Avast WEBforum

Other => General Topics => Topic started by: RejZoR on November 02, 2016, 11:21:15 PM

Title: WOT (Web Of Trust) privacy scandal
Post by: RejZoR on November 02, 2016, 11:21:15 PM
https://rejzor.wordpress.com/2016/11/02/web-of-trust-wot-privacy-scandal/

I'm not going to copy all the data here; you can read it on my blog with all the external original links and news. WOT is quite popular here if I remember correctly, and I thought people would be interested in reading this...

I've now turned to avast! Online Security as my primary rating tool. I really miss the saving of existing ratings and comments with avast!, but it has other goodies and at least the avast! team is more open when privacy concerns are raised.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Rednose on November 02, 2016, 11:36:19 PM
Personally I have never used WOT, Avast rating or any other rating tool, except for testing.
As I don't think user ratings/opinions add anything significant to a well-configured security setup.

Greetz, Red.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Eddy on November 02, 2016, 11:43:14 PM
Almost no user has a clue what he is talking about when it comes to security and things like that.
And since comments are not checked for accuracy, you can say they are worthless.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: RejZoR on November 02, 2016, 11:45:58 PM
Maybe so, but I found it to be interesting resource. Individual comments maybe didn't mean much, but you could often see a trend and then form your own opinion.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: DavidR on November 03, 2016, 12:34:59 AM
I too used it, not by slavishly following its rankings, but as guidance.

But that has now ended.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 03, 2016, 12:38:28 AM
Hi RejZor,

Big thing with WOT: canvas fingerprinting and selling your profile to the highest bidder.
Isn't Ghostery, and loads of others, just doing the same? The difference is that they are upfront about it.

The only sin for WOT was that they forgot to mention it in their EULA (it vanished from their 2011 add-on edition).

Who was there first and no-one reacted? Wasn't that and isn't that  Big Data-slurper  nr. 1, Google,
and who moans about Facebook's ridiculous 'polycor' censorship? Too big to fail?
(without any rules nor even trying to defend their policies).

I know there is a big Russian userbase out there on WOT, and isn't that again the "Big Evil Empire" now?

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 03, 2016, 01:18:47 AM
RejZor is right however about the 100% insecure tracking there.
100% of the trackers on this site could be protecting you from NSA snooping. Tell mywot.com to fix it.

Identifiers | All Trackers
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

6142544 api.mywot.com

And for my.WOT you're also dependent on CloudFlare security (a service that I cannot and won't trust fully with e2e):
Unique IDs about your web browsing habits have been securely sent to third parties.

 wXw.mywot.com authid
d00b1cddd5a06799XXXXXXXXXXf85dd281476740859  cdnjs.cloudflare.com __cfduid (anonymized by me - pol)

And the canvas fingerprinting: CanvasFingerprintBlock
Blocked 1 potential HTML canvas fingerprinting attempt on this page
Prevented a script on -https://www.mywot.com from capturing the following 32px × 32px canvas (via toDataURL):

And just as I thought, here they are shown to be security dilettantes, a meagre F-Status ::)
Re: https://sritest.io/#report/a25ada39-6bff-4513-8b6c-eca48f5096e6

Scripts 2 issues
Tag   Result
<script type="text/javascript" src="-https://cdn-cf.mywot.net/files/js/a62c3c71189e6e035766d20b917784f1.js"></script>    Missing SRI hash
<script src="-https://cdnjs.cloudflare.com/ajax/libs/bxslider/4.2.5/jquery.bxslider.min.js"></script>    Missing SRI hash

Stylesheets 2 issues
Tag   Result
<link rel="stylesheet" href="-https://cdn-cf.mywot.net/files/css/7ed1941a63bcf84b0aa89e6644c3fc26.css" type="text/css" media="all">    Missing SRI hash
<link href="-https://fonts.googleapis.com/css?family=Open+Sans:400,300,300italic,400italic,600,600italic,700,700italic,800,800italic&amp;subset=latin,latin-ext" rel="stylesheet" type="text/css">    Missing SRI hash

