A Little Too chatty?
There’s a program called ChatSend currently doing the rounds on Facebook, and at time of writing just over 114,000 people have hit the “Like” button which no doubt means a high proportion of that tally have downloaded and installed it. Including one in my stream—
The link directs to the Facebookpage of ChatSend where one can readily download the app. Upon execution, it shows a GUI containing its Terms of Service and Privacy Policy. The GUI, however, is narrow and the text is not wrapped within the width of the text box, which makes it difficult for users to read as they need to scroll from left to the farthest right.
Note the pre-ticked boxes that will install the toolbar in all browsers, set web search as default and change the homepage.
After installing, a window pops up to inform users that there has been an error in installing the program; however, it installs just fine.
Not only does the program send the message seen in the first screenshot without notification, it also sends the same message via Facebookchat (if enabled) to all, too.
Interestingly, the EULA fails to detail the steps on how to uninstall the application should users change their mind about it when it was clearly stated:
“If you wish to withdraw your consent to any of ChatSend features as described herein, you should uninstall the Software from your computer. Uninstall instructions are detailed above.”
As far as we can see, there are no instructions “detailed above”. The uninstall steps are in their Facebook page (added yesterday) under the FAQ tabwhen clearly it should be included in the EULA. Despite this, uninstalling simply requires a visit to Add / Remove programs, or opening up the browser add on tabs in your browser of choice.
Do keep an eye on this one, Dear Reader, because Facebook blocks any URLs / links related to the ChatSend domain and there’s quite a few posts like thisstarting to appear on help pages.
Jovi Umawing (Thanks to Chris for the assist)
“the EULA does not require horizontal scroll” It doesn’t now, because you’ve updated the exe and removed the “bug” causing the unsolicited message spam AND amended the EULA box so the text no longer reaches beyond the first instance of the rightmost EULA box wall.
However, the original version of the program contains numerous instances where the user has to scroll right to continue reading the text, as per the following screenshot:
http://bitly.com/sVB1cl
Having to scroll back and forth, then down, while attempting to read the text does not make for a good experience in a box so short vertically while containing text that does not wrap around.
“instructions to how to remove been added to the T&C (and in FAQ)”
It’s great that you’ve added them now – but I’m sure you can appreciate the confusion caused by seeing a EULA state that removal instructions are “above” only to find they’re absent.
“In regards to GFI Labs’ assertion that ChatSend’s EULA is deliberately difficult to read, ChatSend told SecurityNewsDaily that it found no evidence supporting GFI Labs’ claim. “The EULA can be found both in our website and appears while downloading the software”
The EULA was incomplete and missing uninstall instructions, which we pointed out, and you’ve now fixed. The text in the EULA box went beyond the boundaries of said box, and you had to scroll horizontally every so often to read the text, which we pointed out, and you’ve now fixed. I’m struggling to see what the issue is.
The program sent various messages on Facebook via private message and also to chat if enabled with no notification or prior warning, which we pointed out, and you’ve now fixed. A post to Facebook saying “user x has installed application y” is not the same as unsolicited messages saying “installed chatsend to send files” with a link to an external website, which we pointed out, and you’ve now (hopefully) fixed.
I tried to use your file sending application, but after updating flash the blue icon vanished from my chat box and never returned. I can’t fix that.
Facebook blocks chatsend.com as a “spammy link”, and chatsnd.net is flagged by the Facebook Websense block as “abusive”. I can’t fix that either.
https://bitly.com/uRXIUm
You have users who are struggling to uninstall posting comments here:https://bitly.com/vkOiG2
Posting comments to every article covering this story that you’ve “fixed it” is one thing, but you may want to help those struggling with the original file. They never asked for this.
Chris Boyd, GFI Labs – Senior Threat Researcher