Privacy warning – O&O FileDirect

Topic

New Reply

I installed O&O FileDirect v1.0.275 on 21/06/2020. I tried it, found it didn’t work properly, exited it and just left it. I have no files shared with it nor have I run it since. It is the only O&O software installed on my laptop.

Today I noticed a file called oofdsecm.dll.log in C:\Temp (which is where I habitually redirect Temp/TMP files for both user and system). I opened the log file and found it was in plaintext and logging the full filepaths of files on my laptop and on network devices that I have personally ‘touched’ in some way (opened, deleted, etc.) from within Win 10’s File Explorer every day since installation. Just today it has logged 70 entries (so far).

To give you an idea of the format, here’s a small screenshot:

I suspect that it’s some sort of debug file but still can’t work out why there would be any need to log the filepaths in the first place unless they were shared by FileDirect.

I searched and found oofdsecm.dll is a file in
C:\Program Files\OO Software\FileDirect. I also found an oofdag.exe process running and an O&O FileDirect service (with no description) running automatically. I’ve stopped and and disabled the service. This closed the process automatically.

I’ve emailed support@oo-software.com to ask why O&O FileDirect is logging filepaths on my LAN and whether the log is uploaded to O&O.

Reply | Quote

Replies

I’ve received an email reply back from an O&O Senior Technical Support Engineer. (An impressive speed of reply.)

She confirmed that the oofdsecm.dll.log file is used for debugging. She also affirmed that the file does not leave my device.

There was no further detail in the email, i.e. no information about how to turn the debugging off, so I decided to uninstall O&O FileDirect.

2 users thanked author for this post.

wavy, satrow

Reply | Quote

What about the data contained in the file?

Reply | Quote

satrow wrote:

What about the data contained in the file?

No mention of the data itself nor any expansion on my obvious concerns.

If was a very short email, quite abrupt… and said if I didn’t like it, to uninstall FileDirect.

From the O&O website it’s very clear that backend support is primarily reserved for those who register… which I hadn’t as I was trialing a free product.

(On a side note I was pleased to see that FileDirect’s communication with O&O servers uses WSS on HTTPS so no chance of any man-in-the-middle interception of data… if I had got it to work properly. I like the ease-of-use idea in principle so – now I’m aware of the debug log – I might look back into it in future if/when the product matures.)

Reply | Quote

A little nudge about privacy concerns might be enough for them to put someone onto it and users might see FileDirect, and their computer, running better for it (many programs that arrive with a debugger issue warnings of a performance hit when enabled). Good press for their blog, win-win.

Reply | Quote

O&O FileDirect make me nervous , seems like a back door in!

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

wavy wrote:

O&O FileDirect make me nervous , seems like a back door in!

Do you mean like this? 🙂

In a way O&O FileDirect is a bit like TeamViewer’s built-in ‘File Transfer’ mode… but in reverse.

With TeamViewer there’s an initial handshake with TeamViewer servers for authentication then you ‘push’ your data to the recipient’s filesystem, without TeamViewer’s servers getting a look in as the data transfer is encrypted end-to-end.

If I’ve got it correct, O&O FileDirect allows you to mark data on your own filesystem for sharing, O&O’s servers set up the necessary web socket secure connection links to publish then your recipient uses the link in their browser to ‘pull’ the data from your filesystem, without O&O’s servers getting a look in because – again – the data transfer is encrypted end-to-end. All you have to do is leave your machine on.

Reply | Quote

Rick I think it is the ‘pull’ part that gives me creeps..

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

wavy wrote:

Rick I think it is the ‘pull’ part that gives me creeps..

Fair enough… but, looking at ‘how it works’ on the O&O website, I can’t see how any data could be pulled from my PC by O&O or by anyone else unless a) I had marked it to be shared and b) if I had sent the generated link to someone.

My brother composes music; I scan and edit the family’s photos… and we live 130 miles apart. Between us we are constantly sending stuff to-and-fro and to other family members, nearly all of it over the attachment limit size for email. (My mail provider limits attachments to 2MB, rarely enough for 1 good quality photo.)

