WOT (Web Of Trust) privacy scandal

[Asyn]

Web of Trust (WOT) Add-on taken down by Google and Mozilla after reports of selling Users browsing history
http://techdows.com/2016/11/web-of-trust-add-on-removed.html

It's still available for Mobile devices. Wonder if that also sells your browsing history

I wouldn't take a chance Bob.

My recommendation is to remove it if you have it. Not to consider it if it's not currently installed.
http://bob3160.blogspot.com/2016/11/11-3-2016-wot-web-of-trust-not-so.html

Way to go Bob. Good advice.

[abruptum]

This is a total fiasco. I am still using WOT, but I blocked data collecting server by adding this to My Filters in uBlock Origin :
52.5.242.93
52.205.103.6
52.73.240.213
52.44.121.119
107.21.18.47
107.21.49.33
prod-mywo-mywotpop-175cqrplyb0n9-2133581242.us-east-1.elb.amazonaws.com

Maybe I am wrong and by blocking this addresses I am actually doing nothing at all.

[DavidR]

This is a total fiasco. I am still using WOT, but I blocked data collecting server by adding this to My Filters in uBlock Origin :
52.5.242.93
52.205.103.6
52.73.240.213
52.44.121.119
107.21.18.47
107.21.49.33
prod-mywo-mywotpop-175cqrplyb0n9-2133581242.us-east-1.elb.amazonaws.com

Maybe I am wrong and by blocking this addresses I am actually doing nothing at all.

Personally, when you have to start going to these degrees to stop something like this you really have to consider why you should keep it. Not to mention, what is to stop them adding more IPs, it could be a constantly moving target.

Also as has been mentioned Google and Mozilla have taken down the WOT add-on.

[polonus]

My idea is to disable the add-on/extension in the browser as long as we haven't heard anything from the alleged perpetrators.
It is a shame my alter-alias has a Silver Membership there (now I am not gonna tell his name).

@ Asyn: "Wer einmal lügt, dem glaubt man nicht, und wenn er auch die Wahrheit spricht.
Das gilt jetzt auch und vor allem für WOT."

Mozilla now made the WOT add-on unavailable for downloads:
-https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
You will get a no- found.

WOT users brought angry reactions up at the WOT forum:
-https://www.mywot.com/en/forum/70396--virus-spyware-do-not-install-uninstall-as-soon-as-possible
It now even spilled over to Wikipedia: It's now mentioned in Wikipedia:
hxxps://en.wikipedia.org/wiki/WOT_Services#Privacy_issues
This is the server (someone has beaten me to it):

Name: -prod-mywo-mywotpop-175cqrplyb0n9-2133581242.us-east-1.elb.amazonaws dot com
Addresses: 52.5.242.93
52.205.103.6
52.73.240.213
52.44.121.119
107.21.18.47
107.21.49.33
Aliases: -secure dot mywot dot com

I saw the wot api cookie disappear suddenly to-day -

The WOT reaction: https://www.mywot.com/en/forum/70476-user-update-from-wot

WOT extension also vanished from the Google Webstore.
My advice try Webutation: chrome-extension://nfclfmabiojpommfcalfdgjjeaahnjbj/html/options.html

Look ups: http://www.webutation.net/

Yesterday I checked on WOT: Good, I had this being blocked for me on WOT: https://dev.visualwebsiteoptimizer.com/j.php?aXXXXXX&u=https%3A%2F%2Fwww.mywot.com%2F&r=0.XXXXXXXXXXXXXXX

Revealing also the results here: http://www.cookiechecker.nl/check-cookies.php?url=www.mywot.com%2F&cache=false
Retirable jQyery: -https://www.mywot.com/
Detected libraries:
jquery - 1.7.1 : (active1) -https://www.mywot.com/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

And what to think about this external link: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fcdnjs.cloudflare.com%2Fajax%2Flibs%2Fbxslider%2F4.2.5%2Fjquery.bxslider.min.js
working out through -counter.yadro.ru/hit;bgcheck2?r"+

And we should also analyze here, external link: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fconnect.facebook.net%2Fen_US%2Fsdk.js

And they are also into canvas fingerprinting profiling: CanvasFingerprintBlock
Blocked 1 potential HTML canvas fingerprinting attempt on this page
Prevented a script on -https://www.mywot.com from capturing the following 32px × 32px canvas (via toDataURL):

Finally a track the tracker result report: -https://tools.digitalmethods.net/beta/trackerTracker/?jobid=581a5e2512477&json=result&view=renderHtmlTable (analytics, trackers & widgets).

polonus (volunteer website security analyst and website error-hunter)

P.S. In hindsight: https://wyrdwolf.wordpress.com/2015/08/04/how-web-of-trust-can-ruin-your-credibility/

[Para-Noid]

From the WOT privacy policy "SHARING DATA WITH THIRD PARTIES

We do not share any Personal Information collected from you with third parties or any of our partners except in the following events:

Law Requirement: we will share your information, solely to the extent needed to comply with any applicable law, regulation, legal process or governmental request (i.e., to comply with courts injunction, comply with tax authorities, etc.)
Policy Enforcement: we will share your information, solely to the extent needed to enforce our policies (including our policies and agreements), including investigations of potential violations thereof, including without limitations, investigate, detect, prevent, or take action regarding illegal activities or other wrongdoing, suspected fraud or security issues;
Company’s Rights: we will share your information, solely to the extent needed to establish or exercise our rights to defend against legal claims;
Third Party Rights: we will share your information, solely to the extent needed to prevent harm to the rights, property or safety of us, our users, yourself or any third party; or (vi) for the purpose of collaborating with law enforcement agencies or in case we find it necessary in order to enforce intellectual property or other legal rights.
Affiliated Companies: We may share your data with our parent company, any subsidiaries, joint ventures, or other companies under common control ("Affiliated Companies") solely if and when applicable or necessary for the purposes described in this Privacy Policy.
Corporate Transaction: We may share Information, including Personal Information, in the event of a corporate transaction (e.g. sale of a substantial part of our business, merger, consolidation or asset sale). In the event of the above, our Affiliated Companies or acquiring company will assume the rights and obligations as described in this Privacy Policy.
If we combine Personal Information with Non-Personal Information, the combined information will be treated as Personal Information for as long as it remains combined."

