbits do not affect the security conclusion. I wanted to make sure the two are separated. It does what it does, and that is the security concern. Why it does what it does is surely interesting and useful to know, but it doesn't affect the security analysis.

[namazso]

My interpretation of your response is that it may.

Correct.

OpenHashTab does not guarantee that it will not send local file system path information to VirusTotal.

Yes. It sends whatever you see in the main dialog. That may be names, fragments, or full paths.

Therefore OpenHashTab may leak to VirusTotal some information about the local system, specifically local file system path names.

I disagree. Leak implies it is not intentional or known about. The dialog explicitly says it will send paths. It is intended behavior.

Moreover this represents more leaked information than would occur than if I were to use the VirusTotal web site.

Besides the whole "leak" thing, yes, this does transmit more data than VT's search option, which only requires a hash.

But from a security standpoint typically sending additional information about a system when it is not necessary for the end goal, and when it leaks more information than using the direct web site, is not a good security design.

If you don't wish to play by VirusTotal's rules, you can opt not to use this feature. That's why the dialog exists. VT has introduced stricter filtering to these requests a few years ago, so I don't wish to commit API abuse. As an alternative, you can copy-paste the hashes into a VT URL and fill out a captcha for each after about five instead. Different API, different rules, that's all this comes down to.

[garretwilson]

Besides the whole "leak" thing, yes, this does transmit more data than VT's search option, which only requires a hash.

Not to belabor the point (and I do appreciate your prompt responses and discussion), but just to be clear, not only does it "transmit more data than VT's search option, which only requires a hash", but it also transmits more data than VirusTotal's web-based upload option, which transfers the whole file, correct?

[namazso]

it also transmits more data than VirusTotal's web-based upload option, which transfers the whole file, correct?

No, OHT will never transmit the contents of the file, and as such is not a superset of the file upload option’s transmitted data. Only display path, creation date, and hash is ever sent, exactly as the message box tells you.

[garretwilson]

I think I may have not phrased the question in the clearest way. Let me retry:

… this does transmit more data than VT's search option, which only requires a hash.

OpenHashTab may transmit file system full path information. VirusTotal's online web site search-by-hash option does not transmit file system full path information. Likewise VirusTotal's online web site upload-entire-file option also does not transmit file system full path information.

Therefore OpenHashTab not only transmits additional data that VirusTotal's search option does not, but also transmits additional data that VirusTotal's web site upload of the entire file option does not.

[namazso]

Yes, that is correct. Creation date and maybe-full path are not something that anything on the website transmits.

[garretwilson]

Gotcha. Thanks.

I would imagine that most users, even reading the warning dialog, will not read it so closely to realize that OpenHashTab will send additional information to VirusTotal that would not be transmitted should they submit the file directly via the VirusTotal web site. They will probably think, "oh, cool, this is a great convenience, I can more easily do exactly what I do on the VirusTotal site, and it works exactly the same way". (That's a guess; neither of us know for sure unless we poll users, but it's a reasonable guess.) Perhaps a bold sentence in the dialog "This function will send additional information to VirusTotal that would not be sent using the VirusTotal web site." might help clarify this.

In any case, if I continue to use the tool, I may try the registry trick to keep from accidentally clicking on the VirusTotal button. It would be nice if that was an actual option in the settings.

Thanks for the discussion and the transparency.

[namazso]

I wanted to check what other users of this API do, just for the record and anyone else finding this issue:

Sysinternals Process Explorer by Microsoft shows the following prompt:

And submits the following body:

[
  {
    "autostart_location": "",
    "autostart_entry": "",
    "hash": "437AC095F1CA1BE57DF144FA3B9072FA005CD7FE",
    "image_path": "C:\\test.exe",
    "creation_datetime": "2025-04-20 02:05:01"
  }
]

Nevertheless I'm honored to be held to a higher standard than Microsoft.

Perhaps a bold sentence [...]

Formatted text is quite challenging to achieve on Windows (compared to a MessageBox anyway). If it wasn't, the link would be made clickable too.

In any case, if I continue to use the tool, I may try the registry trick to keep from accidentally clicking on the VirusTotal button. It would be nice if that was an actual option in the settings.

The ToS acceptance dialog will pop up if you do that and haven't accepted the ToS. It's actually implemented as a hidden setting. This is also identical to how it's done in Process Explorer.

[mariomadproductions]

Since Autoruns also sends these pieces of data, I decided to use the API properly, to not anger the powers that may be. VT generally doesn't like if you pollute their dataset with spoofed data.

You're already "spoofing" the program the data is coming from. And if you can submit a filename without full path depending on where you initiated the hashing dialog, or by using the VirusTotal website, it follows that it is not truly "spoofing" anything to just provide VirusTotal with the filename.