And almost ashamed to present these mediocre results F-I-C-I-X with a few A's in between:
https://observatory.mozilla.org/analyze.html?host=www.mywot.com

RejZoR, the facts are in your favor, man. It's a drama, I have to admit.... :'(

polonus (volunteer website security analyst and website error-hunter)
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Asyn on November 03, 2016, 06:52:50 AM
More here... (German only)
https://mobilsicher.de/hintergrund/datenhandel-aufgedeckt
https://mobilsicher.de/hintergrund/die-spur-der-daten
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 03, 2016, 02:34:57 PM
Hi Asyn,

WOT has now been caught almost red-handed doing this. But Mike Kuketz says Ghostery is probably into this too, and they are known to even ask their extension users' permission to do this when installing the extension.
I see that it is a wide-spread issue on mobile platforms; think of AdMob and MoPub collecting location information and device or mobile network information. It seems all Avast apps are AdMob-driven now.

So I wonder how many of our Google Chrome extension APIs are "kosher" or "halal" in this respect.
There is a lot of temptation out there for developers and owners of extensions and it is all about big money.

Again the controversy around WOT never went away and was there from the start.
Read: https://forums.malwarebytes.org/topic/107753-web-of-trust-trusted/

It is the API that is spying on you too. Just install Nirsoft's WebCookieSniffer and you get an api.mywot.com cookie with authid, a session id cookie and, as Kuketz said, a language cookie, and all of them are user-identifiable. So the first thing that happens when I start WebCookieSniffer is that an api.mywot.com cookie is being set for all of my existing browsing sessions.
This is much like what Kuketz describes, in a nutshell.

It is not unique, as all extensions in Google Chrome work that way, going first to https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js.
This is so, for instance, with DrWeb's URL checker.

There DrWeb is not involved, Google does this, and whenever Google cannot do this,
the extensions are not allowed to be on their platform and are thrown out because of some dreamt-up violation of terms.

So actually we have to get accustomed to this situation going on behind our backs all of the time,
and that there is no escape from this really.

Now poor fanboyish WOT is being put into the hall of shame, when almost all and every Google or Firefox extension/add-on,
for that matter, is into this game in one way or another.

Sad, but it is the situation we have; we can no longer get away from this behavior,
or are being asked to fill out CloudFlare captchas all the time when working with Tor or Orbot to prove we're human sheeplings,
as RejZoR always so aptly classifies us as human beings.

polonus

 
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: bob3160 on November 03, 2016, 03:33:18 PM
Don't tell me you're still crying about a lack of privacy ???
Remember, there isn't any privacy.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 03, 2016, 04:17:49 PM
Hi bob3160,

You are so right there, bob3160.

Again there is more to it, than we might think at first hand.
But we really should make people aware.

These extensions are a marvellous way of drawing you further into the so-called "Internet Bubble", like Pokemon Go etc.

With this "Internet Bubble" we mean that, whenever you expose yourself to services that get more and more of your profile,
you risk being more and more "fenced in" by your Internet surfing history and habits.

Google for instance knows exactly how to do this.
They turned it into a real science, and the final conclusion should be that anyone profits from it - but you, as you are the product.
You may think otherwise. You are wrong again.

By getting to know more and more specifics about your Internet profile, they will more and more confront you with what you already think about yourself.

More and more of your own preferences and likings are "mirrored back" to you to get you hooked into that tunnel vision of yourself further.

And so you may lose sight of what is outside, and that may just be what they want you to do.
That way you only pay attention to issues, that they want you to watch out for,
and you might miss what they do not want you to see.

Try to use a search engine that does not profile you, like DuckDuckGo.
Send an old-fashioned card again once in a while.
Read an online e-book.
Oh, ...... and turn that screen resolution somewhat down at night in the bedroom,
you may sleep better!

