
Mozilla stops distribution of WOT addon - mkesper
You cannot install the WOT addon anymore in Firefox. This is due to WOT selling all your browsing data to firms - easily de-anonymizable (containing e-mail addresses, usernames or identifying parts of URLs in cleartext).
Reporters of the German broadcaster NDR found out about this by inspecting a test dataset they acquired disguised as a company asking around to buy personal data.
======
bimmer44
Web of Trust is a browser extension that claims 140 million installs. The
marketing language on the home page [1] is all about how the extension will
help users decide which websites to trust.

Their privacy statement [2] includes a section that describes "Browsing usage,
including visited web pages, clickstream data or web address accessed;" as one
of the categories of "non-personal information" that they may disclose or
share with 3rd parties.

I'd imagine most users installing an extension to make their browsing safer
would not be happy to know they were also making their entire browsing history
available to 3rd party data brokers at the same time.

Unscrupulous business practices are definitely made easier when no one
actually reads Privacy Policies...

[1] [https://www.mywot.com/](https://www.mywot.com/)

[2]
[https://www.mywot.com/en/privacy/privacy_policy](https://www.mywot.com/en/privacy/privacy_policy)

~~~
raverbashing
Do you know what would be a great way to prevent this?

_All data_ sent by an extension should be user viewable.

Here's the JSON file (or maybe something better) that we are posting; press
Agree to send it.

~~~
byuu
They would just start obfuscating the data (with ciphers, word replacements,
encoding, minification, etc.)

They'd then claim it was for your security/privacy/protection. You know, like
how Microsoft encrypts your Windows 10 usage data it sends them.

At least you could use the presence of such obfuscation as a sign there's
probably something bad afoot. Presuming only a tiny number of extensions try
to encode the data they send.

~~~
jlgaddis
> _... you could use the presence of such obfuscation as a sign there's
> probably something bad afoot._

So, that "if you have nothing to hide..." argument, basically?

~~~
singold
Similar but not the same: one thing is hiding your own information, but
another, very different thing is you taking my information and hiding it from me.

------
moppl
Here is the blog entry of the journalist Mike Kuketz, explaining in detail how
he uncovered the fraud, unfortunately only in German. This includes samples of
the questionable GET and POST requests, as well as a link to a commit to the
WOT sources on GitHub, which introduced the necessary changes ...

[https://www.kuketz-blog.de/wot-addon-wie-ein-browser-addon-s...](https://www.kuketz-blog.de/wot-addon-wie-ein-browser-addon-seine-nutzer-ausspaeht/)

The commit referenced in the blog:

[https://github.com/mywot/firefox-xul/commit/0df107cae8ac1890...](https://github.com/mywot/firefox-xul/commit/0df107cae8ac18901bd665acace4b369c244a3f9)

~~~
moppl
And by the way, he also suggests in his blog post that Ghostery and Adblock
Plus might as well sell browser histories as WOT does. There might be even
more.

~~~
aroch
Ghostery allows you to _OPT IN_ to sending your browsing data [1], which may
be sold as part of services offered by their parent company to improve ad ROI
for their customers. They also tell you that they're collecting the request
data [2].

I think knowingly sharing your data (with a positive affirmation) is
significantly different than having your data collected and sold without your
knowledge.

[1] [http://imgur.com/a/ugglB](http://imgur.com/a/ugglB)

[2] [https://www.ghostery.com/support/faq/ghostery-add-on/What-da...](https://www.ghostery.com/support/faq/ghostery-add-on/What-data-does-Ghostery-collect/)

~~~
qznc
The problem is not the selling of browsing data. WOT tells you openly that
they do it.

The problem is that the data is _not anonymized enough_. The question is
whether this is actually possible.

------
therealmarv
I wanted to say: And Google did not remove it. But actually it is also gone
from the Google extension store. Google also seriously needs to think about security
in their Chrome extension store. I've seen more than once ads injected by
extensions via auto update (no real security there). Maybe I've also been
tracked in the past. Google needs to actively monitor all extensions for ad
injection and tracking code (where are their AI experts on that?) and also it
should react faster to reports. In the past, weeks and months went by before a
report had consequences for an extension. So the discovery of WOT is only
thanks to German reporters... but it was known for longer that WOT tracks you.

~~~
codedokode
There is nothing that can be done. Any moderation can be easily bypassed (for
example, obfuscated code, code loaded from external servers, etc.). You just
should not install software that you don't trust.

For example, I don't use any browser extensions because I don't have time to
inspect their code after every update.

I wonder why both Google and Mozilla don't write this on the front page of
their extension stores?

~~~
paulryanrogers
Serious question: do you audit code changes in browser updates?

EDIT: I realize there are (probably) fewer authors involved there.

~~~
codedokode
Browsers are made by reputable organizations like the Mozilla Foundation or (not
so reputable) Google. And extensions are usually written by some anonymous
person from the Internet (or sold to an anonymous person after gaining popularity).

------
mkesper
Did not find any English versions of this news yet, so here is a translated heise
article:
[https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...](https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FAbgegriffene-Browserdaten-WOT-Anbieter-will-Datenschutz-Vorwuerfe-pruefen-3455466.html&edit-text=&act=url)

~~~
bimmer44
In the article you posted, the WOT spokesperson appears to say that they'll be
making sure that data is better anonymized in future, not that they will stop
selling it. I don't think this type of response is going to work out well for
them...

"When there are cases where information has not been anonymized and protected,
we will, of course, review this and, if necessary, take steps to ensure
adequate protection for our users."

------
dacm
Bug report:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1314332](https://bugzilla.mozilla.org/show_bug.cgi?id=1314332)

------
sumlogp
What's interesting is how the story completely failed to make the news in the
English-speaking net for several days. The story broke on Tuesday (CET),
outside Germany it was only picked up by ghacks until now...

~~~
r721
Ghacks is shadowbanned on HN for some reason. I vouched for this particular
story, but it didn't get traction :(

[https://news.ycombinator.com/item?id=12850214](https://news.ycombinator.com/item?id=12850214)

~~~
user5994461
Could be because of the title: "Your browsing history may have been sold
already"

It's not remotely comparable to the situation. "WOT addon is banned from
browsers after selling users history to the highest bidder."

~~~
cooper12
Please don't use the word "retarded" as a casual adjective. It's a pejorative
term historically used for people with intellectual disabilities. Thanks for
understanding.

------
paulintrognon
It is a shame that Mozilla did not explain why they removed the addon on the
addon page; instead we just find a boring 404 page:
[https://addons.mozilla.org/en-US/firefox/addon/wot-safe-brow...](https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/)

They could have taken the opportunity to show that they care about user
privacy and denounce WoT at the same time.

~~~
rndgermandude
This is a breaking story, and currently Mozilla is reacting.

I am confident they will release a public statement and maybe even an actual
post mortem for the tech crowd.

------
0xmohit
Such innovation .. pure evil.

What's the takeaway? Not to install any browser add-on?

On a serious note, I guess that it might be safer to run a browser in a
Docker container and use one instance to browse only one site. The question is
how feasible it would be.

~~~
jpalomaki
You can use Chrome profiles to create a private "sandbox" for certain
extensions. For example, put webdev-related extensions in a separate profile
which you don't use for daily surfing.

~~~
trendia
You can also use Lynx if you want to go Full Stallman.

------
r721
I came to the conclusion that one should use only addons which are widely used
by netsec experts, because an audit is a fairly rare thing these days and one has
to rely on somebody seeing something suspicious.

------
senorjazz
Good riddance, a vile site full of self-appointed internet police with
hand-painted badges and a sense of importance.

They falsely flagged a website I ran a while back (social media management
tools via approved APIs) as: pharmacy, scam and spam. Due to this, mails from
our server were not getting through.

I tried contacting them saying they are all false. They updated saying we sold
Facebook likes and fake followers. We did nothing of the sort and did nothing
at all with Facebook anyway. I tried contacting them again, to which I was told we
were a scam because the domain had privacy enabled and the site did not have my personal name
and address on it. I value my privacy and do not have my full name and
certainly not my address anywhere online.

I asked our customers via a support forum post if they could post an honest
review of our site and service, which did nothing to the score; it seems a
couple of users have all the power. We then got branded as spammers for trying
to manipulate our rating (with actual reviews), but as it was against the power
users (who had never used our product), we were in the wrong.

~~~
jlgaddis
I "want to believe you" and I always try to extend the benefit of the doubt
whenever possible but it'd be interesting to hear the other side of the story
as well.

Among other things, I manage a bunch of mail servers and I keep a close eye on
them. I "blacklist" IP addresses of "misbehaving senders" pretty often and the
rejection messages provide a way for the sender to get in touch with us. This
way, we can work with them to rectify whatever problem caused them to be
blacklisted by us -- many times it's that an e-mail account was compromised
and used to send out spam.

I can't even begin to count how many times I've had administrators of other
mail servers swear to me that they have _NEVER_ sent out any spam whatsoever
(or similar statements) and that blacklisting them is a mistake and absolutely
100% our fault.

Except that, in every case, I, personally, have looked at every single
message, determined it was spam, tracked down where it came from (verifying
Received: headers against Postfix logs), and manually added the IP address to
our list. In addition, the first time it happens they don't even get prevented
from sending mail to us; only upon the second incident are messages rejected.

Thus, for someone to say that they know absolutely positively 100% without a
doubt that their server never sent us spam just makes me laugh because I know
that not only did they send us spam but, as a matter of fact, they've done it
_at least twice_!

So, like I said, I _want_ to believe you but I'd want to hear it from the
other side before making a conclusion. There's _always_ another version of
events and experience has shown me that it's usually drastically different.

------
secmax
Here is a brief (and compared to the German sources not so great) English
language version of what happened:

[http://techdows.com/2016/11/web-of-trust-add-on-removed.html](http://techdows.com/2016/11/web-of-trust-add-on-removed.html)

------
throwawayweb
This is more or less the same way SimilarWeb collects its data, so I wonder
when they will start being treated the same. They operate a number of in-house
extensions and partner with other extension developers to collect the entire
click trail of the users. Internal links in your intranet, localhost,
"private" Google Drive links, all is collected and sold. It's beyond me how
this shady business is treated as legitimate, including major web and tech
publications citing their data reports.
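
As an added example (not code from the thread, from the NDR/Kuketz investigation or from WOT), a small Python audit that flags the identifying details the submission and the comment above describe surviving in "anonymized" clickstream URLs: e-mail addresses, usernames in paths, secrets in query strings, localhost/intranet hosts, and opaque share-link or session ids. The sample records, the regexes, the host suffixes and the entropy threshold are constructed assumptions, not WOT's data or format.

```python
import math
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample clickstream (no real user data) like the records the thread describes.
SAMPLE_CLICKSTREAM = [
    "https://example.com/news/article-123",
    "https://mail.example.com/inbox?user=alice%40example.com",
    "http://localhost:8080/admin/",
    "https://wiki.internal/users/bob.smith/reports",
    "https://docs.example.com/reset?token=3f9a1c7e2b8d4f6a0c1e5b7d9a3f2c4e",
    "https://drive.example.com/file/d/1aB9xQz7Lm3Np5Rt8Vw2Yk4Jh6Gf0Dc/view",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Heuristic for account names embedded in paths: /users/<name>, /u/<name>, /~<name>
USER_PATH_RE = re.compile(r"/(?:users?|u|profile)/[A-Za-z0-9._-]+|/~[A-Za-z0-9._-]+")
HEX_RE = re.compile(r"[0-9a-fA-F]{24,}")
SECRET_KEYS = {"token", "access_token", "key", "session", "sid", "auth", "code"}
PRIVATE_HOST_SUFFIXES = (".local", ".internal", ".lan")  # assumed intranet suffixes


def looks_opaque(segment):
    # Long hex or high-entropy segments: share-link ids, session ids, reset tokens.
    if len(segment) < 16:
        return False
    probs = [segment.count(c) / len(segment) for c in set(segment)]
    entropy = -sum(p * math.log2(p) for p in probs)  # bits per character
    return HEX_RE.fullmatch(segment) is not None or entropy > 4.0


def audit_url(url):
    # Return the (sorted) reasons one URL record would still identify a person or site.
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qsl(parts.query, keep_blank_values=True)
    findings = set()
    if host == "localhost" or host.startswith(("127.", "10.", "192.168.")) \
            or host.endswith(PRIVATE_HOST_SUFFIXES):
        findings.add("private-network-host")
    if EMAIL_RE.search(unquote(url)):  # decode %40 etc. before looking for addresses
        findings.add("email-in-url")
    if USER_PATH_RE.search(parts.path):
        findings.add("username-in-path")
    findings.update(f"secret-in-query:{k}" for k, _ in query if k.lower() in SECRET_KEYS)
    if any(looks_opaque(seg) for seg in parts.path.split("/") + [v for _, v in query]):
        findings.add("opaque-token")
    return sorted(findings)


def audit_clickstream(urls):
    # Map each failing URL to its findings; URLs with no findings are dropped.
    return {url: audit_url(url) for url in urls if audit_url(url)}
```

Run over the constructed sample, five of the six records fail the check, which is the point qznc raises: stripping the user id from a record does not anonymize a URL that carries the identity itself.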

------
cheiVia0
Details in the Debian bug report:

[https://bugs.debian.org/842939](https://bugs.debian.org/842939)

------
Narretz
WOT = Web of Trust

~~~
myf01d
It should be rebranded as WAT

------
consto
So basically I should uninstall it, correct? Does anyone know of anything to
replace it?

~~~
r721
I think you can use their bookmarklet, but personally I don't see any benefits,
as the somewhat similar Google Safe Browsing service is internally used by all
major browsers.

~~~
FT_intern
It was decently accurate at judging whether a random website contained "legal"
downloads of books.

~~~
r721
Yeah, it is true that WOT is useful for some rare use cases, where it is
important whether some unknown website is a scam or not, but I don't think I
need it for casual browsing.

------
LinuxFreedom
All the other addons are completely trustable, of course.

It also really helps that Firefox never deletes cookies by default and never
tells you about this. We 'respect' your privacy, yes, we do! Really! Look, you
will have only one Google cookie when you start a brand new Firefox.

We _really_ respect your privacy, yes! We will reiterate that until you
believe it, but never change our privacy destroying default settings, because
we 'respect' you!

~~~
sammoth
Do you really think being logged out of every website every time you start
your browser would be an acceptable default?

~~~
jlgaddis
I only browse in (incognito|private) windows. My browsers are configured to
start up that way automatically.

It "works for me" and it'd probably work for a lot of (perhaps even most)
other users so maybe it would be an acceptable default. I don't know.

I think there's a happy medium somewhere between these two extremes that
absolutely _would_ be an acceptable default, though. Firefox could certainly
come with better defaults if Mozilla truly valued privacy that high.

(FWIW, my mozilla.cfg -- pointed to by _general.config.filename_ -- currently
has 127 settings in it. It's been added to over the years, though, so some of
those are certainly deprecated by now.)

------
r3dn3r
Those stories about adblockers selling browsing history and private data are
just a lame attempt to make people stop using adblockers and make us digest all
that advertising crap... Watching an ad is our choice...

~~~
trendia
While advertisers would benefit if people are afraid to use adblockers, it
doesn't necessarily mean that they did it themselves.

There was clearly a market for user browsing data (since WOT was able to find
customers), so if WOT is shut down, more will pop up. And the apps that mine
user data don't need to be adblockers, that's just the reason they give users
to install the extension.

------
dagiuth
On Android I used to go pretty extreme and edit the hosts file on a rooted phone.
You can find maintained lists for it; they just zero out the address. For
security I would also make all the edits I wanted for different things and
then unroot.

For Firefox there is also a script blocker with the ability to whitelist
addresses, and also to remove history on close.

