If you ask me to name the best Firefox add-on for sharing stuff online (on Facebook, Twitter, Google Buzz etc.), I will certainly answer – Shareaholic. The Shareaholic offers great convenience to the users with its brilliant capabilities.
Michael Shynar has discovered a serious issue with Shareaholic: It sends sensitive browsing data to the third part sites like Compete.com, and most of the users are unaware of this. Shareaholic is not even mentioning this malicious behavior on their homepage or as a privacy policy on Mozilla AMO.
Michael monitored HTTP requests sent by Shareaholic and concluded that it was sending a request to consumerinput.com, even when he removed all of social services from Shareaholic. This site is managed by a company to anonymously records Internet browsing behavior of users. Disgusting!!
Later, Jay Meattle (a developer from Shareaholic team) replied to Michael’s post and confirmed this tracking feature of Shareaholic. According to Jay, the request to the above site is for an API access, which brings (optional) Stats Monitor feature to the Shareaholic add-on. Jay says:
only by knowing which web page you are viewing can the browser tool show you information about that web page or Web site from Compete.com. This is not spyware in any way. [ … ]
You can also disable the Stats Monitor. Just go to the Shareaholic options menu -> Display Options -> Uncheck the Stats Monitor options. This will make those API calls to return stats stop.
The Stats Monitor is only available in Shareaholic for Firefox. Wish it was not needed, but Compete.com requires it from developers to prevent fraud usage of their API. Also making this behavior very clear in the next update within the extension itself (not just the welcome/upgrade pages). Privacy is critical.
I am very disappointed with this incident. When a user installs an approved add-on from Mozilla AMO, he/she should always feels safe. If an add-on is sending critical private data to third party sites (even anonymously), it should clearly mention this in privacy policy of the add-on.
:(
Thanks to Michael Shynar. Read more details on Michael’s blog.
Read More Articles:
thanks for the info. you’re incorrect. it is in their privacy policy – http://www.shareaholic.com/privacy (which AMO listing links to also), plus in a notice when you install the addon (just tried it).
how else are they supposed to display compete and digg stats if the addon has no way to tell what page you’re on?
@Tito:
1> The “privacy policy” page is not hosted on AMO.
2> Generally, “Privacy policy” appears before installing add-on & users need to agree with it before installing. In Shareaholic’s case this is not so.
I’m unable to see such notice when installing Shareaholic.
This seemed a little unusual to me but on quick check xmarks does the same. btw, it looks like someone at shareaholic may have read this and added it to the top too now.
Also from the Welcome page i got:
“Statistics Monitor (optional feature) – Please read this carefully
To be able to provide you with diverse and extensive URL and Web site related information the browser tool may exchange data with certain third-party service providers like …….. other Web statistics providers. For example, only by knowing which web page you are viewing can the browser tool show you information about that web page or Web site. When you use this feature, Shareaholic or a third-party statistics providers may receive the URL sent by the web sites you visit, including, any personal information inserted into those URLs by the web site operator.
Granted this could be clearer earlier, which I think Shareaholic alluded to be working on in the response?
Arpit, no clue. Maybe try installing in a new firefox profile? I got it when I installed (had never installed before).
This is the limit. Thanks for sharing information. I am disabling this feature.
this is not a big issue for individual users. I faith Shareaholic and Compete both. This is not hurting “Privacy”.
it’s silly. techraga should also have a privacy policy too (didn’t see one). by using Google Analytics and Clicky, you’re sending my “private” data to google and other 3rd parties.
Just illustrating a point :)
@sacag: It is an issue, at least for me.
@Tito: lol :) btw, I’m not tracking your every visit. Google Analytics & Clicky just gather general information like your browser, OS etc.
Arpit, google probably does a lot worse things with our data than anyone else. your privacy policy is hidden two pages deep + you’re sending data to Google. google analytics is on hundreds of thousands of websites — you don’t think they put it all together? they probably have more data ACROSS WEBSITES on us than anyone else out there. at least shareaholic screams and makes it obvious in their welcome page, privacy policy, etc. again, just illustrating a point.
How many people switch of their cookies? Analytics is critical to the functioning of your site, I get it and fine with it regardless. To show stats, Shareaholic needs to get the stats somehow, right?? they can’t possible store all that data on our computer locally.
“Shareaholic is not even mentioning this malicious behavior on their homepage or as a privacy policy on Mozilla AMO.” = this is simply incorrect.
Don’t get me wrong, I love your work! But I’d suggest, as responsible journalists, correcting this post with facts vs. heresy. I just don’t see sensationalism to be productive.
Sorry about so many comments, but this post hit a note.
@Tito: I agree with you. Google is the biggest spy on net. I love Shareaholic, but can’t compare it with Google. As an end user and add-on developer, I wish every Fx add-on should have clear policies.
Arpit, we’re all human, i’m sure no harm was intended, and that shareaholic will make any necessary changes. although it was very clear to me when i installed shareaholic today. I think they do a lot already with the welcome page notice, etc — most add-ons with similar behavior don’t do that (any addon that shows you data that is so large that it can’t possibly be stored locally). maybe you should contact them to clear all this up? we all would benefit.
yes, I hope Shareaholic will add a privacy policy page @ AMO as well – which will appear before installing add-on. Agree with “no harm was intended”. :)