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Asyn on November 04, 2016, 01:16:37 PM
Web of Trust (WOT) Add-on taken down by Google and Mozilla after reports of selling Users browsing history
http://techdows.com/2016/11/web-of-trust-add-on-removed.html
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: bob3160 on November 04, 2016, 01:42:13 PM
Quote
Web of Trust (WOT) Add-on taken down by Google and Mozilla after reports of selling Users browsing history
http://techdows.com/2016/11/web-of-trust-add-on-removed.html
It's still available for Mobile devices. Wonder if that also sells your browsing history ???
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Asyn on November 04, 2016, 01:48:42 PM
Quote
Web of Trust (WOT) Add-on taken down by Google and Mozilla after reports of selling Users browsing history
http://techdows.com/2016/11/web-of-trust-add-on-removed.html
It's still available for Mobile devices. Wonder if that also sells your browsing history ???
I wouldn't take a chance Bob. ;)
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: bob3160 on November 04, 2016, 02:11:09 PM
Quote
Web of Trust (WOT) Add-on taken down by Google and Mozilla after reports of selling Users browsing history
http://techdows.com/2016/11/web-of-trust-add-on-removed.html
It's still available for Mobile devices. Wonder if that also sells your browsing history ???
I wouldn't take a chance Bob. ;)
My recommendation is to remove it if you have it. Not to consider it if it's not currently installed.
http://bob3160.blogspot.com/2016/11/11-3-2016-wot-web-of-trust-not-so.html
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Asyn on November 04, 2016, 02:15:33 PM
Quote
Web of Trust (WOT) Add-on taken down by Google and Mozilla after reports of selling Users browsing history
http://techdows.com/2016/11/web-of-trust-add-on-removed.html
It's still available for Mobile devices. Wonder if that also sells your browsing history ???
I wouldn't take a chance Bob. ;)
My recommendation is to remove it if you have it. Not to consider it if it's not currently installed.
http://bob3160.blogspot.com/2016/11/11-3-2016-wot-web-of-trust-not-so.html
Way to go Bob. Good advice.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: abruptum on November 04, 2016, 06:12:42 PM
This is a total fiasco. I am still using WOT, but I blocked the data-collecting server by adding this to My Filters in uBlock Origin:
52.5.242.93
52.205.103.6
52.73.240.213
52.44.121.119
107.21.18.47
107.21.49.33
prod-mywo-mywotpop-175cqrplyb0n9-2133581242.us-east-1.elb.amazonaws.com

Maybe I am wrong and by blocking these addresses I am actually doing nothing at all.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: DavidR on November 04, 2016, 06:44:40 PM
Quote
This is a total fiasco. I am still using WOT, but I blocked the data-collecting server by adding this to My Filters in uBlock Origin:
52.5.242.93
52.205.103.6
52.73.240.213
52.44.121.119
107.21.18.47
107.21.49.33
prod-mywo-mywotpop-175cqrplyb0n9-2133581242.us-east-1.elb.amazonaws.com

Maybe I am wrong and by blocking these addresses I am actually doing nothing at all.

Personally, when you have to start going to these degrees to stop something like this you really have to consider why you should keep it. Not to mention, what is to stop them adding more IPs, it could be a constantly moving target.

Also as has been mentioned Google and Mozilla have taken down the WOT add-on.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 04, 2016, 06:46:46 PM
My idea is to disable the add-on/extension in the browser as long as we haven't heard anything from the alleged perpetrators.
It is a shame my alter-alias has a Silver Membership there (now I am not gonna tell his name).

@ Asyn: "He who lies once is not believed, even when he tells the truth.
That now applies, above all, to WOT."

Mozilla now made the WOT add-on unavailable for downloads:
-https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
You will get a "not found" page.

WOT users brought angry reactions up at the WOT forum:
-https://www.mywot.com/en/forum/70396--virus-spyware-do-not-install-uninstall-as-soon-as-possible
It now even spilled over to Wikipedia; it's mentioned here:
hxxps://en.wikipedia.org/wiki/WOT_Services#Privacy_issues
This is the server (someone has beaten me to it):

Name: -prod-mywo-mywotpop-175cqrplyb0n9-2133581242.us-east-1.elb.amazonaws dot com
Addresses: 52.5.242.93
52.205.103.6
52.73.240.213
52.44.121.119
107.21.18.47
107.21.49.33
Aliases: -secure dot mywot dot com

I saw the WOT API cookie disappear suddenly today.

