Author Topic: WOT (Web Of Trust) privacy scandal  (Read 18175 times)


Offline Eddy

Re: WOT (Web Of Trust) privacy scandal
« Reply #30 on: November 07, 2016, 03:56:08 PM »
Quote
Reviewing our privacy policy to determine which changes need to be made in order to enhance and ensure that our users privacy rights are properly addressed.
That is like a train that doesn't arrive at the time mentioned in the timetable. Hey, we can easily solve that. Let's change the timetable. See everyone! It did arrive on time!
Quote
We will spend the coming weeks making the changes to WOT which will ensure we are back on the right track.
So yes, they were/are off-track.
« Last Edit: November 07, 2016, 04:01:01 PM by Eddy »

Online polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #31 on: November 07, 2016, 11:40:38 PM »
With their code WOT could have done worse. They could have been able to run arbitrary code on webpages.
That is as bad as it can be. But they had not abused that ability so far. Rob Wu, a security analyzer, found out for us.

Just see this analysis here: Analysis of WOT 20151208 by Rob Wu
https://gist.github.com/Rob--W/bda5f28a0ac3b877780c6665bbed2e1b

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Asyn

Re: WOT (Web Of Trust) privacy scandal
« Reply #32 on: November 08, 2016, 08:27:50 AM »
Just my 3-cents here - FWIW.  The link below shows the latest statement from the WOT folks, as of Sunday, November 6th @ 10:08 p.m (U.S. EST).  I also posted this over at the Wilder's Security Forums as well:
https://www.mywot.com/en/forum/70818-to-the-wot-community
(Link provided by Jeff at Esumsoft Forums)
Regards to all.
Thanks for the link.
I'm surprised to see that nobody really knows who owns WOT..!! :o
Win 8.1 [x64] - Avast PremSec 20.7.2421.B#1 [UI.544] - CC 5.70 - EEK - FF ESR 68.11 [NS/AOS/uBO/PB] - TB 68.11 - SB/CP/SL/DU.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Online polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #33 on: November 08, 2016, 12:48:25 PM »
Hi Asyn,

To me that is clear now, as their main registration sponsor is .....tucows.
Does that ring a bell, with a main contact in Toronto, but myWOT operates from Wilmington, USA.
Probably that also declares the initial silence on the privacy abuse.
Also domainmonger dot com (spam experts) with 100% insecure IDs tracking seems involved.
A bit of shady and complicated connections there. Is there more information?

polonus

Offline mchain

Re: WOT (Web Of Trust) privacy scandal
« Reply #34 on: November 08, 2016, 12:50:11 PM »
I've taken the step of uninstalling from all browsers I use.  I also removed the signature link to WOT I've had for several years now.

Thanks.
Windows 10 Home 64-bit 1909 Avast Premier Security version 20.1.2397 (build 20.1.5069.559) UI version 1.0.460.

Offline bob3160

Re: WOT (Web Of Trust) privacy scandal
« Reply #35 on: November 08, 2016, 03:07:05 PM »

To delete your account, please go to your profile edit page. Then go to the bottom of the page and press "Delete account". ...


« Last Edit: November 08, 2016, 03:08:46 PM by bob3160 »
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1909 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.3.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline Dwarden

Re: WOT (Web Of Trust) privacy scandal
« Reply #36 on: November 08, 2016, 04:11:27 PM »
time for Mozilla foundation and Google and etc. to improve rules on Extensions ...

if the owner, author, main party changes and the source code isn't provided immediately
then the Extension will be moved down on the trusted layer to NOT-Trusted or Blocked ...

same applies if the 'changes' are actually kept in secrecy from extension oversight authority ...
« Last Edit: November 08, 2016, 04:13:09 PM by Dwarden »
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Online polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #37 on: November 08, 2016, 04:42:27 PM »
Well, the original developer of the code, Sami Tolvanen, now admits that there has been tampering with the original code
some one and a half years ago, and also the Finnish ownership went over into other hands (who was that??).

After the time Tolvanen left, the original WoT code has been changed, and it became malware/ malicious spyware:
Bug 1314332 - Web of TrusT (WOT) Addon is malicious according to news reports
https://bugzilla.mozilla.org/show_bug.cgi?id=1314332#c6

This means, factually, that the WoT addon between 18-09-2009 and 08-12-2015 could have been able to change the Firefox "about:preferences" page and execute arbitrary code on your OS. This bug could and should have been patched a long, long time ago now. The browser developers also acted sloppily in the sense that they left the door open for abuse to take place.

Also Sami Tolvanen himself confirmed that the WoT addon has been changed on purpose since April 20th of 2015 to log all URL addresses visited by respective users, and logged these data in an insecure manner.

In his own words:
Quote
"This change adds logging of each visited URL and clearly attempts to obfuscate the traffic with double Base-64 encoding. Definitely sounds like something that should have been indicated to users."

An explanation of the Base-64 code used one can find here: https://nl.wikipedia.org/wiki/Base64
There is no form of encryption used and anyone that wants to do this can get to read it in clear text by simple decoding.

One may therefore safely assume that all your user data could have been sold onto the "grey" market from then on.

For instance a toy-firm may be interested in your meta-data to know what your children's interests are and wanna pay good money to obtain that info. And for the rest just use your imagination what they were paid for.

Users here are right that it is high time Firefox and Google Chrome and other browsers as well stop this abuse of extensions, add-ons and APIs on their platforms and clean up their acts, so they can guarantee your extensions are safe and secure, and when an add-on fails, they should get an eternal ban. If self-regulation fails in the data-slurping industry, other appropriate steps should be taken.

Abuse of Trust is a criminal act always.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
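
The point in the post above, that double Base-64 is encoding and not encryption, shown from the side of someone reviewing captured traffic. This is an added example, not part of the original post and not WOT's code; the hosts, parameter names and visited URL in the sample are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")
URL_RE = re.compile(r"^https?://\S+$")

def peel_base64(value, max_layers=4):
    """Remove nested Base64 layers; return (layers_removed, final_text)."""
    layers = 0
    while layers < max_layers and B64_RE.match(value):
        # Accept the URL-safe alphabet and restore stripped padding.
        candidate = value.replace("-", "+").replace("_", "/")
        candidate += "=" * (-len(candidate) % 4)
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break  # not Base64 text after all
        if not decoded.isprintable():
            break
        value, layers = decoded, layers + 1
    return layers, value

def find_hidden_urls(request_url):
    """List (param, layers, url) for query values that decode to a URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(request_url).query):
        layers, text = peel_base64(value)
        if layers and URL_RE.match(text):
            hits.append((name, layers, text))
    return hits

def encode_b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample traffic: hosts and parameter names are invented.
VISITED = "https://bank.example/account?id=42"
SAMPLE_REQUESTS = [
    "https://telemetry.example/c?"
    + urlencode({"v": "1", "p": encode_b64(encode_b64(VISITED))}),
    "https://cdn.example/img?" + urlencode({"w": "640", "token": "deadbeefcafe"}),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", find_hidden_urls(req))
```

Run over proxy or browser network logs, a check like this flags any query parameter that turns into a visited URL after one or more decoding passes, which is how such logging can be spotted without any key material.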

Online polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #38 on: November 08, 2016, 11:37:35 PM »
Update:

Company that owned WoT was registered at 07-10-07- 2006 as TOW Software Oy.
See the rep digger report here: https://repdigger.com/reviews/tow-software-oy
It seems that the original company that held WoT went into liquidation at 09-02-2016.
The liquidation is now being handled by a Finnish law firm, AAtsto Lindfors & Co in Helsinki.

So it seems to me that the service of the firm that was left and finally went into liquidation was apparently being abused by the latest owner.
But by whom? Antti Elias Pekkanen was/is CEO at WoTs, and his website is here: http://inventure.fi/
and then we know that he is into a leading early-stage venture capital company for Finland, the Nordics and the Baltics, inventure.
And in his own words:
Quote
We help you grow your start-up into a global superstar.

I think for some this may be a revealing posting, folks,

polonus
« Last Edit: November 08, 2016, 11:50:00 PM by polonus »

Online polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #39 on: November 09, 2016, 04:24:16 PM »
Further Update:

More on the main players of what we may call now an almost 'Shakespearian' digital drama.

It could well have been that the main investors/stakeholders of hxtp://MyWoT.com
wanted their money back or wanted to convert from capital to cash.

1. Antti Elias Pekkanen
https://www.linkedin.com/in/anttipekkanen

Pekkanen became a hired ad interim CEO in order to clean up the mess after Sami Tolvanen left.
Apparently he was a puppet for -http://Inventure.fi, a firm contracted by the initial investors.

2. Sami Tolvanen had left MyWOT.com 07-04-2014, which could be because of a conflict,
which arose with his former co-founder and silent-partner, Timo Ala-Kleemola,
about where MyWOT had to go with the then proposed business model /selling MyWoT services.

Sami - Resignation
https://www.mywot.com/en/forum/46092-sami

We also find critical remarks from users in the WoT-forums in these days about the proposed paid service model.
Users of the first hour started to abandon ship, while losing confidence in Timo.

3. Timo Ala-Kleemola
https://fi.linkedin.com/in/timoalakleemola

Where Tolvanen is now, is unknown. Rumour has it that he, after he left MyWoT.com, started to work for Google dot com.
Could also be another person by that name, as that surname is not very unique for Finland.

The homepage of his former private website (tolvanen.com) has been abandoned not so long ago,
and the website could not be archived by Archive.org, because of a robots.txt exclusion.
The existing LinkedIn account under that name became more or less locked:

Sami Tolvanen
https://www.linkedin.com/in/samitolvanen

We shall see where all these three actors in this drama are gonna present their next performance.
On Youtube we can find vids posted by people that lost money through their practices apparently
or were known insiders to the final fate of the sinking myWoT-Titanic.

Info source taken from a Dutch posting in a thread on https://www.security.nl/ 
I like to sincerely thank and give all info credits to the anonymous poster thereof,

(Anonymous source 15:18)

polonus

Online polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #40 on: November 16, 2016, 06:49:39 PM »
Update: Michael 'Monty' Widenius, founder of MySQL, invests in WOT, Web of Trust (PRWEB, February 16, 2009)
https://web.archive.org/web/20090224182847/http://www.prweb.com/releases/Michael_Widenius/Web_of_Trust/prweb2009984.htm

It is shocking to find out that founders of fundamental open software, like MySQL in this case, were involved in such wheelings and dealings.

So the conclusion should be that users of open software are not protected against such big data-slurping trade deals with the data they share with such a tool, app, service, whatever. The impact of hidden commercialization on user-protection could be enormous and also this could 'pay out' in a negative sense to end-users. They are always at the wrong end of the stick.  :D

According to English-speaking Wikipedia, WoT services are now being classified as spyware. Who the present owners of the My.WoT dot com domain are is hard to find out. (info source: Anonymous on the https://www.security.nl forum). Domain expired on May 17, 2016.

polonus
« Last Edit: November 16, 2016, 07:04:26 PM by polonus »

Online polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #41 on: November 19, 2016, 06:01:58 PM »
Update.

My dear avast forum friends,

Just to keep you updated, the following somewhat more optimistic news amidst all WoT tragedy.

Russian Adguard (adblock injection script solution)
makes use of WoT for his web rep results,
but it uses its own specially developed version of the software,
this according to the following statement from Adguard:

Read: https://blog.adguard.com/en/official-statement-on-web-of-trust-case/ 

A reaction on the Adguard blog:
Quote
In our case extension doesn't do any shady stuff, and the reputation data is still valuable.
So, there could be a grace period.
 
Posted by Andrey Meshkov on Adguard Blog

So some see a grace period for adopted tracking-free use of WoT results.
Do they reserve that grace period?

polonus
« Last Edit: November 19, 2016, 06:03:33 PM by polonus »

Offline kls490

Re: WOT (Web Of Trust) privacy scandal
« Reply #42 on: November 19, 2016, 06:59:18 PM »
Nice, detailed info, Pol. Thanks for keeping us abreast!

IMO and experience, once trust has been lost, it is typically VERY difficult to regain it again.

Just my 2-cents, FWIW.
« Last Edit: November 19, 2016, 07:01:45 PM by kls490 »
kls490

Offline DavidR

Re: WOT (Web Of Trust) privacy scandal
« Reply #43 on: November 19, 2016, 07:31:11 PM »
<snip>
IMO and experience, once trust has been lost, it is typically VERY difficult to regain it again.
<snip>

A bit like you only get one chance to make a first impression.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.6.2420 (build 20.6.5495.561) UI-1.0.544/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Online polonus

Re: WOT (Web Of Trust) privacy scandal
« Reply #44 on: November 20, 2016, 02:00:10 PM »
Update:

Seems WoT is now being discontinued in Adguard as well,
and I do not know whether Webutation extension is gonna drop the WoT web rep report info also?

polonus