We’ve tried online services such as Google drive, etc… but having to upload to a third-party service’s servers is time-consuming and inconvenient. TeamViewer’s file transfer works brilliantly… but means we have to arrange a time when we’re both free at the same time.

FileDirect appears to be an ideal service for us to use… if only I could get it to work properly. I think I might have another try soon. 🙂

Reply | Quote

Interesting tool (and the concept loosely “right”) but for now it seems a bit half-baked at the moment and, more importantly, poorly documented (security through obscurity is definitely not on the wish list of privacy-minded folks).

On an isolated VM I allowed the stub to download the 9.56Mb setup and then did a few quick, straightforward and simple offline experiments:

oofd ?
oofd /add C:Temptest.txt
oofd /delete C:Temptest.txt
oofd /settings

Looking at the (hidden?) settings, both the default connection server address ( wss://signal.file.direct ) and the API server address ( https://api.file.direct, redirecting to https://www.oo-software.com/en/filedirect ) appear to confirm the assumption that the tool might be using WSS on HTTPS and standard secure encryption protocols (AES, Camellia, etc) to communicate with the O&O servers and support its core functionality (establish a securely encrypted point to point connection). The other setting suggests the (optional?) use of a STUN/TURN Server and WebRTC communication.

Proper documentation, further analysis of the tool and closer inspection on its behavior and the network traffic it generates would be useful and enlightening. IMHO the response “tone” (short, abrupt) of the support email you received, added to the fact that this is a proprietary, closed (not opensource) software doesn’t help to build user trust on it, either.

In regards to possible alternatives to O&O FileDirect, although also proprietary consider taking a look at Send Anywhere:

https://send-anywhere.com/product

The current version (product/file version 20.8.200955/20.8.4347, build 1253, digitally signed Aug 20, 2020)) is less lightweight both on size and memory usage but on the plus side it seems a more mature product (cross-platform, uses the Electron framework) with a few more, interesting options (check the settings), a User Guide and some available online documentation:

Support (KB):
https://support.send-anywhere.com/hc/en-us

Notices:
https://support.send-anywhere.com/hc/en-us/sections/201021268-Notice

1 user thanked author for this post.

Rick Corbett

Reply | Quote

Speccy wrote:

Interesting tool (and the concept loosely “right”) but for now it seems a bit half-baked at the moment and, more importantly, poorly documented

@speccy… thank you for your analysis of O&O FileDirect.

In my initial testing I had no end of problems and didn’t once make a successful FileDirect file transfer.

Gah… and yet it was so promising on paper…

No sign either of any sign-up to a beta testing program where I could have offered to work with the developers either on ‘real world’ testing. Oh well…

I’ll look into Send Anywhere, even though my family and I continue to use TeamViewer’s tried-and-tested File Transfer method.

1 user thanked author for this post.

Speccy

Reply | Quote

You’re welcome. 🙂

TeamViewer’s File Transfer works well and is perfectly fine (encrypted, peer-to-peer secure communication) as long as you have a stable UDP connection to support transfer speeds of up to 200 MBps. Otherwise, it will fallback to TCP and can only reach 120 Kb/s (on slow network connections even SFTP might be considered a better alternative).

I must say I haven’t used Send Anywhere thoroughly (only once, briefly) but it sure looked interesting and worth mentioning here as an alternative to try: if you do, please report back and let us know how that went. For the sake of transparency (in case anyone has a problem with that) it might be worth mentioning it comes from a South Korean start-up based in Seoul:

https://send-anywhere.com/about

Reply | Quote

This is an old thread/topic… but I thought it worthwhile to note that Send Anywhere worked admirably between my brother and I whilst I waited for the TeamViewer backend staff to unblock the restriction it had put on my usage after its (presumably automated) assessment that my usage was ‘non-personal’.

Thanks to both Send Anywhere for helping me out of a hole and to TeamViewer‘s backend staff for rescinding the block once I had explained my usage was 100% personal, not business-related.

2 users thanked author for this post.

Speccy, RockE

Reply | Quote

Cool. Glad to know it worked well for you, Rick. 🙂

Reply | Quote