Say i have a win 7 host and Xubuntu in Virtualbox. d&d enabled i have Imgur open and drag a picture file from the host onto the Imgur page, it will now upload. I d like to know if any "host info" is being transferred to imgur with this file upload. I understand they are not keeping this data , but theoretically they could have a pipe going to the NSA with all this data. If i d&d into Xubuntu and then "browse for file"in Imgur i guess only guest file info would be present.
I never enable drag and drop between host and VMs. Or shared clipboard. Better to encrypt and share via some pastebin.
I realize drag and drop compromises security to a degree, ,but iḿ talking about an average usage scenario , where one needs to add some pictures to a forumpost, but still likes to be as anonymous as practically possible.
You're talking about attacks on Virtualbox and the extensions essentially. Given that Vb is open source, this means bugs more than backdoors - and since the host integration stuff is more code, that's more exposure if you have it enabled for the VM. In looking at Vmware bugs over the years, there were very very few (even with the guest additions), that allowed host-guest compromise. Most of them were guest-same-guest escalations and some host-host escalations. My take is that you have to be careful of your VMs really, to treat them as "real" machines, which can potentially pose a threat. Even if there were no guest additions, the guest would potentially be able to attack the host via the bridged network if you weren't careful, for example. But anyway, hardening your guest in various ways, using Firejail and so on, would be my normal approach but keeping the integration features for their convenience. Of course, it's potentially an improvement to share encrypted containers via the cloud as @mirimir suggests, that would work fine. Even there, if the guest were compromised and KSL became enabled, then the cloud-based files would be exposed.
quax, if you wireshark the traffic generated during the file upload, I expect you'll find that nothing surprising (related to VM guest/host) is "leaked". Although you didn't mention which brand/version web browser you're using, nearly all are configured with a "sane" default preference: formadata for POSTed files discloses filename only, not the full local path. VM context or not, the uploaded files might contain telling metadata (EXIF fields:values within imagefiles, headers:values within office documents, etc.) If you want something to (potentially) fret about, investigate whatall details are being leaked via file-embedded metadata.
I forgot to mention the host runs on vpn and the guest on a different vpn, although this is not relevant to the question ? @ inka, good tip about wireshark,will try that. exif and metadata are stripped. The same applies to youtube , if i drag a video file from host to a youtube upload page on the guest ,it starts uploading, so i could monitor this with wireshark as well i guess.
