49 Replies Latest reply on Jan 10, 2016 10:42 AM by BruceRobertson

    Webviewer and Web Snoops

      Does adding a WebViewer page to your file create a potential security issue if it is used to browse the Internet?

       

      I've posted a blog page where I consider this and invite you to read it.

       

      http://fmpfirewall.com/2015/12/30/filemaker-webviewer-and-malware/

       

      The issues are that the Webviewer cannot employ the plugins and safety features of whatever browser you use such as preventing popups and planting cookies or malware downloads.

       

      Using a Webviewer for FileMaker specific tasks is probably safe but what happens when it is exposed to the Internet. Are there security issues that cannot be handled by a FileMaker scripter?

        • 1. Re: Webviewer and Web Snoops
          mikebeargie

          If a developer is offering open access to the internet via a webviewer, then I doubt there's a "guaranteed" level of security. But most filemaker developers I know are using the webviewer for highly restricted or sandboxed files, and not allowing such open access. The nature of a webviewer however, would indicate that it's the developer's responsibility, and NOT filemaker inc.'s responsibility to test the security and make decisions for their solution.

           

          The webviewer has no address bar, and right clicking only ever produces "forward/back/reload", so how exactly are users getting to malicious sites without a developer allowing it?

           

          Reading your article, you mention using adblock plus, popup blockers and ghostery to reduce tracking, however you fail to point out that if a filemaker user has unrestricted access to the internet in filemaker, they most likely have it in their browser of choice as well. Also, since you're depending on plugins for your browser security, you're going outside of what your browser provider is giving you by default, in essence "cheating" when comparing your browser as a baseline to filemaker.

           

          I'm not sure what your goal is here, but I think pointing the finger at filemaker and saying that the webviewer is completely without security is false. In general, the only takeaway I get from your article is that "the internet is dangerous and you can get personal information stolen and malware installed from accessing it"; Which is NOT a filemaker specific statement, it's generalized to all internet access.

           

          Have you successfully installed malware to a user's computer via a webviewer? I don't mean to put on too much of an "innocent until proven guilty" tone, but you can call me skeptical of your doomsday edict when you compare the average capabilities (and vulnerabilities) of a browser against the limited scope of a webviewer.

           

          I think the only thing you might be able to point to as a security flaw is filemaker's suggested links for a google search link in the webviewer. I've never used them, but can see that this potentially opens up access as you suggest.

          • 2. Re: Webviewer and Web Snoops
            user19752

            It seems you are using only OSX.

            I have tested only on Windows; at least the Flash add-on setting (disable/enable) in IE is applied to the web viewer.

             

            And I saw the web viewer block some content for security reasons.

             

            "data:text/html,<body style='margin:0;border:0;padding:0;overflow:hidden'><img src='https://community.filemaker.com/resources/statics/140612/fm_community_logo_big.png' onload='this.style[this.width>this.height?\"width\":\"height\"]=\"100%\"'></body>"

            • 3. Re: Webviewer and Web Snoops

              Flash settings are controlled separately by Adobe and not by the browser or plugins. And Adobe jumped on the tracking bandwagons long ago and now sells our info to its customers who have $$. By the way, the default setting for any of them is that they are allowed to use your camera, your microphone and store data on your computer to be shared. So much for security, but then the account name and password is supposedly sufficient, right...

              • 4. Re: Webviewer and Web Snoops
                wimdecorte

                JackRodgers wrote:

                So much for security but then the account name and password is supposed sufficient, right...

                 

                That's an inane statement for someone who seems to be so focused on security.   The account and password just tells the system WHO  you are, not WHAT you can do.  It is the privilege set and the design decisions by the developer that determine the level of security and is at the heart of good security, not the account name and pw.

                 

                Any database system is designed to get data in and out and manipulate data along the way.  Any of this can be leveraged to subvert the process.  Any entry and exit point is a risk.  Does that mean it is "wholesale scary" as you seem to be trying to make it out?  No.

                 

                What is the possible impact? (varies by what the system is there for)

                What is the ease of exploitation? (to be assessed - by developer and client)

                What is the possibility of the risk materializing? (to be assessed - by developer and client)

                 

                I'm with mikebeargie on this:  the webviewer is pretty well locked down and only the developer's choices can open it up.  And I have not seen a solution so far that just lets the user browse around the internet from a web viewer.

                • 5. Re: Webviewer and Web Snoops
                  mikebeargie

                  Again, the only way someone's going to see flash in the webviewer is if the developer allows it.

                   

                  If your interest is to educate this community on better security practices, then please demonstrate potential flaws with actual results, and we can work together to avoid them. Otherwise it's just speculation and trying to place blame where it isn't due.

                  • 6. Re: Webviewer and Web Snoops

                    Any webviewer that sends a user to a webpage allows the user to browse around the Internet by clicking on any url on that web page. I am amazed that you aren't aware of this. And if the page offers a search engine, anything can happen. Those web pages can be filled with malware clickers. Webviewers won't stop the popup ads and other new java devices.

                     

                    HTML is becoming quite sophisticated and many web pages contain a dozen or more trackers built in. Java allows the web page designer to do so many things and to scrape so much information from our computers. Not to mention what FileMaker built in a version or 2 ago that allows the developer to scrape the user's documents folder and even insert files from there into a container field without notifying the user.

                     

                    The United States government has hired on with a corporation that plants giant cookies on anyone who visits various websites and then shares that data with other government agencies.

                     

                    The WebViewer as I stated is not equipped with any of the security features one might find in Chrome or Explorer. It does not have the ability to decide if a site is malware and warn about it. I cannot deploy any of the browser plugins that offer some extra degree of security.

                     

                    The web page developer can do amazing things these days. I've begun reading some of the html and so much of it is designed to scrape information from our computers and surfing. FileMaker and the html can deposit files on our computers without us knowing about it.

                    • 7. Re: Webviewer and Web Snoops

                      "Again, the only way someone's going to see flash in the webviewer is if the developer allows it."

                      Which brings us full circle to my original statement, doesn't it.

                       

                      If the WebViewer is used for surfing the Internet, the WebViewer lacks the features of the plugins I use in my browsers and does not stop popups and all of the data scrapers that are being used. For instance, send a user to FileMaker Inc.'s support pages to view one of the basic pdfs. FileMaker employs several data scrapers on that web page as Ghostery shows below. These were stopped in my browser but not in WebViewer.

                       

                      I don't know if this attachment will make it via email but it shows that this FileMaker support page employed three data scrapers. Now your secured database will be sending various information about your computer to these unknown corporations to share with other unknown entities. And no mention is made of this. Does FileMaker violate its own database application security using these data harvesters?

                      • 8. Re: Webviewer and Web Snoops
                        mikebeargie

                        The United States government has hired on with a corporation that plants giant cookies on anyone who visits various websites and then shares that data with other government agencies.

                        I see we're not making it past your tin foil hat. You might want to refrain from using the internet entirely at this point given your attitude. Chances are there's at least a dozen trackers your browser plugins do not capture that are collecting data about you at any given time for any website you visit. Unless you can account for and decode every packet to and from your network card, you'll never know 100% what's happening to your data.

                         

                        As Wim and I have pointed out, the webviewer is only as secure as the developer using the object makes it. This is not a flaw of filemaker itself, or fault of filemaker inc. as a company, it's a "nature of the beast" issue. There are plenty of other software programs and platforms that implement webviewer-like objects that also give no control over any sort of security. The app I have published in the app store for iOS uses the UIWebView class to load html content for the user in my interface. It is the same principle, and is completely secure.

                         

                        I point my filemaker webviewers towards PHP pages that I host, and have total control over. They do not allow user interactions and there are no links to click on. Yet they allow me to act through the internet to perform powerful functionality not native to filemaker. There is no tracking. There are many other developers doing the same thing, loading controlled pages, scripts or content that they have total control over, to augment the filemaker experience.

                         

                        Any webviewer that sends a user to a webpage allows the user to browse around the Internet by clicking on any url on that web page. I am amazed that you aren't aware of this.

                        This tone is uncalled for. We agree with you that if you point your webviewer towards "SpamTheHellOutOfMe.com", you're probably right in saying that you will be tracked and even possibly attacked. What we're trying to point out is that the average developer, and certainly the majority of what we've seen, DON'T open their webviewers to such sites.

                         

                        Your stance against data mining is interesting. As you noted, almost every page on the internet uses it. So do you even browse the internet? There are plenty of sites (EG Hulu) that will block you from using their site if you have such blockers installed. I don't want to debate ethics, but I'm fine handing over some anonymous and even NOT anonymous browsing data to a service provider. Twitter, Facebook, YouTube, etc.. all provide services that make my life easier or enjoyable, at the cost of providing them with data they can use to sell or market. All of those things are free to me, so I don't really have a problem with it.

                         

                        FileMaker does have vulnerabilities, almost all of which are a result of poor development, including the vulnerability you're attempting to point out here. Again, if you're trying to educate the community, educate us. If you're just here to fingerpoint, I'm not interested.

                        • 9. Re: Webviewer and Web Snoops
                          mikebeargie

                          If the WebViewer is used for surfing the Internet, the WebViewer lacks the features of the plugins I use in my browsers and does not stop popups and all of the data scrapers that are being used.

                           

                          So don't use it to surf the internet?

                           

                          The webviewer is designed as a "lite" client for single pages, limited sites, or for loading generated web content from filemaker to display it in a user-friendly format. FileMaker Inc. has never marketed the feature as a fully featured web browser.

                           

                          There are dozens of uses for the webviewer that don't even require an internet connection.
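Several replies make the same practical point: the web viewer only reaches what the developer's script hands it, so the defence is to constrain that input. The following is an added Python example, not code from the thread, from FileMaker or from any poster; it assumes a solution where the web viewer's source is computed by a script and the developer can run a pre-check (for instance in a small hosted helper) before the URL is accepted. The hostnames in the allowlist are constructed for the example. It rejects the schemes that execute script or read local files (javascript:, data:, file:), embedded credentials, non-standard ports and any host not on the list, and returns a canonical https URL only when every check passes.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for the example: the only origins this solution's
# web viewer is permitted to load. Hypothetical hosts, not from the thread.
ALLOWED_HOSTS = frozenset({"intranet.example.test", "reports.example.test"})

# Schemes that execute script or expose local files instead of fetching a
# page; these must never reach a web viewer fed from user-influenced data.
BLOCKED_SCHEMES = frozenset({"javascript", "data", "file", "vbscript"})


def validate_webviewer_url(url: str,
                           allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Return a canonical https URL if `url` is on the allowlist, else None.

    The check is deliberately strict: only https, only exact hostnames from
    the allowlist (no subdomain wildcards), no embedded credentials and no
    non-standard port. Anything else is rejected rather than "cleaned up".
    """
    if not isinstance(url, str) or len(url) > 2048:
        return None
    parts = urlsplit(url.strip())

    scheme = parts.scheme.lower()
    if scheme in BLOCKED_SCHEMES or scheme != "https":
        return None

    # Reject "user:pass@host" forms: "https://intranet.example.test@evil.example"
    # would otherwise look allowlisted to a naive substring check.
    if parts.username is not None or parts.password is not None:
        return None

    # urlsplit already lower-cases the hostname; strip a trailing dot so
    # "host." cannot be used to dodge an exact-match comparison.
    host = (parts.hostname or "").rstrip(".")
    if host not in set(allowed_hosts):
        return None

    try:
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port not in (None, 443):
        return None

    # Rebuild without userinfo, explicit port or fragment so the web viewer
    # always receives one canonical form.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def check_candidates(urls: Iterable[str]) -> dict:
    """Map each candidate URL to its validated form, or None if rejected."""
    return {u: validate_webviewer_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs mixing legitimate and hostile candidates.
    samples = [
        "https://intranet.example.test/report?id=3",
        "HTTPS://Reports.Example.Test",
        "http://intranet.example.test/",
        "javascript:alert(1)",
        "data:text/html,<b>hello</b>",
        "https://intranet.example.test@evil.example/",
        "https://intranet.example.test:8443/",
    ]
    for url, result in check_candidates(samples).items():
        print(f"{'ALLOW' if result else 'REJECT':6} {url!r} -> {result!r}")
```

The allowlist is keyed on exact hostnames rather than substrings because a substring match is exactly what the userinfo and query-string tricks in the sample list are designed to fool; a developer who needs several hosts adds them to the set rather than loosening the comparison.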

                          • 10. Re: Webviewer and Web Snoops

                            Ah, the old tin foil hat foil...

                            Your PHP pages aren't that secure. The browser will collect information even if the page itself is secured. Chrome and Explorer will grab your IP, email address, etc.

                             

                            I've detected a number of errors in the posts so far.

                             

                            My point in the original post was that the WebViewer is not as secure as a browser might be made via plugins. I made this to enhance the awareness of the community to that issue. You have proven my point.

                            We can pick each other to death over some small point in one of these posts but that is pointless.

                            I say the WebViewer isn't secure and I am wrong according to the two of you. Then you say it is up to the developer to make it secure and you are right? What gives? We both say the same thing but I am wrong? Please...

                            • 11. Re: Webviewer and Web Snoops

                              The WebViewer has a field for inserting ANY url on the Internet; it is used for just that by some developers.

                              FileMaker has functions to add the back and forth functions of the arrows in a browser, etc.

                              FileMaker has never marketed the function Get(DocumentsPath...) as a method of secretly capturing a list of all of a user's documents folder files or inserting them in a container field, and yet that can be done.

                               

                              Please, better arguments...

                              • 12. Re: Webviewer and Web Snoops
                                mikebeargie

                                Sorry, nobody can make better arguments than you Jack.

                                 

                                raises hand

                                 

                                "Check, please..."

                                • 14. Re: Webviewer and Web Snoops
                                  wimdecorte

                                  JackRodgers wrote:

                                   

                                   

                                  FileMaker has never marketed the function Get(DocumentsPath...) as a method of secretly capturing a list of all of a user's documents folder files or inserting them in a container field, and yet that can be done.

                                   

                                  Please, better arguments...

                                   

                                  Deep *deep* sigh...

                                   

                                  What kind of argument is that?  As stated before, a database is made to let data in and out and it is up to the designer of the solution to make sure it does not do what it is not supposed to do.  That applies to the web viewer and it applies to the Get(DocumentsPath).  And a few dozen other features that FM has.

                                   

                                  Pretty much all the vulnerabilities that you are hinting at would require someone to write their own scripts to take advantage of it or have layout mode access.  If that is so then THAT is where the risk is, not the functions or widgets.  You're talking about a badly designed system.
