# Pastebin 7gSw2Brc

## 5. Information Exposure To 3rd Parties Via Media Scraping (CWE-200)

The QNAP QTS 'media' scraping functionality connects to ajax.googleapis.com without proper certificate validation, and to www.imdb.com and akas.imdb.com without transport layer security. An attacker in a privileged network position can man-in-the-middle the connections and learn the titles of the media files stored on the NAS.

The /mnt/ext/opt/medialibrary/lib/libscrap.so library performs insecure TLS connections by enabling insecure mode (-k):

```
# strings libscrap.so | grep 'curl -k'
/sbin/curl -k -L '%s' --connect-timeout 30 --
```

The library also performs insecure connections to various sites without transport layer security:
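
An added example, not part of the advisory or of QNAP's code: the `strings | grep` check above generalised into a small audit that flags both findings in this section, curl command templates that disable certificate verification and hard-coded `http://` URLs. The sample blob, the `PLACEHOLDER` URL path and the function names are constructed for illustration.

```python
import re
import shlex

# Printable ASCII runs of 6+ bytes, the same idea as strings(1).
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
HTTP_URL = re.compile(r"http://[^\s'\"]+")
# -k, alone or bundled after curl short flags that take no argument (heuristic).
BUNDLED_K = re.compile(r"-[sSLfviIOgN]*k.*")

def extract_strings(blob):
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]

def curl_disables_verification(command):
    """True if a curl command template passes -k or --insecure."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes in a template fragment
        tokens = command.split()
    if not any(t == "curl" or t.endswith("/curl") for t in tokens):
        return False
    return any(t == "--insecure" or BUNDLED_K.fullmatch(t) for t in tokens)

def audit(blob):
    """Return the strings in a binary that indicate unauthenticated fetches."""
    findings = {"tls_verification_disabled": [], "plaintext_http": []}
    for s in extract_strings(blob):
        if curl_disables_verification(s):
            findings["tls_verification_disabled"].append(s)
        findings["plaintext_http"].extend(HTTP_URL.findall(s))
    return findings

# Constructed sample standing in for a library's bytes; only the first
# curl template is taken from the advisory text.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/sbin/curl -k -L '%s' --connect-timeout 30 --\x00"
    + b"http://www.imdb.com/PLACEHOLDER/%s\x00"
    + b"/sbin/curl -sL 'https://example.invalid/%s'\x00"
    + b"\x01\x02libscrap\x00"
)

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

On a real system, read the library with `open(path, "rb").read()` and pass the bytes to `audit`; the remediation for each hit is to drop `-k` so the certificate chain is verified and to move the `http://` endpoints to HTTPS.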