
Spying on users?

Open Tallestrom opened this issue 9 months ago • 3 comments

I used Hybrid-analysis to poke around at what IPs Diffusion.Toolkit was contacting and what it is doing in the background, and was very disturbed. Why is Diffusion.Toolkit using Microsoft Clarity that has the ability to record a user's session while using the app??? I don't want my screen recorded and sent to Microsoft and I doubt other users do either. Is metadata being scraped as well?

Image

Tallestrom avatar Feb 20 '25 00:02 Tallestrom

Check your local environment; this might be something happening in your system - such as another process which is reaching out to Clarity.

I could not find any reference in Diffusion Toolkit's source to Microsoft Clarity, per the JavaScript snippet offered here:

https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-setup

And when I run Diffusion Toolkit - including copies I've modified from the source and recompiled - the only time it attempts to make a network connection is when it attempts to find an updated version.

ooofest avatar Feb 22 '25 21:02 ooofest

TLDR: Highly unlikely to be related to DiffusionToolkit by more than a combination of luck and coincidence. Basically, it's a .NET app loaded on a Windows installation that doesn't have the right version of .NET installed - leading to Edge loading the .NET page for download.

There are a couple of issues here that make this a non-starter:

  • There seems to be a misunderstanding when interpreting the results of the screenshot supplied.
  • There is a misunderstanding of what Clarity is and what it does.
    • Clarity isn't designed to be utilised with a WPF/Windows Forms App (although there ARE insights platforms that are.)
    • Clarity does not record your screen, only your actions such as where you click, tap, scroll or navigate. No screenshots or actual images are gathered.
    • While to some extent I agree with not wanting telemetry data sent all over the place, it isn't inherently "evil".

Let's tackle the details.

The included screenshot shows Microsoft Edge (in fact, a really bloody old version) being the one that is making the POST to Clarity, and from an origin of dotnet.microsoft.com.

x.clarity.ms seems to be their collection endpoint, whereas c.clarity.ms is likely the actual content endpoint (for the analytics script and its resources).

Expected for an analytics tool like Clarity.

This would suggest to me that the VM used by this particular Hybrid-Analysis run did not have the correct version of .NET installed, and Microsoft helpfully opens the appropriate web page to download it. The dotnet page uses Clarity to do its analytics, and since Edge is the default on all modern versions of Windows, we end up here with the report generated.

Because of the way EDR/XDR/Behaviour Analysis tracks launched processes, it's associated the Edge launch with the launch of DiffusionToolkit.

Expected when a computer doesn't have the right .NET version installed.

As for the first note in the screenshot regarding UDP traffic - it is highly likely related to the last entry. Port 443 on UDP is the QUIC protocol, and while it's usually a good idea to disable it in networks where you'd like to do SSL interception (which in itself is a terrible idea in a lot of cases for various reasons), in this instance it is nothing to get excited about given it's an Akamai IP and would be expected when browsing a Microsoft site.

Not out of the ordinary, given the process making the connection and the IP it's connecting to, in context with the website/vendor in question (Microsoft).

While I applaud people for trying to be safe and secure, and an inherent level of mistrust (even with Open Source) is warranted for unknown applications - Please try to properly understand the tools you're using. Behavioural analysis of unknown applications requires a deep understanding of how it all ties together. Tools such as Hybrid-Analysis provide you information, not guarantees or direct answers.

I dislike the tone exhibited in the original issue description on principle. If you're not sure, you should be inquisitive rather than accusatory. You wouldn't accuse random people in the street of spying on you without more than "I saw they had a camera in their hand", would you?

aretokas avatar Mar 06 '25 15:03 aretokas
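
The attribution point in the comment above (a sandbox ties Edge's traffic to the sample because Edge runs as a descendant process) can be checked by walking the process tree for each network event. This is an added example, not part of the original thread or of Diffusion Toolkit's code; the event schema, PIDs, the `203.0.113.10` address and the `updates.example.invalid` host are constructed placeholders, not Hybrid-Analysis output.

```python
from collections import defaultdict

# Constructed sample data in a simplified, hypothetical schema (not the
# Hybrid-Analysis report format): process table plus per-PID network events.
PROCESSES = {
    100: {"image": "Diffusion.Toolkit.exe", "ppid": 1},
    200: {"image": "msedge.exe", "ppid": 100},   # opened for the .NET download page
    201: {"image": "msedge.exe", "ppid": 200},   # browser child doing the networking
}
NET_EVENTS = [
    {"pid": 201, "proto": "tcp", "port": 443, "host": "x.clarity.ms",
     "origin": "https://dotnet.microsoft.com"},
    {"pid": 201, "proto": "udp", "port": 443, "host": "203.0.113.10", "origin": None},
    {"pid": 100, "proto": "tcp", "port": 443, "host": "updates.example.invalid",
     "origin": None},
]
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}


def ancestry(pid, processes):
    """Images from the given PID up to the oldest known ancestor."""
    chain, seen = [], set()
    while pid in processes and pid not in seen:  # 'seen' guards against PID loops
        seen.add(pid)
        chain.append(processes[pid]["image"])
        pid = processes[pid]["ppid"]
    return chain


def attribute(events, processes, sample_image):
    """Bucket events by which process actually opened the connection."""
    buckets = defaultdict(list)
    for ev in events:
        chain = ancestry(ev["pid"], processes)
        image = chain[0] if chain else "unknown"
        if sample_image not in chain:
            bucket = "unrelated"         # not in the sample's process tree at all
        elif image == sample_image:
            bucket = "direct"            # the sample itself made the connection
        elif image.lower() in BROWSERS:
            bucket = "browser_child"     # a browser launched under the sample
        else:
            bucket = "other_child"
        buckets[bucket].append((image, ev["proto"], ev["host"], ev["origin"]))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, rows in attribute(NET_EVENTS, PROCESSES, "Diffusion.Toolkit.exe").items():
        for row in rows:
            print(bucket, *row)
```

Only the `direct` bucket describes what the application's own code did; `browser_child` rows with a web `origin` describe what a page loaded in the browser did.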

No, Diffusion Toolkit does not use Clarity or any tracking software, nor does it collect your metadata and transmit it elsewhere. I have no desire to spy on anyone or their data. The source code is there for everyone to check.

RupertAvery avatar Mar 06 '25 16:03 RupertAvery