After reading Asyn's relpy (#11) I'm removing WOT from Firefox, Chrome and Vivaldi.

[Para-Noid]

I posted a link to RejZoR's article on the Vivaldi forums.
The more the word is spread the better. 

[polonus]

Read this, very interesting discussing about the banning of "WOT" before the scandal broke out:
https://lists.gnu.org/archive/html/directory-discuss/2015-11/msg00003.html

So "WOT" was on a slippery slope from a long time on. We did not know that, did we avast user guys and gals?

Funny that the Anglo-American security media aren't picking this news up. Well, not to my knowing at least.
First German NRD-TV had a presentation on the scandal.
The lid came off and now it was also on a Dutch security site with various topics like: https://www.security.nl/posting/491610/Mozilla+verwijdert+Firefox-uitbreiding+Web+of+Trust
But I see nothing on U.K. the Reg. DavidR, do you know it gets any attention there?

Damian

[Asyn]

@ Asyn: "Wer einmal lügt, dem glaubt man nicht, und wenn er auch die Wahrheit spricht.
Das gilt jetzt auch und vor allem für WOT."

Stimmt.

[polonus]

Is not it high time for checking with this free tool (free for personal & non-commercial use only): https://www.brightfort.com/eulalyzerdl.html

Many products also transmit a list of visited URLs, or web addresses — both malicious and non-malicious ones.
But question here is, what do they do with it the (de-anonymized) data?
Data may be open to intelligence agencies like the NSA, tapping the internet backbone,
or they can be sold to third parties as in mentioned case in this thread.

We certainly will need more transparency here, but will we get it, I highly doubt it,
and is not this rather a Trade Secret or State Secret even?

I think we will be stumbling around in the dark for quite some time to come.
As it looks now it is Greater Arcadia versus their end-users - 1:0.

polonus

[bob3160]

Is not it high time for checking with this free tool (free for personal & non-commercial use only): https://www.brightfort.com/eulalyzerdl.html

Many products also transmit a list of visited URLs, or web addresses — both malicious and non-malicious ones.
But question here is, what do they do with it the (de-anonymized) data?
Data may be open to intelligence agencies like the NSA, tapping the internet backbone,
or they can be sold to third parties as in mentioned case in this thread.

We certainly will need more transparency here, but will we get it, I highly doubt it,
and is not this rather a Trade Secret or State Secret even?

I think we will be stumbling around in the dark for quite some time to come.
As it looks now it is Greater Arcadia versus their end-users - 1:0.

polonus

Are you reviving one of my suggestions
https://forum.avast.com/index.php?topic=19387.msg889561#msg889561
This goes back to 2006:
https://forum.avast.com/index.php?topic=16849.msg176661#msg176661

[polonus]

Hi bob3160,

You see how you educate others now, and they later even come up with your own suggestions..... 
Just joking, but it certainly is so that a close-knit group like ours come to share similar security views.
Yes, again, many, many thanks to avast who provided us with a platform to do this.
And all that is not surprising, also for those that benefit from the "fruits" our common security-quest.

Damian

[REDACTED]

World of Trust or World of No Trust?
It seems that WOT is not a thrustworthly world, I feel deeply disappointed in that.
Which alternatives are available, if any?

I shall be looking forward to replies, thanks in advance.

Best, Hermie

[bob3160]

World of Trust or World of No Trust?
It seems that WOT is not a thrustworthly world, I feel deeply disappointed in that.
Which alternatives are available, if any?

I shall be looking forward to replies, thanks in advance.

Best, Hermie

There have already been many replies and comments.

[polonus]

Yes, bob3160, but it also went unnoticed by me and many of us,
that WOT in 2015 changed from open source software to closed source,
and then the urls visited and the e-mail address were sent twice 64 base encoded
(but not encrypted and anonymised) see: -https://github.com/mywot/firefox-xul/blob/master/content/config.js#L404

The stats.js class is defined here: -https://github.com/mywot/firefox-xul/blob/master/content/stats.js
These stats seem to be sent in a post request to -secure.mywot.com when location changed (wot_stats.loc),
security should not rely on the knowledge of used function   Source: WOT user forum.

WOT staff made the big mistake not to reply in time against these accusations,
probably because of lack of understanding the Germanic languages
(first news appeared in German and Dutch and not in English).

By the time the proverbial cat was well up into the curtains together with
the proverbial manure beginning to hit the proverbial fan,
it was all closing the stable-door after the horse had bolted.

polonus

[kls490]

Just my 3-cents here - FWIW.  The link below shows the latest statement from the WOT folks, as of Sunday, November 6th @ 10:08 p.m (U.S. EST).  I also posted this over at the Wilder's Security Forums as well:

https://www.mywot.com/en/forum/70818-to-the-wot-community

(Link provided by Jeff at Esumsoft Forums)

Regards to all.