Friday, May 31, 2013

Don't use Hubstaff, if not for the ethical issues, for the security issues

I was recently pointed to a piece of software called Hubstaff. It is meant for virtual companies that do not trust their employees and want to see what their staff is doing. Its two central features are measuring activity and regularly sending screenshots.

Hubstaff does not respect copyright! Their software installs various GNU GPL and GNU LGPL licensed libraries without respecting the licenses of these libraries. The source code was not offered at the same place and I didn't see a written offer.

Hubstaff uses HTTP (not encrypted) for all of its traffic! The application sends the login and password in clear text. If you use Hubstaff at the airport, at a local coffee place, or in a shared office, everyone can see your password and take over your account. The activities, notes and screenshots are transferred in the clear as well. This means that everybody can look at potentially confidential information sent from your employee to the Hubstaff server.

To make it worse, it appears trivial for your employees to send you false activity information and screenshots. In general this is a game your employees will win, but Hubstaff gives them a huge head start.

In short, Hubstaff does not respect copyright law, they don't value your data, and they do not have the slightest clue about security/privacy. No sane business will trust them.

Update: Hubstaff claims that starting from version 0.8.0 SSL is used for the connection to their server. They also claim that their GPL violations have been addressed. I have not verified those claims.


Sourabh Kapoor said...

Another issue I see with HubStaff: it only captures time spent typing on the keyboard. If you are testing something, browsing through some links to understand the issue, it won't be logged.

Abhigyan Mukherjee said...

I don't have any admin/managerial rights. Is there a way I can bypass the screenshots taken from my by disabling any service (maybe) from the task manager...

Tafhim Ul Islam said...

There is another problem with this software. I use Linux and I could not find anywhere a single piece of instruction about how to remove Hubstaff or where it is installed on Linux. It's very easy to uninstall from Windows and the information is abundant around the internet, but the Linux part is totally blank. Even in their support section, there is not a single article that contains the word "Uninstall", and the word "Remove" could be found in only one article that shows how to remove a project from Hubstaff or something like that.

I feel really suspicious of their activity since even the installer file has no --help section that shows how to uninstall this thing.