I posted a link to RejZoR’s article on the Vivaldi forums.
The more the word is spread the better.
Read this, a very interesting discussion about the banning of “WOT” before the scandal broke out:
https://lists.gnu.org/archive/html/directory-discuss/2015-11/msg00003.html
So “WOT” was on a slippery slope from a long time on. We did not know that, did we avast user guys and gals?
Funny that the Anglo-American security media aren’t picking this news up. Well, not to my knowledge at least.
First German NRD-TV had a presentation on the scandal.
The lid came off and now it was also on a Dutch security site with various topics like: https://www.security.nl/posting/491610/Mozilla+verwijdert+Firefox-uitbreiding+Web+of+Trust
But I see nothing on U.K. the Reg. DavidR, do you know if it gets any attention there?
Damian
Stimmt. 8)
Is it not high time for checking with this free tool (free for personal & non-commercial use only): https://www.brightfort.com/eulalyzerdl.html
Many products also transmit a list of visited URLs, or web addresses — both malicious and non-malicious ones.
But the question here is, what do they do with the (de-anonymized) data?
Data may be open to intelligence agencies like the NSA, tapping the internet backbone,
or they can be sold to third parties as in the case mentioned in this thread.
We certainly will need more transparency here, but will we get it, I highly doubt it,
and is not this rather a Trade Secret or State Secret even?
I think we will be stumbling around in the dark for quite some time to come.
As it looks now it is Greater Arcadia versus their end-users - 1:0.
polonus
Are you reviving one of my suggestions ???
https://forum.avast.com/index.php?topic=19387.msg889561#msg889561
This goes back to 2006:
https://forum.avast.com/index.php?topic=16849.msg176661#msg176661
Hi bob3160,
You see how you educate others now, and they later even come up with your own suggestions…
Just joking, but it certainly is so that a close-knit group like ours comes to share similar security views.
Yes, again, many, many thanks to avast who provided us with a platform to do this.
And all that is not surprising, also for those that benefit from the “fruits” of our common security-quest.
Damian
World of Trust or World of No Trust?
It seems that WOT is not a trustworthy world, I feel deeply disappointed in that.
Which alternatives are available, if any?
I shall be looking forward to replies, thanks in advance.
Best, Hermie
There have already been many replies and comments.
Yes, bob3160, but it also went unnoticed by me and many of us,
that WOT in 2015 changed from open source software to closed source,
and then the URLs visited and the e-mail address were sent twice Base64 encoded
(but not encrypted and anonymised) see: -https://github.com/mywot/firefox-xul/blob/master/content/config.js#L404
The stats.js class is defined here: -https://github.com/mywot/firefox-xul/blob/master/content/stats.js
These stats seem to be sent in a post request to -secure.mywot.com when location changed (wot_stats.loc),
security should not rely on the knowledge of the used function. Source: WOT user forum.
WOT staff made the big mistake not to reply in time against these accusations,
probably because of lack of understanding the Germanic languages
(first news appeared in German and Dutch and not in English).
By the time the proverbial cat was well up into the curtains together with
the proverbial manure beginning to hit the proverbial fan,
it was all closing the stable-door after the horse had bolted.
polonus
Just my 3-cents here - FWIW. The link below shows the latest statement from the WOT folks, as of Sunday, November 6th @ 10:08 p.m. (U.S. EST). I also posted this over at the Wilder’s Security Forums as well:
https://www.mywot.com/en/forum/70818-to-the-wot-community
(Link provided by Jeff at Esumsoft Forums)
Regards to all.
“Reviewing our privacy policy to determine which changes need to be made in order to enhance and ensure that our users privacy rights are properly addressed.”
That is like a train that doesn't arrive at the time mentioned in the time table. Hey, we can easily solve that. Let's change the time table. See everyone! It did arrive on time!
“We will spend the coming weeks making the changes to WOT which will ensure we are back on the right track.”
So yes, they were/are off-track.
With their code WOT could have done worse. They could have been able to run arbitrary code on webpages.
That is as bad as it can be. But they had not abused that ability so far. Rob Wu, a security analyzer, found out for us.
Just see this analysis here: Analysis of WOT 20151208 by Rob Wu
https://gist.github.com/Rob--W/bda5f28a0ac3b877780c6665bbed2e1b
polonus
Thanks for the link.
I’m surprised to see that nobody really knows who owns WOT…!! :o
Hi Asyn,
To me that is clear now, as their main registration sponsor is …tucows.
Does that ring a bell, with a main contact in Toronto, but myWOT operates from Wilmington, USA.
Probably that also declares the initial silence on the privacy abuse.
Also domainmonger dot com (spam experts) with 100% insecure IDs tracking seems involved.
A bit of shady and complicated connections there. Is there more information?
polonus
I’ve taken the step of uninstalling from all browsers I use. I also removed the signature link to WOT I’ve had for several years now.
Thanks.
http://screencast-o-matic.com/screenshots/u/Lh/1478613882251-94875.png
To delete your account, please go to your profile edit page. Then go to the bottom of the page and press “Delete account”. …
http://screencast-o-matic.com/screenshots/u/Lh/1478614150784-3276.png
time for Mozilla foundation and Google and etc. to improve rules on Extensions …
if the owner, author, main party changes and the source code isn’t provided immediately
then the Extension will be moved down on the trusted layer to NOT-Trusted or Blocked …
same applies if the ‘changes’ are actually kept in secrecy from extension oversight authority …
Well, the original developer of the code, Sami Tolvanen, now admits that there has been tampering with the original code
some one and a half years ago, and also the Finnish ownership went over into other hands (who was that??).
After the time Tolvanen left, the original WoT code has been changed, and it became malware/ malicious spyware:
Bug 1314332 - Web of TrusT (WOT) Addon is malicious according to news reports
https://bugzilla.mozilla.org/show_bug.cgi?id=1314332#c6
This means factually that the WoT addon between 18-09-2009 and 08-12-2015 could have been able to change the Firefox “about:preferences” page and execute arbitrary code onto your OS. This bug could and should have been patched a long, long time ago now. The browser developers also acted sloppily in the sense that they left the door open for abuse to take place.
Also, Sami Tolvanen himself confirmed that the WoT addon has been changed on purpose since April 20th of 2015 to log all URL-addresses visited by respective users, and logged these data in an insecure manner.
In his own words:
“This change adds logging of each visited URL and clearly attempts to obfuscate the traffic with double Base-64 encoding. Definitely sounds like something that should have been indicated to users.”
An explanation of the Base-64 code used one can find here: https://nl.wikipedia.org/wiki/Base64
There is no form of encryption used, and anyone that wants to do this can get to read it in clear text by simple decoding.
One may therefore safely assume that all your user data could have been sold onto the “grey” market from then on.
For instance a toy-firm may be interested in your meta-data to know what your children’s interests are and wanna pay good money to obtain that info. And for the rest just use your imagination what they were paid for.
Users here are right that it is high time Firefox and Google Chrome and other browsers as well stop this abuse of extensions, add-ons and
APIs on their platforms and clean up their acts, so they can guarantee your extensions are safe and secure, and when an add-on fails, it should get an eternal ban. If self-regulation fails in the data-slurping industry other appropriate steps should be taken.
Abuse of Trust is a criminal act always.
polonus
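The point made in the post above, that Base64 is an encoding and not encryption, shown as an added example that is not part of the thread and not WOT's code: a small audit helper that peels stacked Base64 layers off the fields of a form-encoded request body and reports any URL found underneath. The field names and the sample body are constructed assumptions and do not reproduce the extension's actual request format.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

URL_RE = re.compile(r"https?://[^\s\"'&]+")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def peel_base64(value, max_layers=4):
    """Strip up to max_layers of Base64; return (layers_removed, text)."""
    layers, text = 0, value
    while layers < max_layers and len(text) >= 8 and B64_RE.match(text):
        try:
            decoded = base64.b64decode(text, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break  # not Base64, or no text underneath
        if not decoded.isprintable():
            break
        layers, text = layers + 1, decoded
    return layers, text


def find_leaked_urls(post_body):
    """Return (field, layers, url) for form fields hiding a URL under Base64."""
    findings = []
    for field, value in parse_qsl(post_body, keep_blank_values=True):
        layers, text = peel_base64(value)
        if layers:
            findings.extend((field, layers, u) for u in URL_RE.findall(text))
    return findings


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample body: field names and values are made up for illustration.
SAMPLE_BODY = urlencode({
    "id": "user-1234",
    "payload": _b64(_b64("url=https://shop.example/checkout?item=42")),
    "v": "1",
})

if __name__ == "__main__":
    for field, layers, url in find_leaked_urls(SAMPLE_BODY):
        print(f"{field}: {layers} Base64 layer(s) -> {url}")
```

A layer count above one is itself worth flagging when reviewing an extension's outbound traffic, since a second pass of Base64 adds no confidentiality.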
Update:
Company that owned WoT was registered at 07-10-07- 2006 as TOW Software Oy .
See the rep digger report here: https://repdigger.com/reviews/tow-software-oy
It seems that the original company that held WoT went into liquidation at 09-02-2016.
The liquidation is now being handled by a Finnish law firm, AAtsto Lindfors & Co in Helsinki.
So it seems to me that the service of the firm that was left and finally went into liquidation was apparently being abused by the latest owner.
But by whom? Antti Elias Pekkanen was/is CEO at WoTs, and his website is here: http://inventure.fi/
and then we know that he is into a leading early-stage venture capital company for Finland, the Nordics and the Baltics, inventure.
And in his own words
We help you grow your start-up into a global superstar.
I think for some this may be a revealing posting, folks,
polonus
Further Update:
More on the main players of what we may call now an almost ‘Shakespearian’ digital drama.
It could well have been that the main investors/stakeholders of hxtp://MyWoT.com
wanted their money back or wanted to convert from capital to cash.
- Antti Elias Pekkanen
https://www.linkedin.com/in/anttipekkanen
Pekkanen became a hired ad interim CEO in order to clean up the mess after Sami Tolvanen left.
Apparently he was a puppet for -http://Inventure.fi, a firm contracted by the initial investors.
- Sami Tolvanen had left MyWOT.com 07-04-2014, which could be because of a conflict,
which arose with his former co-founder and silent-partner, Timo Ala-Kleemola,
about where MyWOT had to go with the then proposed business model /selling MyWoT services.
Sami - Resignation
https://www.mywot.com/en/forum/46092-sami
We also find critical remarks from users in the WoT-forums in these days about the proposed paid service model.
Users of the first hour started to abandon ship, while losing confidence in Timo.
- Timo Ala-Kleemola
https://fi.linkedin.com/in/timoalakleemola
Where Tolvanen is now, is unknown. Rumour has it that he, after he left MyWoT.com, started to work for Google dot com.
Could also be another person by that name, as that surname is not very unique for Finland.
The homepage of his former private website (tolvanen.com) has been abandoned not so long ago,
and the website could not be archived by Archive.org, because of a robots.txt exclusion.
The existing LinkedIn account under that name became more or less locked:
Sami Tolvanen
https://www.linkedin.com/in/samitolvanen
We shall see where all these three actors in this drama are gonna present their next performance.
On Youtube we can find vids posted by people that lost money through their practices apparently
or were known insiders to the final fate of the sinking myWoT-Titanic.
Info source taken from a Dutch posting in a thread on https://www.security.nl/
I like to sincerely thank and give all info credits to the anonymous poster thereof,
(Anonymous source 15:18)
polonus