The WOT reaction: https://www.mywot.com/en/forum/70476-user-update-from-wot

WOT extension also vanished from the Google Webstore.
My advice try Webutation: chrome-extension://nfclfmabiojpommfcalfdgjjeaahnjbj/html/options.html

Look ups: http://www.webutation.net/

Yesterday I checked on WOT: Good, I had this being blocked for me on WOT: https://dev.visualwebsiteoptimizer.com/j.php?aXXXXXX&u=https%3A%2F%2Fwww.mywot.com%2F&r=0.XXXXXXXXXXXXXXX

Revealing also the results here: http://www.cookiechecker.nl/check-cookies.php?url=www.mywot.com%2F&cache=false
Retirable jQuery: -https://www.mywot.com/
Detected libraries:
jquery - 1.7.1 : (active1) -https://www.mywot.com/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

And what to think about this external link: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fcdnjs.cloudflare.com%2Fajax%2Flibs%2Fbxslider%2F4.2.5%2Fjquery.bxslider.min.js
working out through -counter.yadro.ru/hit;bgcheck2?r"+

And we should also analyze here, external link: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fconnect.facebook.net%2Fen_US%2Fsdk.js

And they are also into canvas fingerprinting profiling: CanvasFingerprintBlock
Blocked 1 potential HTML canvas fingerprinting attempt on this page
Prevented a script on -https://www.mywot.com from capturing the following 32px × 32px canvas (via toDataURL):

Finally a track the tracker result report: -https://tools.digitalmethods.net/beta/trackerTracker/?jobid=581a5e2512477&json=result&view=renderHtmlTable (analytics, trackers & widgets).

polonus (volunteer website security analyst and website error-hunter)

P.S. In hindsight: https://wyrdwolf.wordpress.com/2015/08/04/how-web-of-trust-can-ruin-your-credibility/
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Para-Noid on November 04, 2016, 08:35:49 PM
From the WOT privacy policy "SHARING DATA WITH THIRD PARTIES

We do not share any Personal Information collected from you with third parties or any of our partners except in the following events:

Law Requirement: we will share your information, solely to the extent needed to comply with any applicable law, regulation, legal process or governmental request (i.e., to comply with courts injunction, comply with tax authorities, etc.)
Policy Enforcement: we will share your information, solely to the extent needed to enforce our policies (including our policies and agreements), including investigations of potential violations thereof, including without limitations, investigate, detect, prevent, or take action regarding illegal activities or other wrongdoing, suspected fraud or security issues;
Company’s Rights: we will share your information, solely to the extent needed to establish or exercise our rights to defend against legal claims;
Third Party Rights: we will share your information, solely to the extent needed to prevent harm to the rights, property or safety of us, our users, yourself or any third party; or (vi) for the purpose of collaborating with law enforcement agencies or in case we find it necessary in order to enforce intellectual property or other legal rights.
Affiliated Companies: We may share your data with our parent company, any subsidiaries, joint ventures, or other companies under common control ("Affiliated Companies") solely if and when applicable or necessary for the purposes described in this Privacy Policy.
Corporate Transaction: We may share Information, including Personal Information, in the event of a corporate transaction (e.g. sale of a substantial part of our business, merger, consolidation or asset sale). In the event of the above, our Affiliated Companies or acquiring company will assume the rights and obligations as described in this Privacy Policy.
If we combine Personal Information with Non-Personal Information, the combined information will be treated as Personal Information for as long as it remains combined."

After reading Asyn's reply (#11) I'm removing WOT from Firefox, Chrome and Vivaldi.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Para-Noid on November 04, 2016, 09:01:24 PM
I posted a link to RejZoR's article on the Vivaldi forums.
The more the word is spread the better.  ;)
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 04, 2016, 11:04:49 PM
Read this, a very interesting discussion about the banning of "WOT" before the scandal broke out:
https://lists.gnu.org/archive/html/directory-discuss/2015-11/msg00003.html

So "WOT" was on a slippery slope for a long time. We did not know that, did we, avast user guys and gals?

Funny that the Anglo-American security media aren't picking this news up. Well, not to my knowledge at least.
First German NDR-TV had a presentation on the scandal.
The lid came off and now it was also on a Dutch security site with various topics like: https://www.security.nl/posting/491610/Mozilla+verwijdert+Firefox-uitbreiding+Web+of+Trust
But I see nothing on the U.K.'s The Reg. DavidR, do you know if it gets any attention there?

Damian
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Asyn on November 05, 2016, 06:29:56 AM
Quote
@ Asyn: "He who lies once is not believed, even when he tells the truth.
That now applies, above all, to WOT."
Correct. 8)
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 05, 2016, 01:27:58 PM
Isn't it high time for checking with this free tool (free for personal & non-commercial use only): https://www.brightfort.com/eulalyzerdl.html

Many products also transmit a list of visited URLs, or web addresses — both malicious and non-malicious ones.
But the question here is, what do they do with the (de-anonymized) data?
Data may be open to intelligence agencies like the NSA, tapping the internet backbone,
or they can be sold to third parties as in mentioned case in this thread.

We certainly will need more transparency here, but will we get it, I highly doubt it,
and is not this rather a Trade Secret or State Secret even?

I think we will be stumbling around in the dark for quite some time to come.
As it looks now it is Greater Arcadia versus their end-users - 1:0.

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: bob3160 on November 05, 2016, 02:19:34 PM
Quote
Isn't it high time for checking with this free tool (free for personal & non-commercial use only): https://www.brightfort.com/eulalyzerdl.html

Many products also transmit a list of visited URLs, or web addresses — both malicious and non-malicious ones.
But the question here is, what do they do with the (de-anonymized) data?
Data may be open to intelligence agencies like the NSA, tapping the internet backbone,
or they can be sold to third parties as in mentioned case in this thread.

We certainly will need more transparency here, but will we get it, I highly doubt it,
and is not this rather a Trade Secret or State Secret even?

I think we will be stumbling around in the dark for quite some time to come.
As it looks now it is Greater Arcadia versus their end-users - 1:0.

polonus
Are you reviving one of my suggestions ???
https://forum.avast.com/index.php?topic=19387.msg889561#msg889561
This goes back to 2006:
https://forum.avast.com/index.php?topic=16849.msg176661#msg176661
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 05, 2016, 04:19:38 PM
Hi bob3160,

You see how you educate others now, and they later even come up with your own suggestions.....  ;)
Just joking, but it certainly is so that a close-knit group like ours comes to share similar security views.
Yes, again, many, many thanks to avast who provided us with a platform to do this.
And all that is not surprising, also for those that benefit from the "fruits" of our common security quest.

Damian
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Hermie on November 06, 2016, 10:42:47 PM
World of Trust or World of No Trust?
It seems that WOT is not a trustworthy world; I feel deeply disappointed in that.
Which alternatives are available, if any?

I shall be looking forward to replies, thanks in advance.

Best, Hermie
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: bob3160 on November 06, 2016, 10:55:52 PM
Quote
World of Trust or World of No Trust?
It seems that WOT is not a trustworthy world; I feel deeply disappointed in that.
Which alternatives are available, if any?

I shall be looking forward to replies, thanks in advance.

Best, Hermie
There have already been many replies and comments. :)
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 06, 2016, 11:36:22 PM
Yes, bob3160, but it also went unnoticed by me and many of us,
that WOT in 2015 changed from open source software to closed source,
and then the URLs visited and the e-mail address were sent twice Base64 encoded
(but not encrypted and anonymised), see: -https://github.com/mywot/firefox-xul/blob/master/content/config.js#L404

The stats.js class is defined here: -https://github.com/mywot/firefox-xul/blob/master/content/stats.js
These stats seem to be sent in a POST request to -secure.mywot.com when the location changed (wot_stats.loc);
security should not rely on knowledge of the function used. Source: WOT user forum.

WOT staff made the big mistake not to reply in time against these accusations,
probably because of lack of understanding the Germanic languages
(first news appeared in German and Dutch and not in English).

By the time the proverbial cat was well up into the curtains together with
the proverbial manure beginning to hit the proverbial fan,
it was all closing the stable-door after the horse had bolted.

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: kls490 on November 07, 2016, 03:27:58 PM
Just my 3-cents here - FWIW.  The link below shows the latest statement from the WOT folks, as of Sunday, November 6th @ 10:08 p.m (U.S. EST).  I also posted this over at the Wilder's Security Forums as well:

https://www.mywot.com/en/forum/70818-to-the-wot-community

(Link provided by Jeff at Esumsoft Forums)

Regards to all.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Eddy on November 07, 2016, 03:56:08 PM
Quote
Reviewing our privacy policy to determine which changes need to be made in order to enhance and ensure that our users privacy rights are properly addressed.
That is like a train that doesn't arrive at the time mentioned in the timetable. Hey, we can easily solve that. Let's change the timetable. See everyone! It did arrive on time!
Quote
We will spend the coming weeks making the changes to WOT which will ensure we are back on the right track.
So yes, they were/are off-track.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 07, 2016, 11:40:38 PM
With their code WOT could have done worse. They would have been able to run arbitrary code on webpages.
That is as bad as it can be. But they had not abused that ability so far. Rob Wu, a security analyst, found this out for us.

Just see this analysis here: Analysis of WOT 20151208 by Rob Wu
https://gist.github.com/Rob--W/bda5f28a0ac3b877780c6665bbed2e1b

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Asyn on November 08, 2016, 08:27:50 AM
Quote
Just my 3-cents here - FWIW.  The link below shows the latest statement from the WOT folks, as of Sunday, November 6th @ 10:08 p.m (U.S. EST).  I also posted this over at the Wilder's Security Forums as well:
https://www.mywot.com/en/forum/70818-to-the-wot-community
(Link provided by Jeff at Esumsoft Forums)
Regards to all.
Thanks for the link.
I'm surprised to see that nobody really knows who owns WOT..!! :o
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 08, 2016, 12:48:25 PM
Hi Asyn,

To me that is clear now, as their main registration sponsor is .....tucows.
Does that ring a bell, with a main contact in Toronto, but myWOT operates from Wilmington, USA.
Probably that also explains the initial silence on the privacy abuse.
Also domainmonger dot com (spam experts) with 100% insecure IDs tracking seems involved.
A bit of shady and complicated connections there. Is there more information?

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: mchain on November 08, 2016, 12:50:11 PM
I've taken the step of uninstalling from all browsers I use.  I also removed the signature link to WOT I've had for several years now.

Thanks.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: bob3160 on November 08, 2016, 03:07:05 PM
(http://screencast-o-matic.com/screenshots/u/Lh/1478613882251-94875.png)
To delete your account, please go to your profile edit page. Then go to the bottom of the page and press "Delete account". ...


(http://screencast-o-matic.com/screenshots/u/Lh/1478614150784-3276.png)
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Dwarden on November 08, 2016, 04:11:27 PM
time for Mozilla foundation and Google and etc. to improve rules on Extensions ...

if the owner, author, main party changes and the source code isn't provided immediately
then the Extension will be moved down on the trusted layer to NOT-Trusted or Blocked ...

same applies if the 'changes' are actually kept in secrecy from extension oversight authority ...
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 08, 2016, 04:42:27 PM
Well, the original developer of the code, Sami Tolvanen, now admits that there has been tampering with the original code
about one and a half years ago, and also the Finnish ownership went over into other hands (who was that??).

After the time Tolvanen left, the original WoT code has been changed, and it became malware/ malicious spyware:
Bug 1314332 - Web of TrusT (WOT) Addon is malicious according to news reports
https://bugzilla.mozilla.org/show_bug.cgi?id=1314332#c6

This means that, factually, the WoT addon between 18-09-2009 and 08-12-2015 could have been able to change the Firefox "about:preferences" page and execute arbitrary code on your OS. This bug could and should have been patched a long, long time ago now. The browser developers also acted sloppily in the sense that they left the door open for abuse to take place.

