A reported vulnerability about getting paid apps for free is really about paying for free apps

Raymond Chen

A security vulnerability report arrived showing how it is possible to get paid apps for free from the Microsoft Store.

  • Open the Microsoft Store app and search for WinSCP.
  • Observe that there are three versions of WinSCP in the Store, one selling for $9.99, another for $4.59, and a third for $6.69.
  • Go to a command prompt and type winget install WinSCP
  • Observe that WinSCP is installed without requesting payment.

The vulnerability report was actually much longer, but it consisted mostly of breathless prose saying how this vulnerability could result in disclosure of confidential information by employees who use the program to transfer files, some of which might be malicious.

Okay, first, let’s address the breathless prose: It’s like saying, “The customer bought printer paper from your office supply store. The customer might use that paper to print a confidential document and then smuggle it out of the building. This is a security vulnerability in your office supply store!” I mean, the customer bought the paper fair and square. They used valid funds, not tied to a stolen credit card. It’s not the office supply store’s fault that the paper could be used to print a confidential document that is smuggled out of the building. And even without printer paper, the customer could use their camera to take a picture of a confidential document. And if the employees don’t install WinSCP, they can still disclose confidential information by emailing the documents instead of using WinSCP to transfer them. It’s not clear how it’s the fault of Windows that a rogue employee can use WinSCP to disclose confidential information.

As for the issue of installing paid software for free: Look again at the program in question. WinSCP is actually free software. Go to the home page, and right there top and center it says “Free Award-Winning File Manager”, and under it is a big green Download Now button.

What you’re seeing is people taking this free software, repackaging it, and trying to sell it. Repackaging WinSCP is explicitly supported, provided the redistribution adheres to the WinSCP license.

One of those repackaged WinSCP apps is in fact the official one from the author of WinSCP. You can buy it from Martin Prikryl to provide financial support to the WinSCP project.

The other two WinSCP apps look sketchier. For example, they list English as the only supported language, yet the privacy policy is written in Chinese. And looking at other offerings from those publishers suggests that their portfolios consist of repackaged free software. I didn’t do a thorough analysis, but I checked two other offerings from those publishers and they were both software that was already free to download directly from the original authors.

The finder should have been suspicious when there were three copies of the product in the Store from different publishers. Why would a piece of software have three publishers?

  • 韩明睿 · Edited 0

    The “three versions of WinSCP” story reminds me of the early days of Apple App Store, when there were a good number of blank paid apps with fancy and attractive names but no content.

  • JAO 0

    I can imagine Microsoft gets a lot of those beg bounties every day

  • Joachim Otahal · Edited 2

    Personal opinion here.
    This post exposes another problem of the Windows Store and Winget, sharing issues with the Android and Apple stores:
    You don’t know what you get. You don’t know what winget will download and install. There is not much control in the Microsoft Store, and no real way to actually verify that what you get is legit. “Publisher name” does not count here, and many official apps have weird publisher names. I see more sketchy apps than normal apps, so the trust is not there. Only when a program gives a direct link to the Microsoft Store with the exact product id and I have no other way, then I use the Microsoft Store.
    This is the main reason why I am not using the PowerShell Gallery the “nuget” way: I’d rather download the package manually and unpack-install it manually. You can call this “Zero Trust”, if you will, but the store contents are not taken care of enough for trust, whereas the PowerShell Gallery is open enough for manual checking.

  • Richard Deeming · Edited 2

    This doesn’t really say much for the MS Store vetting process! Let’s just hope these paid-for versions of other people’s free software are only being used to profit off someone else’s work, and haven’t been modified to add spy/malware.

  • GL 1

    The pedantic classification is that WinSCP is free freeware (the first “free” for freedom, the second “free” for a price of zero). I think it’s also worth mentioning that `winget install WinSCP` does not install any of the three versions from the Store but another version. It’s like “restaurant A offers a cup of water for $1 while coffee-shop B offers it for free, and the latter is a vulnerability of the former”.

  • John McPherson (Microsoft employee) 2

    I expect the “My product was mentioned in a TONT article” sticker shortly 🙂 Even better that it wasn’t all or part of an actual problem!

  • Antonio Rodríguez 1

    “It’s not clear how it’s the fault of Windows that a rogue employee can use WinSCP to disclose confidential information.”

    I don’t know why you bother to ask O:) . For a certain kind of people, it’s always Windows’ fault. The printer is out of ink? Windows’ fault! The monitor breaks? Windows’ fault! My car fails to start? Windows’ fault! Blaming the usual suspect is easier than learning how things actually work.

  • Mark Magagna 2

    The “breathless prose” wouldn’t have been AI-generated would it?
