Author Topic: WOT (Web Of Trust) privacy scandal  (Read 13426 times)


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 55257
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: WOT (Web Of Trust) privacy scandal
« Reply #15 on: November 04, 2016, 02:15:33 PM »
Web of Trust (WOT) Add-on taken down by Google and Mozilla after reports of selling Users browsing history
http://techdows.com/2016/11/web-of-trust-add-on-removed.html
It's still available for Mobile devices. Wonder if that also sells your browsing history ???
I wouldn't take a chance Bob. ;)
My recommendation is to remove it if you have it. Not to consider it if it's not currently installed.
http://bob3160.blogspot.com/2016/11/11-3-2016-wot-web-of-trust-not-so.html
Way to go Bob. Good advice.
Win 8.1 [x64] - Avast Premier 18.7.2354.BC - CC 5.47 - MCS - EEK - FF ESR 60.2.2 [NS/AOS/uBO] - TB 60.2.1 [EM] - ACP/ASB/ASL.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523

Offline abruptum

  • Super Poster
  • ***
  • Posts: 1722
Re: WOT (Web Of Trust) privacy scandal
« Reply #16 on: November 04, 2016, 06:12:42 PM »
This is a total fiasco. I am still using WOT, but I blocked the data collecting server by adding this to My Filters in uBlock Origin:
52.5.242.93
52.205.103.6
52.73.240.213
52.44.121.119
107.21.18.47
107.21.49.33
prod-mywo-mywotpop-175cqrplyb0n9-2133581242.us-east-1.elb.amazonaws.com

Maybe I am wrong and by blocking these addresses I am actually doing nothing at all.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80437
  • No support PMs thanks
Re: WOT (Web Of Trust) privacy scandal
« Reply #17 on: November 04, 2016, 06:44:40 PM »
Personally, when you have to start going to these degrees to stop something like this you really have to consider why you should keep it. Not to mention, what is to stop them adding more IPs, it could be a constantly moving target.

Also as has been mentioned Google and Mozilla have taken down the WOT add-on.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 18.7.2354/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.8.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 30768
  • malware fighter
Re: WOT (Web Of Trust) privacy scandal
« Reply #18 on: November 04, 2016, 06:46:46 PM »
My idea is to disable the add-on/extension in the browser as long as we haven't heard anything from the alleged perpetrators.
It is a shame my alter-alias has a Silver Membership there (now I am not gonna tell his name).

@ Asyn: "Whoever lies once is not believed, even when he speaks the truth.
That now applies also, and above all, to WOT."

Mozilla now made the WOT add-on unavailable for downloads:
-https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
You will get a not found.

WOT users brought angry reactions up at the WOT forum:
-https://www.mywot.com/en/forum/70396--virus-spyware-do-not-install-uninstall-as-soon-as-possible
It now even spilled over to Wikipedia: It's now mentioned in Wikipedia:
hxxps://en.wikipedia.org/wiki/WOT_Services#Privacy_issues
This is the server (someone has beaten me to it):

Name: -prod-mywo-mywotpop-175cqrplyb0n9-2133581242.us-east-1.elb.amazonaws dot com
Addresses: 52.5.242.93
52.205.103.6
52.73.240.213
52.44.121.119
107.21.18.47
107.21.49.33
Aliases: -secure dot mywot dot com

I saw the wot api cookie disappear suddenly to-day -

The WOT reaction: https://www.mywot.com/en/forum/70476-user-update-from-wot

WOT extension also vanished from the Google Webstore.
My advice try Webutation: chrome-extension://nfclfmabiojpommfcalfdgjjeaahnjbj/html/options.html

Look ups: http://www.webutation.net/

Yesterday I checked on WOT: Good, I had this being blocked for me on WOT: https://dev.visualwebsiteoptimizer.com/j.php?aXXXXXX&u=https%3A%2F%2Fwww.mywot.com%2F&r=0.XXXXXXXXXXXXXXX

Revealing also the results here: http://www.cookiechecker.nl/check-cookies.php?url=www.mywot.com%2F&cache=false
Retirable jQuery: -https://www.mywot.com/
Detected libraries:
jquery - 1.7.1 : (active1) -https://www.mywot.com/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

And what to think about this external link: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fcdnjs.cloudflare.com%2Fajax%2Flibs%2Fbxslider%2F4.2.5%2Fjquery.bxslider.min.js
working out through -counter.yadro.ru/hit;bgcheck2?r"+

And we should also analyze here, external link: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fconnect.facebook.net%2Fen_US%2Fsdk.js

And they are also into canvas fingerprinting profiling: CanvasFingerprintBlock
Blocked 1 potential HTML canvas fingerprinting attempt on this page
Prevented a script on -https://www.mywot.com from capturing the following 32px × 32px canvas (via toDataURL):

Finally a track the tracker result report: -https://tools.digitalmethods.net/beta/trackerTracker/?jobid=581a5e2512477&json=result&view=renderHtmlTable (analytics, trackers & widgets).

polonus (volunteer website security analyst and website error-hunter)

P.S. In hindsight: https://wyrdwolf.wordpress.com/2015/08/04/how-web-of-trust-can-ruin-your-credibility/
« Last Edit: November 04, 2016, 07:17:44 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6711
  • Trust only what you test yourself!
Re: WOT (Web Of Trust) privacy scandal
« Reply #19 on: November 04, 2016, 08:35:49 PM »
From the WOT privacy policy "SHARING DATA WITH THIRD PARTIES

We do not share any Personal Information collected from you with third parties or any of our partners except in the following events:

Law Requirement: we will share your information, solely to the extent needed to comply with any applicable law, regulation, legal process or governmental request (i.e., to comply with courts injunction, comply with tax authorities, etc.)
Policy Enforcement: we will share your information, solely to the extent needed to enforce our policies (including our policies and agreements), including investigations of potential violations thereof, including without limitations, investigate, detect, prevent, or take action regarding illegal activities or other wrongdoing, suspected fraud or security issues;
Company’s Rights: we will share your information, solely to the extent needed to establish or exercise our rights to defend against legal claims;
Third Party Rights: we will share your information, solely to the extent needed to prevent harm to the rights, property or safety of us, our users, yourself or any third party; or (vi) for the purpose of collaborating with law enforcement agencies or in case we find it necessary in order to enforce intellectual property or other legal rights.
Affiliated Companies: We may share your data with our parent company, any subsidiaries, joint ventures, or other companies under common control ("Affiliated Companies") solely if and when applicable or necessary for the purposes described in this Privacy Policy.
Corporate Transaction: We may share Information, including Personal Information, in the event of a corporate transaction (e.g. sale of a substantial part of our business, merger, consolidation or asset sale). In the event of the above, our Affiliated Companies or acquiring company will assume the rights and obligations as described in this Privacy Policy.
If we combine Personal Information with Non-Personal Information, the combined information will be treated as Personal Information for as long as it remains combined."

After reading Asyn's reply (#11) I'm removing WOT from Firefox, Chrome and Vivaldi.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline Para-Noid

Re: WOT (Web Of Trust) privacy scandal
« Reply #20 on: November 04, 2016, 09:01:24 PM »
I posted a link to RejZoR's article on the Vivaldi forums.
The more the word is spread the better.  ;)

Offline polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #21 on: November 04, 2016, 11:04:49 PM »
Read this, a very interesting discussion about the banning of "WOT" before the scandal broke out:
https://lists.gnu.org/archive/html/directory-discuss/2015-11/msg00003.html

So "WOT" was on a slippery slope from a long time on. We did not know that, did we avast user guys and gals?

Funny that the Anglo-American security media aren't picking this news up. Well, not to my knowing at least.
First German NRD-TV had a presentation on the scandal.
The lid came off and now it was also on a Dutch security site with various topics like: https://www.security.nl/posting/491610/Mozilla+verwijdert+Firefox-uitbreiding+Web+of+Trust
But I see nothing on U.K. the Reg. DavidR, do you know it gets any attention there?

Damian

Offline Asyn

Re: WOT (Web Of Trust) privacy scandal
« Reply #22 on: November 05, 2016, 06:29:56 AM »
@ Asyn: "Whoever lies once is not believed, even when he speaks the truth.
That now applies also, and above all, to WOT."
True. 8)

Offline polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #23 on: November 05, 2016, 01:27:58 PM »
Is not it high time for checking with this free tool (free for personal & non-commercial use only): https://www.brightfort.com/eulalyzerdl.html

Many products also transmit a list of visited URLs, or web addresses — both malicious and non-malicious ones.
But the question here is, what do they do with the (de-anonymized) data?
Data may be open to intelligence agencies like the NSA, tapping the internet backbone,
or they can be sold to third parties as in the case mentioned in this thread.

We certainly will need more transparency here, but will we get it, I highly doubt it,
and is not this rather a Trade Secret or State Secret even?

I think we will be stumbling around in the dark for quite some time to come.
As it looks now it is Greater Arcadia versus their end-users - 1:0.

polonus

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 38953
  • 58 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: WOT (Web Of Trust) privacy scandal
« Reply #24 on: November 05, 2016, 02:19:34 PM »
Are you reviving one of my suggestions ???
https://forum.avast.com/index.php?topic=19387.msg889561#msg889561
This goes back to 2006:
https://forum.avast.com/index.php?topic=16849.msg176661#msg176661
Free avast! Security Seminar: http://www.authorstream.com/Presentation/bob3160-1425909-protecting-yourself/    -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1809 64bit, 8 Gig Ram, AvastFree 18.7.2354, WinPatrol, Unchecky How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #25 on: November 05, 2016, 04:19:38 PM »
Hi bob3160,

You see how you educate others now, and they later even come up with your own suggestions.....  ;)
Just joking, but it certainly is so that a close-knit group like ours come to share similar security views.
Yes, again, many, many thanks to avast who provided us with a platform to do this.
And all that is not surprising, also for those that benefit from the "fruits" our common security-quest.

Damian

Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: WOT (Web Of Trust) privacy scandal
« Reply #26 on: November 06, 2016, 10:42:47 PM »
World of Trust or World of No Trust?
It seems that WOT is not a trustworthy world, I feel deeply disappointed in that.
Which alternatives are available, if any?

I shall be looking forward to replies, thanks in advance.

Best, Hermie

Offline bob3160

Re: WOT (Web Of Trust) privacy scandal
« Reply #27 on: November 06, 2016, 10:55:52 PM »
There have already been many replies and comments. :)

Offline polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #28 on: November 06, 2016, 11:36:22 PM »
Yes, bob3160, but it also went unnoticed by me and many of us,
that WOT in 2015 changed from open source software to closed source,
and then the URLs visited and the e-mail address were sent twice base64 encoded
(but not encrypted and anonymised) see: -https://github.com/mywot/firefox-xul/blob/master/content/config.js#L404

The stats.js class is defined here: -https://github.com/mywot/firefox-xul/blob/master/content/stats.js
These stats seem to be sent in a post request to -secure.mywot.com when location changed (wot_stats.loc),
security should not rely on the knowledge of used function   Source: WOT user forum.

WOT staff made the big mistake not to reply in time against these accusations,
probably because of lack of understanding the Germanic languages
(first news appeared in German and Dutch and not in English).

By the time the proverbial cat was well up into the curtains together with
the proverbial manure beginning to hit the proverbial fan,
it was all closing the stable-door after the horse had bolted.

polonus
« Last Edit: November 06, 2016, 11:39:12 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
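
The point made in Reply #28, that encoding a record with base64 twice is neither encryption nor anonymisation, can be checked on captured traffic. The following is an added example, not part of the original thread and not WOT's code: it peels nested base64 layers from a request body and reports any URLs or e-mail addresses readable underneath. The record layout, the `email` and `loc` field names and all sample values are constructed assumptions.

```javascript
// Added example (Node.js): audit a captured request body for browsing data
// hidden only by nested base64. No key is needed at any step.

const B64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Decode one base64 layer; return null if the input is not clean base64
// or the decoded bytes are not printable text.
function decodeLayer(text) {
  const s = text.trim();
  if (s.length < 8 || s.length % 4 !== 0 || !B64_RE.test(s)) return null;
  const out = Buffer.from(s, 'base64').toString('utf8');
  // Reject binary output (UTF-8 replacement character or control bytes).
  if (/[\uFFFD\u0000-\u0008\u000E-\u001F]/.test(out)) return null;
  return out;
}

// Peel up to maxLayers of base64 and return how many layers were removed
// together with the text found underneath.
function peel(body, maxLayers = 5) {
  let current = body;
  let layers = 0;
  while (layers < maxLayers) {
    const next = decodeLayer(current);
    if (next === null) break;
    current = next;
    layers += 1;
  }
  return { layers, plaintext: current };
}

// Report URLs and e-mail addresses readable once the layers are removed.
function findLeaks(body) {
  const { layers, plaintext } = peel(body);
  const urls = plaintext.match(/https?:\/\/[^\s"'&]+/g) || [];
  const emails = plaintext.match(/[\w.+-]+@[\w-]+(\.[\w-]+)+/g) || [];
  return { layers, urls, emails };
}

// Constructed sample: hypothetical field names, example.* values only.
const record =
  'email=user@example.com&loc=https://clinic.example.org/appointments?id=42';
const once = Buffer.from(record, 'utf8').toString('base64');
const captured = Buffer.from(once, 'utf8').toString('base64');

console.log(findLeaks(captured));
```

A single visited URL such as the constructed one above can already identify a person, which is why stripping the account name alone would not make such a record anonymous.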

Offline kls490

  • Sr. Member
  • ****
  • Posts: 208
  • Queen of the house
Re: WOT (Web Of Trust) privacy scandal
« Reply #29 on: November 07, 2016, 03:27:58 PM »
Just my 3-cents here - FWIW.  The link below shows the latest statement from the WOT folks, as of Sunday, November 6th @ 10:08 p.m. (U.S. EST).  I also posted this over at the Wilder's Security Forums as well:

https://www.mywot.com/en/forum/70818-to-the-wot-community

(Link provided by Jeff at Esumsoft Forums)

Regards to all.
« Last Edit: November 07, 2016, 03:30:14 PM by kls490 »
kls490