[dupe] WOT is selling your PII and browsing history (lifehacker.com)
34 points by _yoqn on Nov 10, 2016 | 14 comments

I have seen the data the article talks about. For more than 99% of the URLs, there was NO "cleaning" performed whatsoever; instead they just used the raw URL and thus made it accessible to anyone who bought the data. Some of these URLs included sensitive session information, password reset tokens, e-mails or private links to content hosted on Dropbox / Google Calendar / Google Drive and similar web services.

Also, WOT is not the only extension doing this, the company behind it has hundreds of other extensions and mobile apps that perform the same kind of data collection, capturing several percent of the entire Web traffic in total (in Germany alone, almost 3 million people were spied upon using this technique).

Browser vendors really need to change their attitude towards extensions, as they basically allow users to install malware/spyware in their browsers without performing any real certification / auditing. At the very least there should be a way for users to see a full audit log of the information that an extension sends to remote servers, as this is usually already enough to tell if the extension is sending more data than it should.

Also, anonymization should NEVER be done on the remote end, but always at the source, as there is no way to guarantee that it will happen otherwise (as WOT proves).
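Added illustration of the two points made in the comment above (raw URLs carry session IDs, reset tokens and private share links; anonymization has to happen at the source, inside the extension). This is not code from any comment in this thread or from WOT. The host list, the token heuristics and the sample URLs are constructed assumptions for this example.

```javascript
// Added example, not code from the thread or from WOT: minimise a visited URL
// inside the browser extension, before it is ever handed to a telemetry server.
// The point from the parent comment: cleaning on the remote end cannot be
// verified by the user, so the sensitive parts must never leave the machine.

// Only http(s) pages are ever reported; file:, chrome:, about: etc. are dropped.
const REPORTABLE_SCHEMES = new Set(['http:', 'https:']);

// Hosts whose path IS the secret (share links, private calendar feeds). Assumed
// list for this example; a real policy would be maintained separately.
const CAPABILITY_PATH_HOSTS = new Set([
  'www.dropbox.com', 'dl.dropboxusercontent.com',
  'drive.google.com', 'docs.google.com', 'calendar.google.com',
]);

// Path segments that look like opaque tokens rather than human-readable slugs.
// Thresholds are this example's own choice and err toward over-redaction:
// a long product slug may be redacted, but a short reset token never survives.
const TOKEN_PATTERNS = [
  /^[0-9a-f]{20,}$/i,                                // long hex: session ids, hashes
  /^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9_-]{12,}$/,      // mixed alnum: base62/base64url tokens
  /^[^@\/\s]+@[^@\/\s]+\.[^@\/\s]+$/,                // an e-mail address as a segment
];
const TOKEN_PREFIXES = ['private-'];                 // e.g. Google Calendar "private-<hash>"

function safeDecode(segment) {
  try { return decodeURIComponent(segment); } catch { return segment; }
}

function looksLikeToken(segment) {
  const decoded = safeDecode(segment);
  if (TOKEN_PREFIXES.some(p => decoded.toLowerCase().startsWith(p))) return true;
  return TOKEN_PATTERNS.some(re => re.test(decoded));
}

// Audit side: list what a raw URL would disclose if sent verbatim. This is the
// check a reviewer runs over an extension's outbound log; an empty list means
// the URL is already as minimal as this policy demands.
function auditUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return ['unparsable URL']; }
  const findings = [];
  if (!REPORTABLE_SCHEMES.has(u.protocol)) findings.push(`non-web scheme ${u.protocol}`);
  if (u.username || u.password) findings.push('credentials in userinfo');
  if (u.search) findings.push('query string');
  if (u.hash) findings.push('fragment');
  if (CAPABILITY_PATH_HOSTS.has(u.hostname)) findings.push('capability-style path host');
  for (const seg of u.pathname.split('/')) {
    if (seg && looksLikeToken(seg)) findings.push(`token-like path segment "${seg}"`);
  }
  return findings;
}

// Minimisation side: what the extension is allowed to transmit. Returns null
// when nothing about the URL should be reported at all.
function minimiseUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (!REPORTABLE_SCHEMES.has(u.protocol)) return null;
  const host = u.hostname;                           // drops userinfo and port
  if (CAPABILITY_PATH_HOSTS.has(host)) return `${u.protocol}//${host}/`;
  const path = u.pathname.split('/')
    .map(seg => (seg && looksLikeToken(seg) ? '[redacted]' : seg))
    .join('/');
  return `${u.protocol}//${host}${path}`;            // query and fragment never included
}

// Constructed sample URLs of the kinds the parent comment describes.
const SAMPLE_URLS = [
  'https://shop.example.com/account?sessionid=8f3a9c2e1b4d7f6a5c3e9b1d',
  'https://mail.example.com/reset?token=Q2h1Y2tOb3JyaXM&uid=42',
  'https://mail.example.com/reset/Q2h1Y2tOb3JyaXM',
  'https://www.dropbox.com/s/3j5m6vlu34k0vy6/budget.xlsx?dl=0',
  'https://calendar.google.com/calendar/ical/alice%40example.com/private-0123456789abcdef0123456789abcdef/basic.ics',
  'https://admin:hunter2@intranet.example.com:8443/dashboard#overview',
  'https://example.org/blog/2016/11/web-of-trust?utm_source=newsletter',
  'file:///home/alice/Documents/tax-return.pdf',
];

for (const raw of SAMPLE_URLS) {
  console.log(raw);
  console.log('  would leak :', auditUrl(raw).join('; ') || 'nothing');
  console.log('  transmit   :', minimiseUrl(raw));
}
```

The design choice is deliberate: query strings and fragments are never sent at all, rather than filtered by a list of "known bad" parameter names, because the list would always lag behind the next site's naming scheme. The price is that harmless parameters (a `utm_source`, a forum item id) are lost too; for a reputation service that only needs the page, that is the right trade.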


> Browser vendors really need to change their attitude towards extensions, as they basically allow users to install malware/spyware in their browsers without performing any real certification / auditing.

Browser vendors have already increased restrictions on extensions to the point where it impedes the development and use of some security improving extensions. There may be some things that could be changed to improve transparency and end user control. But it is ultimately the end user's responsibility to determine what is and isn't appropriate for their use. Browser vendors don't have enough information to make that call.

> At the very least there should be a way for users to see a full audit log of the information that an extension sends to remote servers, as this is usually already enough to tell if the extension is sending more data than it should.

Which of the popular browsers don't have the ability to display network traffic? I've used the one in Chrome and the one in Firefox on multiple occasions.

Normally, the problem isn't detecting that an extension is sending data to a server. The problem is that people don't look for that and discover it. Or they discover it and tolerate it based on a hope that the data will never be misused. Cloudy judgement.


> Browser vendors really need to change their attitude towards extensions, as they basically allow users to install malware/spyware in their browsers without performing any real certification / auditing.

That's something I hear a lot in context of the WOT issue, but how should that work? There are thousands (maybe millions) of extensions with new versions all the time. I see only one way: Shut down extensions and only allow a few selected ones that get audited by the browsers.

However, do we really want this?

> At the very least there should be a way for users to see a full audit log of the information that an extension sends to remote servers, as this is usually already enough to tell if the extension is sending more data than it should.

That helps experts analyze extensions, but it doesn't fix the problem of thousands of users installing some shady extension nobody looked at. WOT was even open source, yet nobody seemed to have bothered to look into it until recently.


No, it is not necessary to shut down all extensions, you just need a better security model. Today, one click is sufficient to grant an extension unlimited access to all your request data (including form data) together with the ability to send that data anywhere. In addition, most of the problematic extensions try to trick the user by either not informing him/her at all about the data collection, or by misnaming it as anonymized collection of "usage statistics" (which is often a blatant lie).

Of course it's fine to argue that it's the user's problem, but then I don't see why on one hand we're trying to harden browsers against all kinds of sophisticated attack vectors while at the same time giving malicious actors privileged access to all the user's data via the App Store. And again, restricting the kind of access that an extension has to the user's data would be a first step to remedy the problem. Allowing users to report abuse in an effective way would be a second step. Being more strict with violators would be a third one, as today most extensions simply reapply for access after being deleted and often get included again (just wait and see, WOT will also make a reappearance).


> the company behind it has hundreds of other extensions and mobile apps that perform the same kind of data collection

Please name that company. Are you referring to "TOW Software" or some corporate overlord?


Both Firefox[1] and Chrome[2] removed it from their stores. I don't know if we should expect an official announcement, but it seems that neither Mozilla nor Google commented on the issue. Many other sources reported it though[3][4][5].

If you are using WOT in either Firefox or Chromium/Chrome you can just remove it without replacing it with anything. Both browsers cover that for you with Google's Safe Browsing[6][7].

[1]: https://addons.mozilla.org/en-Us/firefox/addon/wot-safe-brow...
[2]: https://chrome.google.com/webstore/detail/wot-web-of-trust-w...
[3]: http://techdows.com/2016/11/web-of-trust-add-on-removed.html (4/11/2016)
[4]: http://www.ghacks.net/2016/11/05/mozilla-and-google-remove-w... (5/11/2016)
[5]: https://www.reddit.com/r/news/comments/5bgnyr/weboftrust_rem... (6/11/2016)
[6]: https://wiki.mozilla.org/Security/Safe_Browsing
[7]: https://www.google.com/tools/firefox/safebrowsing/


They are:

> Reviewing our privacy policy to determine which changes need to be made in order to enhance and ensure that our users privacy rights are properly addressed.

'addressed' is not the same as 'respected'.


World of Tanks? War on Terror?

Come on people. You saved 9 characters in that post title.


I spent the first 30 seconds or so reading this thread thinking that World Of Tanks must have some browser extension. Never heard of Web Of Trust before.


is anyone really surprised by this?


Yes, I didn't use or recommend WOT because it didn't seem useful, but I never suspected anything shady. How did you know?


Maybe one of the "140,000,000" users they promote on their homepage.


Some details in the Debian bug report:

https://bugs.debian.org/842939



