News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Privacy warning – O&O FileDirect

    Posted on Rick Corbett Comment on the AskWoody Lounge

    Home Forums Code Red – Security/Privacy advisories Privacy warning – O&O FileDirect

    Viewing 7 reply threads
    • Author
      Posts
      • #2296337 Reply
        Rick Corbett
        AskWoody_MVP

        I installed O&O FileDirect v1.0.275 on 21/06/2020. I tried it, found it didn’t work properly, exited it and just left it. I have no files shared with it nor have I run it since. It is the only O&O software installed on my laptop.

        Today I noticed a file called oofdsecm.dll.log in C:\Temp (which is where I habitually redirect Temp/TMP files for both user and system). I opened the log file and found it was in plaintext and logging the full filepaths of files on my laptop and on network devices that I have personally ‘touched’ in some way (opened, deleted, etc.) from within Win 10’s File Explorer every day since installation. Just today it has logged 70 entries (so far).

        To give you an idea of the format, here’s a small screenshot:

        FileDirect

        I suspect that it’s some sort of debug file but still can’t work out why there would be any need to log the filepaths in the first place unless they were shared by FileDirect.

        I searched and found oofdsecm.dll is a file in
        C:\Program Files\OO Software\FileDirect. I also found an oofdag.exe process running and an O&O FileDirect service (with no description) running automatically. I’ve stopped and and disabled the service. This closed the process automatically.

        I’ve emailed support@oo-software.com to ask why O&O FileDirect is logging filepaths on my LAN and whether the log is uploaded to O&O.

        Attachments:
      • #2296453 Reply
        Rick Corbett
        AskWoody_MVP

        I’ve received an email reply back from an O&O Senior Technical Support Engineer. (An impressive speed of reply.)

        She confirmed that the oofdsecm.dll.log file is used for debugging. She also affirmed that the file does not leave my device.

        There was no further detail in the email, i.e. no information about how to turn the debugging off, so I decided to uninstall O&O FileDirect.

        2 users thanked author for this post.
        • #2296459 Reply
          satrow
          AskWoody MVP

          What about the data contained in the file?

      • #2296461 Reply
        Rick Corbett
        AskWoody_MVP

        What about the data contained in the file?

        No mention of the data itself nor any expansion on my obvious concerns.

        If was a very short email, quite abrupt… and said if I didn’t like it, to uninstall FileDirect.

        From the O&O website it’s very clear that backend support is primarily reserved for those who register… which I hadn’t as I was trialing a free product.

        (On a side note I was pleased to see that FileDirect’s communication with O&O servers uses WSS on HTTPS so no chance of any man-in-the-middle interception of data… if I had got it to work properly. I like the ease-of-use idea in principle so – now I’m aware of the debug log – I might look back into it in future if/when the product matures.)

        • #2296501 Reply
          satrow
          AskWoody MVP

          A little nudge about privacy concerns might be enough for them to put someone onto it and users might see FileDirect, and their computer, running better for it (many programs that arrive with a debugger issue warnings of a performance hit when enabled). Good press for their blog, win-win.

      • #2296506 Reply
        wavy
        AskWoody Plus

        O&O FileDirect make me nervous , seems like a back door in!

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
      • #2296531 Reply
        Rick Corbett
        AskWoody_MVP

        O&O FileDirect make me nervous , seems like a back door in!

        Do you mean like this? πŸ™‚

        In a way O&O FileDirect is a bit like TeamViewer’s built-in ‘File Transfer’ mode… but in reverse.

        With TeamViewer there’s an initial handshake with TeamViewer servers for authentication then you ‘push’ your data to the recipient’s filesystem, without TeamViewer’s servers getting a look in as the data transfer is encrypted end-to-end.

        If I’ve got it correct, O&O FileDirect allows you to mark data on your own filesystem for sharing, O&O’s servers set up the necessary web socket secure connection links to publish then your recipient uses the link in their browser to ‘pull’ the data from your filesystem, without O&O’s servers getting a look in because – again – the data transfer is encrypted end-to-end. All you have to do is leave your machine on.

      • #2296571 Reply
        wavy
        AskWoody Plus

        Rick I think it is the ‘pull’ part that gives me creeps..

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
      • #2296584 Reply
        Rick Corbett
        AskWoody_MVP

        Rick I think it is the ‘pull’ part that gives me creeps..

