Security posture and advisories of iMacros.


by MarlonBorba on Tue Oct 03, 2017 10:37 am

Dear sirs,

Where can I find documentation about iMacros security posture (secure development practices, security advisories, best practices and patches)?

TIA,

Marlon Borba.
MarlonBorba
 
Posts: 1
Joined: Tue Oct 03, 2017 10:31 am

Re: Security posture and advisories of iMacros.

by chivracq on Tue Oct 03, 2017 1:00 pm

MarlonBorba wrote:

Dear sirs,

Where can I find documentation about iMacros security posture (secure development practices, security advisories, best practices and patches)?

TIA,

Marlon Borba.

Euh..., the "Dear sirs" sounds a bit misogynistic to me to be honest, ah-ah...!, we have Ladies on the Forum and even in iMacros TechSupport answering Qt's from both Men and Women...! :o

>>>

But OK..., hum, strange Qt a bit I find, I don't think anybody ever asked it before on the Forum, I will give you my "Thoughts" after a bit of "Thinking", ah-ah...!

Well, first about "Patches" (and "New Releases"), all Info and Announcements can always be found on the Ipswitch/iMacros Site, on the Forum in the 'News and Announcements' Sub-Forum (hum, which surprisingly didn't (and still doesn't) say anything about iMB v12.0 which was released about 1 month ago now...!) and of course in their respective 'Version History' Wiki-Page for the 4 Browsers supported by iMacros (iMB/IE/FF/CR), with direct Links to those Pages at the bottom of the Wiki-Page for the 'VERSION' Command...

>>>

OK, and then about the "Security" aspect... Hum, not sure if you mean the Code for iMacros itself, as Browser like for iMB or Add-on for the 3 other supported Browsers or if you mean the Content of a Macro/Script written in iMacros native Language ('.iim' Macros) or JavaScript ('.js' Scripts) that can be run in iMacros for FF using FF Native JavaScript Runtime Engine...

Concerning the Code of the Browser (iMB) or the 3 Add-ons, iMB is forked on IE and follows I guess its Security-Patch Process, so if a new Vulnerability is found in IE, iMB would probably be impacted as well, even if hum, you are right, there are much fewer Updates for iMB than for IE, but is IE still being maintained btw...?
For the Add-ons for IE/FF/CR, they simply automate Tasks that you do in their respective Browser, with Click-Click-Click, Copy&Paste, Fill a Form, Extract and Download, Upload, they inherit the "Security" and "Vulnerability" of your Browser if your Script takes you to some hacked/phishing Site exactly like if you clicked manually on some "dangerous" Link or Button...

I'm not sure about IE, but for the iMacros for FF Add-on, its Code is "semi" Open Source, it's simply a bunch of '.js' Scripts wrapped in an '.XPI' File which is simply a compressed '.ZIP'/'.RAR' File and can be easily decompiled and inspected like I explained in this Thread for example... And I mostly/only use (iMacros for) FF but I reckon Add-ons for CR can also be decompiled...
And for both Browsers, you can (or should...!) only download them from the Mozilla or Chrome Add-on Gallery or from the iMacros Version History Page which I guess are pretty safe "Places"...
If you download them from some "obscure" Hacking Forum/Site, then tja...!, yep, that's asking for trouble Darling, ah-ah...!, it's indeed possible to modify the Add-on, I run my own self modified Version of iMacros for FF (v8.8.2) for the "Fun"... :roll:

>>>

Now concerning the "Code" or rather "Content" of an '.iim' or '.js' iMacros Macro/Script...: Well, when you run a Macro that you either wrote yourself or got from Internet or from some Contractor, you can always inspect its Content and its Code, it's not like some "obscure" '.EXE' that you will execute blindly without knowing what happens "underneath"... Even embedded Macros or Base64 encoded Macros must first pass your Approval and Inspection as the User before they will run...
Tja..., and in case of any "Doubt", then don't run them and first ask for some Advice or Review from some Programmer or on the Forum as well...

Now in Macros themselves, you can have a few "dangerous" Commands that I can think of...:
- '!ENCRYPTION': When logging into some Website, if you've included your Login and Password into your Macro, you can use the 'ENCRYPTION' Command and Tool to encrypt them (well the Password at least, I've never used it actually).
- 'SAVEAS' and 'ONDOWNLOAD': Tja..., downloading Files from Internet can always be "unsafe", ah-ah...! The 'ONDOWNLOAD' Command offers a Mechanism to check the 'CHECKSUM' and '!DOWNLOADED_SIZE' of the File.
- 'FILEDELETE': Yep, some other "potentially" dangerous Command is 'FILEDELETE' which is indeed able to delete Files on your Local HD... But tja...!, not difficult to spot if you inspected a bit your Macro, and most Browsers keep tightening this part to prevent/limit IO File Access on the local Drive from JavaScript.

Then still about Macro Code, using iMB and the Scripting Interface, it is possible to control any of the 4 Browsers and to run iMacros Scripts from practically every existing (Win32/64) Programming Language, including VB, Python, C++, C#, WShell, etc... And yep..., it's possible to reformat your 'C:\' Drive from a VB Program or even from a '.BAT' File, ah-ah...! But then, again...!, where did you get that Script from if you didn't write it yourself...!? :twisted:

>>>

Oh ja/yeah...!, and you were asking about "Best Practice", tja..., start by "Practice" and "Practicing" I would say, iMacros is not difficult to use, 10-14 year old Kids use it, when recording your Actions on some Site, iMacros already does 90% of the Job..., then read the Documentation, read a few Pages of Threads on the Forum and have a look at the Demos, just like I did when I discovered iMacros... (well I only came to/discovered the Forum a few years later to report a Bug that I found pitifully blocking then, still not solved but I finally found a Workaround about 1 year ago), and now my Scripts are smarter than me, oops...! :idea:
- (F)CIM = (Full) Config Info Missing: iMacros + Browser + OS with all 3 Versions...
- I usually don't even read the Question if that (required) Info is not mentioned...
- Script & URL usually help a lot for a more "educated" Help...
chivracq
 
Posts: 6479
Joined: Sat Apr 13, 2013 6:07 am
Location: Amsterdam (NL)
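
The reply above recommends inspecting a macro before running it and names the commands to look for. The following is an added example, not part of the thread and not iMacros code: a small review helper that flags those commands in an '.iim' file. The sample macro, its paths, URL and hash are constructed, and the parameter syntax shown (NAME=, FOLDER=, CHECKSUM=MD5:..., SET !ENCRYPTION NO, apostrophe comments) is an assumption about the macro language.

```python
import re

# Commands the post names as worth a second look, with the reason to review them.
RISKY = {
    "FILEDELETE": "deletes a file on the local disk",
    "SAVEAS": "writes page content to the local disk",
    "ONDOWNLOAD": "accepts a file download",
}

def review_macro(text):
    """Return (line_number, command, note) findings for an .iim macro."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Blank lines and comment lines (leading apostrophe, assumed) run nothing.
        if not line or line.startswith("'"):
            continue
        tokens = line.split()
        command = tokens[0].upper()  # match case-insensitively to be conservative
        if command in RISKY:
            note = RISKY[command]
            # The post points at CHECKSUM as the download integrity check.
            if command == "ONDOWNLOAD" and not re.search(r"\bCHECKSUM=", line, re.I):
                note += "; no CHECKSUM= parameter"
            findings.append((number, command, note))
        elif command == "SET" and len(tokens) >= 3 and tokens[1].upper() == "!ENCRYPTION":
            if tokens[2].upper() == "NO":
                findings.append((number, "!ENCRYPTION",
                                 "passwords in this macro are stored in clear text"))
    return findings

# Constructed sample macro; build number, paths, URL and hash are placeholders.
SAMPLE = """\
VERSION BUILD=0000000
' FILEDELETE NAME=C:\\old.txt  (commented out, must not be flagged)
SET !ENCRYPTION NO
URL GOTO=https://example.test/files
ONDOWNLOAD FOLDER=* FILE=report.pdf WAIT=YES
ONDOWNLOAD FOLDER=* FILE=tool.zip WAIT=YES CHECKSUM=MD5:00000000000000000000000000000000
filedelete NAME=C:\\Temp\\report.pdf
"""

if __name__ == "__main__":
    for number, command, note in review_macro(SAMPLE):
        print(f"line {number}: {command}: {note}")
```

A clean result only means none of the listed commands appear; a '.js' script or a program driving iMacros through the Scripting Interface still has to be read as ordinary code.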

