
Hello community. This is my first entry; it is not very long, but there is an important message in the title.
There is such a service for authorization through social networks - uLogin. The developers have released a lot of free plugins for various CMS and here it is - the cheese in a mousetrap.
We see things did not go well, and users began to notice that the service loads strange scripts when the module is running. I am conducting an audit of my site - I noticed that counter.yadro.ru is loaded several times. In total, when loading the page, they loaded 18 resources (js, css, other requests) - that’s a lot for my project with only 47 requests. And their service adds another 18, including requests to third-party sites.
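The kind of resource audit described above can be reproduced with a short script. This is an added example, not code from the post or from uLogin; `auditResourceHosts`, `example.com`, `widget.example.net` and all paths are assumptions made for illustration, and only the hosts counter.yadro.ru and x01.aidata.io come from the post.

```javascript
// Added example: group a page's resource loads by host and flag unexpected third parties.
// In a browser console, pass performance.getEntriesByType('resource') as `entries`.
function auditResourceHosts(entries, pageHost, allowedHosts = []) {
  // Expected hosts: the page's own host, explicitly allowed hosts, and their subdomains.
  const expected = [pageHost, ...allowedHosts].map((h) => h.toLowerCase());
  const isExpected = (host) =>
    expected.some((e) => host === e || host.endsWith('.' + e));
  const byHost = new Map();
  for (const entry of entries) {
    let url;
    try { url = new URL(entry.name); } catch { continue; } // skip unparsable names
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue; // skip data:, blob:
    const host = url.hostname.toLowerCase();
    const rec = byHost.get(host) || { requests: 0, types: new Set(), urls: new Map() };
    rec.requests += 1;
    rec.types.add(entry.initiatorType || 'other');
    const key = url.origin + url.pathname; // ignore query strings when spotting repeats
    rec.urls.set(key, (rec.urls.get(key) || 0) + 1);
    byHost.set(host, rec);
  }
  const report = [...byHost].map(([host, rec]) => ({
    host,
    requests: rec.requests,
    types: [...rec.types].sort(),
    repeated: [...rec.urls].filter(([, n]) => n > 1).map(([url, count]) => ({ url, count })),
    thirdParty: !isExpected(host),
  }));
  // Unexpected hosts first, then by request count, then alphabetically.
  return report.sort((a, b) =>
    Number(b.thirdParty) - Number(a.thirdParty) ||
    b.requests - a.requests ||
    a.host.localeCompare(b.host));
}

// Constructed sample entries: counter.yadro.ru and x01.aidata.io are the hosts named in
// the post; example.com, widget.example.net and every path are made up for illustration.
const sampleEntries = [
  { name: 'https://example.com/style.css', initiatorType: 'link' },
  { name: 'https://example.com/app.js', initiatorType: 'script' },
  { name: 'https://cdn.example.com/logo.png', initiatorType: 'img' },
  { name: 'https://widget.example.net/login.js', initiatorType: 'script' },
  { name: 'https://counter.yadro.ru/hit?r=1', initiatorType: 'img' },
  { name: 'https://counter.yadro.ru/hit?r=2', initiatorType: 'img' },
  { name: 'https://x01.aidata.io/sync', initiatorType: 'script' },
  { name: 'data:image/png;base64,AAAA', initiatorType: 'img' },
];

console.table(auditResourceHosts(sampleEntries, 'example.com', ['widget.example.net']));
```

Running the same audit after every plugin update shows when a widget that was allowed starts pulling in hosts that were never agreed to.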
Here is their response from December 17th:
There are requests to our counter li.ru and to our website. There were partner requests previously, but we finally removed them a few months ago.
- but they were notorious - they sent a request to x01.aidata.io:

And on the resource did not respond to anyone.
So what is this aidata.io? This is a data management platform for software marketing. That is what this service calls itself. But why me? Yes, I know that social networking widgets, share buttons, search engine counters - they all collect data from our site. But they send the data to themselves. They use their own proven scripts - no third party interferes with the script. And uLogin connects a third party and does not tell me, the site owner, about it. Is that fair? I think not. Am I against it? Of course I am.
Since May 25, 2018, the European Union's General Data Protection Regulation (GDPR) has been in force, and in the Russian Federation, earlier, No. 152- “On Personal Data” - and uLogin does not notify my site visitors. I myself did not know that the data was being collected - how would I answer this question if someone knocked on my door? I did not control my site.
Was it worth believing them when they said they had finally removed the tracking? I believed it.
On January 24, 2018, I noticed errors in the site console:

and immediately sounded the alarm. I exchanged emails with the uLogin team - their answer:
This is a script tracker from our partner.
What a twist! A little more than a month ago, they assured me that they had removed this.
Meanwhile, on the Internet, on the reformal site, there was some movement on the subject. I do not know whether the publication rules allow inserting a link, but I will take the risk: the topic of December 28, 2017. There, I wrote and laid out the contents of the included script for the bright heads.
Ivan Pshenitsyn responded to the topic - and he was very surprised - "how can this happen?" He last appeared in the topic at the end of March and then abandoned his clients, who had entrusted their websites to them, to their fate.
And even in May of 2018, new commentators came to the topic; at the end of April, a user with the nickname Maxim published a video showing how the script sends users' personal data (a phone number) from a form on a completely personal site.
A month ago, the topic was raised in the WordPress plug-in's official support forum - two people complained about a leak. There was no official answer.
Should I trust the service team, who claimed in the mail correspondence that they had removed the partner requests, and yet continue to send Trojan horses to our sites? If they allow a third party to load onto our sites, uncontrollably, any JS that these third parties want, is this right? Is it safe? Is it legal?
I am publishing this post because I did not receive a proper response from the uLogin service team.
P.S. Installing the uLogin WordPress plugin does not require registration on their service. This means that the user agreement that they placed on their website is not legally binding.
If you have ideas and thoughts about this product and the current situation, welcome to comments.
upd. 2018-06-05 - Yesterday I wrote a letter to WordPress Security. They responded (but unfortunately the answer has not been sent to me by mail yet) - the plugin in the official WordPress repository is not available for download. The visitor is met by the following inscription:

They are either looking into the question, or giving the uLogin team time to eliminate this behavior.