Also  Sami Tolvanen himself, confirmed that the WoT addon has been changed on purpose since April 20th of 2015 to log all URL-addresses visited by respective users, and logged these data in an insecure manner.

In his own words:
Quote
"This change adds logging of each visited URL and clearly attempts to obfuscate the traffic with double Base-64 encoding. Definitely sounds like something that should have been indicated to users."

An explanation of the Base-64 code used one can find here: https://nl.wikipedia.org/wiki/Base64
There is no form of encryption used, and anyone that wants to can get to read it in clear text by simply decoding it.

One may therefore safely assume that all your user data could have been sold onto the "grey" market from then on.

For instance a toy firm may be interested in your metadata to know what your children's interests are and want to pay good money to obtain that info. And for the rest, just use your imagination what they were paid for.

Users here are right that it is high time Firefox and Google Chrome and other browsers as well stop this abuse of extensions, add-ons and
APIs on their platforms and clean up their acts, so they can guarantee your extensions are safe and secure, and when an add-on fails, they should get an eternal ban. If self-regulation fails in the data-slurping industry, other appropriate steps should be taken.

Abuse of Trust is a criminal act always.

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 08, 2016, 11:37:35 PM
Update:

The company that owned WoT was registered at 07-10-07- 2006 as TOW Software Oy.
See the rep digger report here: https://repdigger.com/reviews/tow-software-oy
It seems that the original company that held WoT went into liquidation at 09-02-2016.
The liquidation is now being handled by a Finnish law firm, AAtsto Lindfors & Co in Helsinki.

So it seems to me that the service of the firm that was left and finally went into liquidation was apparently being abused by the latest owner.
But by whom? Antti Elias Pekkanen was/is CEO at WoT, and his website is here: http://inventure.fi/
and then we know that he is into a leading early-stage venture capital company for Finland, the Nordics and the Baltics, inventure.
And in his own words
Quote
We help you grow your start-up into a global superstar.

I think for some this may be a revealing posting, folks,

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 09, 2016, 04:24:16 PM
Further Update:

More on the main players of what we may call now an almost 'Shakespearian' digital drama.

It could well have been that the main investors/stakeholders of hxtp://MyWoT.com
wanted their money back or wanted to convert from capital to cash.

1. Antti Elias Pekkanen
https://www.linkedin.com/in/anttipekkanen

Pekkanen became a hired ad interim CEO in order to clean up the mess after Sami Tolvanen left.
Apparently he was a puppet for -http://Inventure.fi, a firm contracted by the initial investors.

2. Sami Tolvanen had left MyWOT.com 07-04-2014, which could be because of a conflict
which arose with his former co-founder and silent partner, Timo Ala-Kleemola,
about where MyWOT had to go with the then proposed business model /selling MyWoT services.

Sami - Resignation
https://www.mywot.com/en/forum/46092-sami

We also find critical remarks from users in the WoT-forums in these days about the proposed paid service model.
Users of the first hour started to abandon ship, while losing confidence in Timo.

3. Timo Ala-Kleemola
https://fi.linkedin.com/in/timoalakleemola

Where Tolvanen is now, is unknown. Rumour has it that he, after he left MyWoT.com, started to work for Google dot com.
Could also be another person by that name, as that surname is not very unique for Finland.

The homepage of his former private website (tolvanen.com) has been abandoned not so long ago,
and the website could not be archived by Archive.org, because of a robots.txt exclusion.
The existing LinkedIn account under that name became more or less locked:

Sami Tolvanen
https://www.linkedin.com/in/samitolvanen

We shall see where all these three actors in this drama are gonna present their next performance.
On Youtube we can find vids posted by people that lost money through their practices apparently
or were known insiders to the final fate of the sinking myWoT-Titanic.