        Fair enough… but, looking at ‘how it works’ on the O&O website, I can’t see how any data could be pulled from my PC by O&O or by anyone else unless a) I had marked it to be shared and b) if I had sent the generated link to someone.

        My brother composes music; I scan and edit the family’s photos… and we live 130 miles apart. Between us we are constantly sending stuff to-and-fro and to other family members, nearly all of it over the attachment limit size for email. (My mail provider limits attachments to 2MB, rarely enough for 1 good quality photo.)

        We’ve tried online services such as Google drive, etc… but having to upload to a third-party service’s servers is time-consuming and inconvenient. TeamViewer’s file transfer works brilliantly… but means we have to arrange a time when we’re both free at the same time.

        FileDirect appears to be an ideal service for us to use… if only I could get it to work properly. I think I might have another try soon. πŸ™‚

        • #2297255 Reply
          Speccy
          AskWoody Lounger

          Interesting tool (and the concept loosely “right”) but for now it seems a bit half-baked at the moment and, more importantly, poorly documented (security through obscurity is definitely not on the wish list of privacy-minded folks).

          On an isolated VM I allowed the stub to download the 9.56Mb setup and then did a few quick, straightforward and simple offline experiments:

          oofd1

          oofd ?
          oofd /add C:Temptest.txt
          oofd /delete C:Temptest.txt
          oofd /settings
          

          oofd2

          Looking at the (hidden?) settings, both the default connection server address ( wss://signal.file.direct ) and the API server address ( https://api.file.direct, redirecting to https://www.oo-software.com/en/filedirect ) appear to confirm the assumption that the tool might be using WSS on HTTPS and standard secure encryption protocols (AES, Camellia, etc) to communicate with the O&O servers and support its core functionality (establish a securely encrypted point to point connection). The other setting suggests the (optional?) use of a STUN/TURN Server and WebRTC communication.

          Proper documentation, further analysis of the tool and closer inspection on its behavior and the network traffic it generates would be useful and enlightening. IMHO the response “tone” (short, abrupt) of the support email you received, added to the fact that this is a proprietary, closed (not opensource) software doesn’t help to build user trust on it, either.

          In regards to possible alternatives to O&O FileDirect, although also proprietary consider taking a look at Send Anywhere:

          https://send-anywhere.com/product

          The current version (product/file version 20.8.200955/20.8.4347, build 1253, digitally signed Aug 20, 2020)) is less lightweight both on size and memory usage but on the plus side it seems a more mature product (cross-platform, uses the Electron framework) with a few more, interesting options (check the settings), a User Guide and some available online documentation:

          Support (KB):
          https://support.send-anywhere.com/hc/en-us

          Notices:
          https://support.send-anywhere.com/hc/en-us/sections/201021268-Notice

          Attachments:
          1 user thanked author for this post.
      • #2297334 Reply
        Rick Corbett
        AskWoody_MVP

        Interesting tool (and the concept loosely β€œright”) but for now it seems a bit half-baked at the moment and, more importantly, poorly documented

        @speccy… thank you for your analysis of O&O FileDirect.

        In my initial testing I had no end of problems and didn’t once make a successful FileDirect file transfer.

        Gah… and yet it was so promising on paper…

        No sign either of any sign-up to a beta testing program where I could have offered to work with the developers either on ‘real world’ testing. Oh well…

        I’ll look into Send Anywhere, even though my family and I continue to use TeamViewer’s tried-and-tested File Transfer method.

        1 user thanked author for this post.
        • #2297493 Reply
          Speccy
          AskWoody Lounger

          You’re welcome. πŸ™‚

          TeamViewer’s File Transfer works well and is perfectly fine (encrypted, peer-to-peer secure communication) as long as you have a stable UDP connection to support transfer speeds of up to 200 MBps. Otherwise, it will fallback to TCP and can only reach 120 Kb/s (on slow network connections even SFTP might be considered a better alternative).

          I must say I haven’t used Send Anywhere thoroughly (only once, briefly) but it sure looked interesting and worth mentioning here as an alternative to try: if you do, please report back and let us know how that went. For the sake of transparency (in case anyone has a problem with that) it might be worth mentioning it comes from a South Korean start-up based in Seoul:

          https://send-anywhere.com/about

    Viewing 7 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Privacy warning – O&O FileDirect

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.