Firefox Extension Spying on Us? - Updated
Update: no more database logging. Details at bottom of this post...
The world of SEO went all smiling a few days ago with 97th Floor publishing their Social Media for Firefox extension. I think it's a great idea; Chris thinks so too, and SEOMoz are terribly excited by it. But it's spying on us. Let me explain.
Open up a new web page, say http://ekstreme.com/, make sure the SM for Firefox extension is in manual mode, and open the Live HTTP Headers extension. Now click the Manual button in the SM for Firefox extension and watch the headers scroll by.
You should see a few blocks of text: one for Digg, one for delicious, one for Stumble Upon, and one for reddit. The last request, though, is a request to the 97th Floor website. In eKstreme.com's case, the URL is:
http://www.97thfloor.com/social-media-for-firefox/put.php?url=http%3A%2F%2Fekstreme.com%2F&service3=3&service1=2&service4=0&service5=0
and the full headers are:
----------------------------------------------------------
GET /social-media-for-firefox/put.php?url=http%3A%2F%2Fekstreme.com%2F&service3=3&service1=2&service4=0&service5=0 HTTP/1.1
Host: www.97thfloor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: MintUnique=1; MintUniqueMonth=1188626400; MintUniqueWeek=1189317600
HTTP/1.x 200 OK
Date: Fri, 14 Sep 2007 23:10:41 GMT
Server: Apache/1.3.37 (Unix) mod_fastcgi/2.4.2 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
X-Powered-By: PHP/5.1.6
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
----------------------------------------------------------
Notice anything fishy? A filename called put.php (put where? A database?) on the 97th Floor website telling it the URL I just requested info for along with some service data. Surely you're not spying on our social media activities 97th Floor... are you?
You'll notice from the headers that the put.php file returns text/html. What is the HTML? Browsing to the URL returns a blank page with one word: "Done". Done what, my dear? Logged the data into the database have we?
And are you tracking the hits with Mint too? Very slick.
So with all due respect, the extension is now uninstalled until we get a clear explanation from 97th Floor. Come on, the, errr, floor is all yours.
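The check above is done by eye: watch Live HTTP Headers, and pick out the one request that goes somewhere other than the four social sites and carries the page URL with it. The same check can be automated over a saved capture. What follows is an added example, not code from the post or from 97th Floor: it parses a capture in the Live HTTP Headers style (the sample capture is constructed, modelled on the request shown above), skips the site itself and an assumed list of expected service hosts, and flags any other request whose query string contains the visited URL, noting whether cookies rode along.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample capture in the style of Live HTTP Headers output, modelled on
# the request shown in the post. Blank lines separate request and response blocks.
CAPTURE = """\
GET /social-media-for-firefox/put.php?url=http%3A%2F%2Fekstreme.com%2F&service3=3&service1=2&service4=0&service5=0 HTTP/1.1
Host: www.97thfloor.com
User-Agent: Mozilla/5.0 (constructed)
Cookie: MintUnique=1

HTTP/1.x 200 OK
Content-Type: text/html

GET /tools/diggthis.js?u=http%3A%2F%2Fekstreme.com%2F HTTP/1.1
Host: digg.com

HTTP/1.x 200 OK
Content-Type: text/javascript

GET /favicon.ico HTTP/1.1
Host: ekstreme.com
"""

# Assumed hosts for the four services the extension reports on; adjust to what
# you actually observe the extension querying.
EXPECTED_SERVICES = ("digg.com", "del.icio.us", "stumbleupon.com", "reddit.com")

METHODS = ("GET", "POST", "HEAD", "PUT")


def parse_requests(capture):
    """Return the request blocks of a capture as dicts; response blocks are skipped."""
    requests = []
    for block in capture.split("\n\n"):
        lines = block.strip().splitlines()
        if not lines or lines[0].split(" ")[0] not in METHODS:
            continue  # a response block ("HTTP/1.x 200 OK") or noise
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        requests.append({"method": method, "target": target,
                         "host": headers.get("host", ""), "headers": headers})
    return requests


def _same_site(host, expected):
    return host == expected or host.endswith("." + expected)


def find_phone_home(capture, page_url, expected_hosts=EXPECTED_SERVICES):
    """Flag requests to hosts outside the page's own site and the expected
    services whose query string carries the visited page URL."""
    page_host = urlsplit(page_url).hostname
    page_norm = page_url.rstrip("/")
    flagged = []
    for req in parse_requests(capture):
        host = req["host"]
        if _same_site(host, page_host) or any(_same_site(host, h) for h in expected_hosts):
            continue
        split_target = urlsplit(req["target"])
        params = parse_qs(split_target.query)
        # Any parameter whose decoded value equals the page URL is the leak.
        leaking = [k for k, vals in params.items()
                   if any(v.rstrip("/") == page_norm for v in vals)]
        if leaking:
            flagged.append({"host": host, "path": split_target.path,
                            "params": leaking, "cookies": "cookie" in req["headers"]})
    return flagged


if __name__ == "__main__":
    for hit in find_phone_home(CAPTURE, "http://ekstreme.com/"):
        print(f"{hit['host']}{hit['path']} receives the page URL via {hit['params']}"
              f"{' (with cookies)' if hit['cookies'] else ''}")
```

Run against the sample, only the put.php request is reported: digg.com is on the expected list and ekstreme.com is the site itself. Passing an empty `expected_hosts` shows every third party that receives the URL, which is the more useful view when you do not yet know what an extension is supposed to talk to.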
Update
After blogging the details above, I emailed a few people as a sanity check and to raise the alert. One of the people I emailed got in touch with Chris Bennett of 97th Floor, and so Chris emailed me and commented below. The summary of our discussions:
- Yes there was data logging, but it was error logging. The data being sent via the URL is consistent with this, and I see no other evidence to shed more light on the question.
- Chris emailed me a link to the database dump/report. It contained URLs and numbers associated with each of reddit, Digg, delicious, and SU for each URL. The download was huge - I stopped it at ~7MB.
- Most of the URLs I saw in the database are harmless: news sites, blogs, etc.
- Some of the URLs were bad to have in there: I didn't know this, but Google apps apparently has some URLs with usernames attached. There are other web apps like that. It's generally a bad idea to tie a username to a login URL (i.e., giving a cracker half the info they need...), but the system still won't log you in automatically.
- Some URLs are really dangerous to have. Some login systems have a step in the login process that creates a unique URL associated with that session. Anyone who knows this (very hard to guess) URL, is logged in automatically, without a password being asked again. Yes, there was at least one URL on such a system in the database.
- The bad URLs were logged when people left the extension in automatic mode.
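The last three points are the real lesson: a URL is not safe to write to a log as-is, because its userinfo, path and query can carry a username or a session token that logs someone in without a password. The post's outcome was to remove the logging entirely, which is the right default. Where an error log genuinely needs to record which URL failed, the following added example (not 97th Floor's code; the sensitive-key list, the token heuristic and all sample URLs are constructed) shows a conservative redaction step to apply before the URL is stored.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query keys that commonly carry identity or credentials (constructed list;
# extend it for the applications you actually see).
SENSITIVE_KEYS = {"user", "username", "email", "login", "token", "session", "sid",
                  "sessionid", "key", "apikey", "auth", "password", "pass", "pwd"}
# A path segment or query value that is a long run of token-ish characters is
# treated as an opaque secret (session ids, one-time login links, API keys).
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-=%]{20,}")
PLACEHOLDER = "REDACTED"


def _is_token(value):
    return bool(TOKEN_RE.fullmatch(value))


def redact_url(url):
    """Return a copy of url safe enough for an error log: no userinfo, no
    fragment, token-like path segments and sensitive query values replaced."""
    parts = urlsplit(url)
    # 1. Strip user:pass@ but keep host and port so the failure is still locatable.
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    # 2. Redact path segments that look like opaque tokens (e.g. login-by-link URLs).
    path = "/".join(PLACEHOLDER if _is_token(seg) else seg
                    for seg in parts.path.split("/"))
    # 3. Redact sensitive or token-looking query values; keep key names for debugging.
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS or _is_token(value):
            value = PLACEHOLDER
        pairs.append((key, value))
    query = urlencode(pairs, safe="/")
    # 4. Drop the fragment entirely; client-side state sometimes holds tokens too.
    return urlunsplit((parts.scheme, netloc, path, query, ""))


def error_record(url, service, message):
    """Build the dict an error logger would store: the redacted URL plus which
    service lookup failed and why."""
    return {"url": redact_url(url), "service": service, "error": message}


if __name__ == "__main__":
    # Constructed examples of the URL shapes the post warns about.
    samples = [
        "https://user:secret@app.example.com/login?session=abc123def456ghi789jkl012&next=/inbox#top",
        "https://example.com/auth/9f86d081884c7d659a2feaa0c55ad015a3bf4f1b/confirm",
        "https://mail.example.com/a/example.com/?user=alice",
        "http://ekstreme.com/",
    ]
    for s in samples:
        print(redact_url(s))
```

The heuristics are deliberately biased toward redacting too much: a 20-character hex or base64 run in a path is far more often a token than a page name, and losing it costs nothing in an error log. Anything shorter than that, or a username in a path segment rather than a query key, will still get through, which is why dropping the URL altogether remains the safer option when the log is only there to count failures per service.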
So what's the conclusion? Given what I know (all summed up above), how Chris reacted, and what other people I know and trust said about Chris, my opinion is that this was an innocent mistake with serious consequences. There is no evidence of malice that I know of, and regardless, it's now fixed.
Less than 24 hours after I blogged the post, Chris released an updated extension and an apology for the whole thing. I installed the new extension and saw no 'phone-home' activity on four different test URLs.
Chris should be commended for his quick and decisive response. I for one am happy to move on. But for everyone out there, the usual 'keep your eyes open' warning always applies. Next time it won't be someone who fixes the problem.
September 15th, 2007 at 2:39 am
Pierre,
We don’t track any user data. We track errors as to what social site doesn’t respond. We have a lot of bugs with SU and Reddit because they don’t have APIs, and lately Del.icio.us. That DP reports errors to my programmer. I have no idea why Mint would be showing up there other than I have Mint stats on 97thfloor's domain. But it is not tied to anything in the db.
We track queries and the pages so we don’t have to grab fresh data for it at all. We don’t track any social accounts, user data, nothing.
We have no problems with taking the db out, and letting our users report all the bugs. We want to be very proactive with this tool and make it very useful for a lot of people, thus we were proactively tracking errors.
I got no problems taking it off if it helps some people rest easier.
I am even going to email you the report it creates; you look at it and tell me if you have any issues with it. If so I will remove it. It is solely for the tool to run better with the mass amounts of usage and to watch for common errors.
September 15th, 2007 at 7:05 am
[…] This extension, the Social Media for Firefox extension, seems like a really great tool. Oh, but what did eKstreme discover about it? It’s spying on us??!! Pierre has all the details of his detective work. Go see it […]
September 15th, 2007 at 11:05 am
Hi Chris,
Thanks for your email. I just replied, and my recommendation is that the database logging functionality needs to be taken out completely. The email has a bit more elaboration.
Cheers,
Pierre
September 15th, 2007 at 5:23 pm
[…] new best friend Pierre Farr brought to my attention via a post last night that there may be some problems with our new Firefox extension Social Media for Firefox. He stated […]