Friday, November 25, 2005

Limewire File sharing program exposes hard drives

11:39 PM CST on Tuesday, November 22, 2005
Click here to view video.

Users of LimeWire, a file sharing program used by millions of Americans, might be making their private financial and personal information vulnerable.

A major security flaw with LimeWire makes it easy to search the hard drive of anyone who is also using the program while sending files back and forth.

While News 8 won't expose how to do that, when showed to people who were running LimeWire on their computer they were shocked.

With a few clicks of the keyboard, in just a matter of minutes and with Chrystal Snow's permission, News 8 found out a lot about the Dallas business woman.

"Anything from my bank statements are on there, my resumes, personal information, photos, you name it," Chrystal Snow said about her computer.

She let News 8 try to search her private computer files using LimeWire, and it turned out to be amazingly easy.

News 8 found her credit card records, banking information and proprietary business information.

In an earlier era, the famous bank robber Willie Sutton once said he robbed banks because that's where the money was.

With LimeWire, it is possible to take someone's identity and money.

"I thought you got on LimeWire to share music, and I'm shocked my information is out there for anyone to find," Snow said.

The problem occurred from something written into the program, which was more than likely not an accident.

Dallas computer security consultant Ed Chiarini is one of many warning about the dangers of file sharing. He said what someone can find goes far beyond identity theft.

"There are national security issues when it comes to some files on there," said Chiarini, from

Experts said what makes LimeWire so dangerous is that anyone using the program can do a secret search of someone else's computer information without the victim knowing it.

"It's the equivalent of you walking into someone's house with their permission and noticing a pile of papers on the table, picking them up and looking at them and realizing I have got your social security number, your tax forms," said Paul Schmehl, University of Texas Dallas computer security expert. "I've got sensitive information you would never let me see."

LimeWire declined repeated requests for an on-camera interview. Instead, the company issued a statement insisting it fixed the problem last spring, and that no further action is needed because the company said the program is safe.

For her part, Snow took LimeWire off her computer immediately and vows never to use it again.

"You never know who it is, or where they are or what they're involved with," she said. "If you can sit down at a computer and in five minutes find really sensitive information, then someone who wants to find it will have already done so."

News 8 also did the same experiment using the most current LimeWire software. The company said you can customize the installation of the program on the computer to avoid making information vulnerable.

But experts said most people who download LimeWire would simply use the default settings.

As News 8 discovered, personal data is there for everyone to find.
(emphasis added).

According to LimeWire Features History, version 4.8.1 was released in March 2005, and in June 2005 version 4.9 was released. In the notes for 4.9 the following statement is made:

We've gone to great lengths to make sure that you don't accidentally share files you didn't mean to. LimeWire will now detect directories that are "sensitive", prompting the user to confirm that they really do want to share them. You can also now choose to stop sharing a single file from a shared folder, or stop sharing a subdirectory of a shared folder. For users who want to share files from arbitrary locations, you can also choose to share any individual file. These files will show in a special 'Individually Shared Files' item in the library. The Library tab has also been revamped to give you more control over what you're sharing while maintaining LimeWire's famous ease-of-use.

So the story is either out of date or not referring to what is normally known as a "security flaw".

original story | digg story | WFAA News Story: Flaws Exposed

No comments: