Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Web of Trust (WOT) scandal

November 7th 2016 in safety and privacy on the Internet

Originally reported in Germany (http://www.ndr.de/nachrichten/netzwelt/Nackt-im-Netz-Millionen-Nutzer-ausgespaeht,nacktimnetz100.html) and picked up by PCMag (http://www.pcmag.com/news/349328/web-of-trust-browser-extension-cannot-be-trusted).

From the German site (apologies for the translation errors): “In the background, however, the extension also logs and transmits the data for the surfing behavior of the user to a server abroad. A profile is created where the date, time, location, and controlled web address are stored together with a user ID.”

Further: “These data then go to intermediaries. From one of these intermediaries, Panorama and ZAPP got their record.” It is unclear to me whether the ‘data’ that is shared with ‘intermediaries’ includes that user ID.

And: “Reporters from the NDR have been able to personally identify more than 50 users, for example via e-mail addresses in which the name is located, logins, or other components of the called URLs.”

And: “To reach the information, the NDR Reporters have founded a dummy company, which is supposedly active in the ‘big data’ business. Several companies were ready to sell the web data of German Internet users – a company offered the data now evaluated as a free sample. Data packages like this offer countless companies.”

According to pogowasright, WOT have stated that “We take our users’ privacy rights very seriously, and for that reason we go to great lengths to anonymize and aggregate the data we collect to run our service, and we of course never license or disclose user registration information.”

This is a timely reminder that if you collect and share information about web sites visited, you need to be cautious about the inadvertent collection and sharing of PII that may be embedded in a URL.

It’s also a timely reminder that a unique ID may not actually be anonymous. It all depends on what that unique ID can potentially be combined with.
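As an added illustration of the point about PII embedded in URLs (this is not code from the original post or from WOT): one way a collector could reduce a visited URL before storing or sharing it, so that e-mail addresses, logins and tokens carried in the URL are not passed on. The function names, placeholders, thresholds and sample URLs are constructed for this example.

```javascript
// Added example: reduce a visited URL before it is logged or shared.
// scrubUrl, the {placeholders} and the sample URLs are constructed here.

const EMAIL_RE = /[^\s\/@]+@[^\s\/@]+\.[a-z]{2,}/i;
const NUMERIC_ID_RE = /^\d{4,}$/;                 // account or order numbers
const TOKEN_RE = /^(?=.*\d)[A-Za-z0-9_-]{20,}$/;  // session ids, reset tokens

// Replace one path segment if it looks like it identifies a person.
// Over-redaction (e.g. a long slug containing digits) is the accepted cost.
function scrubSegment(seg) {
  let decoded;
  try {
    decoded = decodeURIComponent(seg);  // catches jane.doe%40example.org
  } catch {
    return "{redacted}";                // malformed escape: do not pass it on
  }
  if (EMAIL_RE.test(decoded)) return "{email}";
  if (NUMERIC_ID_RE.test(decoded)) return "{id}";
  if (TOKEN_RE.test(decoded)) return "{token}";
  return seg;
}

// Returns a reduced URL, or null when nothing should be recorded at all.
function scrubUrl(raw, { keepPath = true } = {}) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;                        // unparseable input
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  // u.origin is scheme + host + port only, so user:pass@, ?query and
  // #fragment never reach the output.
  if (!keepPath) return u.origin + "/";
  return u.origin + u.pathname.split("/").map(scrubSegment).join("/");
}

// Constructed sample input.
const samples = [
  "https://mail.example.com/inbox/jane.doe%40example.org/msg?sid=abc#top",
  "https://user:pw@shop.example.com/orders/123456/reset/9f8e7d6c5b4a39281706f5e4?email=a@b.de",
  "file:///home/jane/taxes.pdf",
];
for (const s of samples) console.log(scrubUrl(s));
```

Calling `scrubUrl(url, { keepPath: false })` keeps only the site origin, which is the safer default when the path is not needed.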


One comment to...
“Web of Trust (WOT) scandal”


They better take their users’ privacy rights seriously or there will be repercussions regarding that.

It works a treat:

