I decided to take a look at how GomezPeer works from a low-level view. During my observations I was surprised at how easily someone would be able to grab username and login info from corporate websites in a passive manner while running the application.
What is GomezPeer: (in brief)
For those of you who don't know, GomezPeer is a public peer application that is run so that Dynatrace can test website responsiveness. Dynatrace claims it is #1 in application performance management.
GomezPeer pays clients to run the application and instruction sets on their own PCs so that vendors can measure the end-user performance of their sites. Examples could include logging in and ordering plane tickets, or executing database queries against a server to see how long it takes to return the data in different areas of the country or world. This allows them to test a large number of OSs, ISPs and locations without bearing the cost of having the infrastructure in place. Peers are compensated anywhere between $5 and $40 per month and can choose to donate the amount to charity. Over the last few months GomezPeer has been slowly rebranding its application as Dynatrace. Both GomezPeer and Dynatrace are owned by Compuware.
Both GomezPeer and Dynatrace use the same addressing block.
Gomez Advisor PNAP-BSN-GOMEZ-RM-02 (NET-63-251-134-0-1) 18.104.22.168 – 22.214.171.124
How GomezPeer works:
GomezPeer is installed on a client and then activated by entering a username that corresponds to a GomezPeerZone account. You can install as many peers as you like on as many physical hosts as you like in order to increase your earnings.
The original documentation on it has been pulled at the request of the vendor.
After working with the vendor, the exploit has been mitigated and GomezPeer has been hardened in order to be more resilient to such attacks. The Dynatrace team has been very quick to respond to the issue and let the affected clients know.
I also found the project managers at Dynatrace easy to communicate with while working out the specifics, and I thank them for that.