Info source taken from a Dutch posting in a thread on https://www.security.nl/
I'd like to sincerely thank and give all info credits to the anonymous poster thereof,

(Anonymous source 15:18)

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 16, 2016, 06:49:39 PM
Update: Michael 'Monty' Widenius, founder of MySQL, invests in WOT, Web of Trust (PRWEB, February 16, 2009)
https://web.archive.org/web/20090224182847/http://www.prweb.com/releases/Michael_Widenius/Web_of_Trust/prweb2009984.htm

It is shocking to find out that founders of fundamental open software, like MySQL in this case, were involved in such wheelings and dealings.

So the conclusion should be that users of open software are not protected against such big data-slurping trade deals with the data they share with such a tool, app, service, whatever. The impact of hidden commercialization on user-protection could be enormous and also this could 'pay out' in a negative sense to end-users. They are always at the wrong end of the stick. :D

According to English-speaking Wikipedia WoT services are now being classified as spyware. Who the present owners of the My.WoT dot com domain are is hard to find out. (info source: Anonymous on the https://www.security.nl forum). Domain expired on May 17, 2016.

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 19, 2016, 06:01:58 PM
Update.

My dear avast forum friends,

Just to keep you updated, the following somewhat more optimistic news amidst all WoT tragedy.

Russian Adguard (adblock injection script solution)
makes use of WoT for its web rep results,
but it uses its own specially developed version of the software,
this according to the following statement from Adguard:

Read: https://blog.adguard.com/en/official-statement-on-web-of-trust-case/

A reaction on the Adguard blog:
Quote
In our case extension doesn't do any shady stuff, and the reputation data is still valuable.
So, there could be a grace period.

Posted by Andrey Meshkov on Adguard Blog

So some see a grace period for adopted tracking-free use of WoT results.
Do they deserve that grace period?

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: kls490 on November 19, 2016, 06:59:18 PM
Nice, detailed info, Pol. Thanks for keeping us abreast!

IMO and experience, once trust has been lost, it is typically VERY difficult to regain it again.

Just my 2-cents, FWIW.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: DavidR on November 19, 2016, 07:31:11 PM
<snip>
IMO and experience, once trust has been lost, it is typically VERY difficult to regain it again.
<snip>

A bit like you only get one chance to make a first impression.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on November 20, 2016, 02:00:10 PM
Update:

Seems WoT is now being discontinued in Adguard as well,
and I do not know whether the Webutation extension is gonna drop the WoT web rep report info also?

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on December 20, 2016, 05:00:38 PM
Good news, WoT is back on Google Chrome: https://www.mywot.com/en/blog/were-back
Quote
We've just released a new version of WOT on the Chrome extension gallery which already has several major code updates in order to protect our users' privacy and an opt-out option from the user Settings, for users who do not wish to share data with us but still want to have easy access to WOT.

polonus
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: DavidR on December 20, 2016, 05:31:24 PM
Good news, WoT is back on Google Chrome: https://www.mywot.com/en/blog/were-back
Quote
We've just released a new version of WOT on the Chrome extension gallery which already has several major code updates in order to protect our users' privacy and an opt-out option from the user Settings, for users who do not wish to share data with us but still want to have easy access to WOT.

polonus

Regaining trust after what they did is going to be very tough, I know I shan't be bothering. Whilst I never took the ratings as gospel more for general advice, I can get along without it with the web shield and AOS.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: bob3160 on December 20, 2016, 11:25:52 PM
Good news, WoT is back on Google Chrome: https://www.mywot.com/en/blog/were-back
Quote
We've just released a new version of WOT on the Chrome extension gallery which already has several major code updates in order to protect our users' privacy and an opt-out option from the user Settings, for users who do not wish to share data with us but still want to have easy access to WOT.

polonus
That's nice, I'm NOT. :)
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: Para-Noid on December 21, 2016, 05:38:58 PM
"Good News"?  We'll see. Right now WoT does not have my trust. But we'll see.
Title: Re: WOT (Web Of Trust) privacy scandal
Post by: polonus on December 21, 2016, 09:54:45 PM
When it comes up on other browsers as well, we have to see whether it could deserve that last T of WoT again ;)
For the moment 'once bitten, twice shy', folks.

polonus