Firefox Extension Spying on Us? – Updated
Update: no more database logging. Details at bottom of this post…
The world of SEO went all smiling a few days ago with 97th Floor publishing their Social Media for Firefox extension. I think it’s a great idea; Chris thinks so too, and SEOMoz are terribly excited by it. But it’s spying on us. Let me explain.
Open up a new web page, say http://ekstreme.com/, make sure the SM for Firefox extension is in manual mode, and open the Live HTTP Headers extension. Now click the Manual button in the SM for Firefox extension and watch the headers scroll by.
You should see a few blocks of text: one for Digg, one for delicious, one for Stumble Upon, and one for reddit. The last request though is a request to the 97th Floor website. In eKstreme.com’s case, the URL is:

http://www.97thfloor.com/social-media-for-firefox/put.php?url=http%3A%2F%2Fekstreme.com%2F&service3=3&service1=2&service4=0&service5=0

and the full headers are:

```
GET /social-media-for-firefox/put.php?url=http%3A%2F%2Fekstreme.com%2F&service3=3&service1=2&service4=0&service5=0 HTTP/1.1
Host: www.97thfloor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: MintUnique=1; MintUniqueMonth=1188626400; MintUniqueWeek=1189317600

HTTP/1.x 200 OK
Date: Fri, 14 Sep 2007 23:10:41 GMT
Server: Apache/1.3.37 (Unix) mod_fastcgi/2.4.2 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
X-Powered-By: PHP/5.1.6
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
```
Notice anything fishy? A file called put.php (put where? A database?) on the 97th Floor website is being told the URL I just requested info for, along with some service data. Surely you’re not spying on our social media activities, 97th Floor… are you?
You’ll notice from the headers that the put.php file returns text/html. What is the HTML? Browsing to the URL returns a blank page with one word: "Done". Done what, my dear? Logged the data into the database have we?
And are you tracking the hits with Mint too? Very slick.
So with all due respect, the extension is now uninstalled until we get a clear explanation from 97th Floor. Come on, the, errr, floor is all yours.
Update
After blogging the details above, I emailed a few people as a sanity check and to raise the alert. One of the people I emailed got in touch with Chris Bennett of 97th Floor, and so Chris emailed me and commented below. The summary of our discussions:
- Yes, there was data logging, but it was error logging. The data being sent via the URL is consistent with this, and I see no other evidence to shed more light on the question.
- Chris emailed me a link to the database dump/report. It contained URLs and numbers associated with each of reddit, Digg, delicious, and SU for each URL. The download was huge – I stopped it at ~7MB.
- Most of the URLs I saw in the database are harmless: news sites, blogs, etc.
- Some of the URLs were bad to have in there: I didn’t know this, but Google Apps apparently has some URLs with usernames attached. There are other web apps like that. It’s generally a bad idea to tie a username to a login URL (i.e., giving a cracker half the info they need…), but the system still won’t log you in automatically.
- Some URLs are really dangerous to have. Some login systems have a step in the login process that creates a unique URL associated with that session. Anyone who knows this (very hard to guess) URL is logged in automatically, without a password being asked for again. Yes, there was at least one URL on such a system in the database.
- The bad URLs were logged when people left the extension in automatic mode.
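The Live HTTP Headers check at the top of the post, and the point in the update that some of the logged URLs carried usernames or session tokens, can both be automated. The following is an added example written for this post, not code from 97th Floor or the extension: it parses a capture in the style of the headers quoted above, flags any request that sends the page you are viewing to a host other than the page’s own host or the services the extension is supposed to query, and separately flags URLs whose query string carries credential-like keys. The allowed host names, the sensitive-key list and the share-count path in the sample capture are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the extension legitimately needs for share counts. The post names the
# four services but not their hosts, so these host names are assumptions.
ALLOWED_HOSTS = {"digg.com", "del.icio.us", "www.stumbleupon.com", "reddit.com"}
# Query keys that usually carry a login name or a session token (constructed
# heuristic; the post describes the problem, not a key list).
SENSITIVE_KEYS = {"user", "username", "login", "email", "token", "sid", "session", "auth"}
REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")

def parse_requests(capture):
    """Reduce a Live HTTP Headers capture to (method, path, host) records."""
    requests, current = [], None
    for line in capture.splitlines():
        m = REQUEST_LINE.match(line.strip())
        if m:
            current = {"method": m.group(1), "path": m.group(2), "host": ""}
            requests.append(current)
        elif current and line.lower().startswith("host:"):
            current["host"] = line.split(":", 1)[1].strip().lower()
    return requests

def find_phone_home(capture, visited_url, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, path) for every request that sends the page being viewed
    to a host that is neither that page's own host nor an allowed service."""
    hits = []
    for req in parse_requests(capture):
        # parse_qs percent-decodes, so url=http%3A%2F%2F... compares as a plain URL
        sent = [v for vals in parse_qs(urlsplit(req["path"]).query).values() for v in vals]
        if visited_url in sent and req["host"] not in allowed_hosts | {urlsplit(visited_url).hostname}:
            hits.append((req["host"], req["path"]))
    return hits

def carries_credential(url):
    """True if a URL carries a username or session-style token in its query,
    i.e. the kind of URL that must never reach a third party's log."""
    return bool({k.lower() for k in parse_qs(urlsplit(url).query)} & SENSITIVE_KEYS)

# Constructed capture in the style of the post's Live HTTP Headers output: a
# share-count lookup (path invented) and the extension's put.php request.
SAMPLE_CAPTURE = """\
GET /api/count?url=http%3A%2F%2Fekstreme.com%2F HTTP/1.1
Host: digg.com
HTTP/1.x 200 OK

GET /social-media-for-firefox/put.php?url=http%3A%2F%2Fekstreme.com%2F&service3=3&service1=2&service4=0&service5=0 HTTP/1.1
Host: www.97thfloor.com
HTTP/1.x 200 OK
"""
```

Running `find_phone_home(SAMPLE_CAPTURE, "http://ekstreme.com/")` reports only the www.97thfloor.com request; the digg.com lookup passes because it goes to an allowed service.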
So what’s the conclusion? Given what I know (all summed up above), how Chris reacted, and what other people I know and trust said about Chris, my opinion is that this is an innocent mistake that had serious consequences. There is no evidence of malice that I know of, and regardless, it’s now fixed.
Less than 24 hours after I blogged the post, Chris released an updated extension and an apology for the whole thing. I installed the new extension and saw no ‘phone-home’ activity on four different test URLs.
Chris should be commended for his quick and decisive response. I for one am happy to move on. But for everyone out there, the usual ‘keep your eyes open’ warning always applies. Next time it won’t be someone who fixes the problem.