Fix serious security issue with Shared Profile enabled by default

Discussion in 'Parallels Desktop for Mac Feature Suggestions' started by VladimirR2, Nov 5, 2018.

  1. VladimirR2

    I am new to Parallels Desktop but have vast experience with other virtualization systems (VMware and VirtualBox). Recently I downloaded Parallels Desktop for Mac and got into a stupid situation.

    I converted my existing VirtualBox Windows 2016 machine into Parallels format. I used this machine (among other purposes) to run doubtful software, namely software that raises a red flag on virustotal.com or software that is known for its undesired and unasked-for side effects (installing toolbars, trojans, malware). After conversion, Setup Assistant started performing some job, and when it finished I discovered that I could see my Mac's documents and downloads. I decided that Setup Assistant had copied my documents from the host Mac machine (it was doing something for so long that I decided it had made a copy). I deleted the documents from the guest machine and of course they got deleted permanently and irreversibly from the Mac host. I was able to restore some documents from backups but others were lost completely.

    Besides losing important documents, my more severe concern is about exposing my private data to probable malicious software running on the virtual machine. Apparently all my documents were accessible under the default user account of the VM (which was Administrator). Any application running on the virtual machine had full read/write access to my documents! I could not expect such a blunder from a serious company like Parallels...

    Though the things I am writing about are irreversible, I want to save future users of Parallels Desktop from similar issues. My profound persuasion is that the Shared Profile feature should be disabled by default. The user can be offered to enable it only after an explanation regarding the risks of using a shared profile.

    The mentioned feature is neither asked for nor expected. A virtual machine remains a separate machine. If I installed Windows on other hardware, I wouldn't expect to see my documents on this device. While I admit that Shared Profile can be useful for some users, it can be dangerous and harmful for others.

    To sum up my suggestion:
    • On newly installed (from scratch) virtual machines, the Shared Profile feature may be enabled, but the user must be warned about the downsides of using it, which by the way include irreversible deletes from guest machines.
    • On converted machines, the feature must be strictly disabled by default. A user may only be asked if he/she wants to enable it after a proper explanation of all risks.
     