Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Spyware Proof

whywhy
edited October 2010 in Vanilla 2.0 - 2.8
Vanilla sends back the following information about your install without permission. That is a violation of privacy and that is what makes it spyware.

\applications\dashboard\js\settings.js

jQuery(document).ready(function($) {

// Phone-home to the VanillaForums server to check for updates
var updateChecks = gdn.definition('UpdateChecks', '');
if (updateChecks != '') {
var webroot = gdn.definition('WebRoot', '');
var data = 'source='+webroot
+ '&users=' + gdn.definition('CountUsers', 0)
+ '&conversations=' + gdn.definition('CountConversations', 0)
+ '&messages=' + gdn.definition('CountConversationMessages', 0)
+ '&discussions=' + gdn.definition('CountDiscussions', 0)
+ '&comments=' + gdn.definition('CountComments', 0)
+ '&updateChecks=' + updateChecks

$.ajax({
type: "POST",
url: gdn.url('/dashboard/utility/updateproxy'),
data: data,
dataType: 'json',
success: function(json) {
if (json.messages != '' || json.response != '') {
// Save the message
$.ajax({
type: "POST",
url: gdn.url('/dashboard/utility/updateresponse'),
data: 'Messages='+json.messages+'&Response='+json.response+'&TransientKey='+gdn.definition('TransientKey'),
success: function() {
// After the responses have been saved, re-fill the
// #Content with this page's view (in case there are any
// messages to be displayed)
if (json.messages != '')
$('#Content').load(
gdn.url('/dashboard/settings/index'),
'DeliveryType=ASSET&DeliveryMethod=XHTML'
);
}
});
}
}
});
}
});
Tagged:

Comments

  • you cant be serious

    "// Phone-home to the VanillaForums server to check for updates"
    This is a normal process that practically all web based apps, linux distros, cell phone operating systems use..... if it has automatic updates, it has to check for the updates. If it didnt check for updates and offer you to install them, this could be a security threat, staying up to date is one of the easiest ways to protect ones self against exploits/malware.

    I like Marks Response to your other three threads regarding the same topic, if you want to submit code improvements, you may do so. Possibly including an option to turn off automatic updates.. though, they aren't fully automatic yet so ..

    to be honest i think vanilla should have an option to send the developers more information for site statistics relevant to development. What apps are installed, how many apps are installed, tracking errors, site stats, etc etc ... this is a feature request ive been needing to post in GIT.
  • Upon further investigation I found a script in /applications/dashboard/js/settings.js that calls home and sends back private data to Vanilla servers. It is collecting data about source, users, conversations, messages, comments and updates.
    Google, your mobile operator, your neighbors - they know a lot more really private data about you, while Vanilla just wants to know simple statistics about your installation such as total number of discussions, number of users etc. If you or your client consider it a threat nowadays, then turn your PCs, MACs, mobiles off IMMEDIATELY OR YOU'LL DIE!!!

    Are you trying to get some cheap glory spreading yellow stuff around? You are just presenting yourself as either a retard or idealist - you choose.
  • MarkMark Vanilla Staff
    edited October 2010
    Here's some info for those who want to disable update checks (from our documentation):

    http://vanillaforums.org/page/updates

    Although we highly recommend you don't use it as you will no longer be notified of important security updates, we've added a permanent solution for disabling this feature:

    http://github.com/vanillaforums/Garden/commit/490ccfb844d9f35874bb1187b5f71487ee0a6800
  • @Mark
    can you please reiterate that the application is not collecting any personal identifying information and its purpose is non malicious in any shape or form. If not others will be asking.
  • MarkMark Vanilla Staff
    edited October 2010
    @bobtheman - Sure!

    Vanilla phones home, reporting a summary of the number of discussions, comments, and users, as well as the name and versions of any add-ons installed. We use this information to (a) figure out what needs to be updated on the client installation and (b) help us promote our product usage.

    Vanilla does not collect any personal identifying information and its purpose is non-malicious. Instructions to disable this feature can be found here: http://vanillaforums.org/page/updates

    Have a great day!
  • Thank you Mark.
  • Very professional response, 10 points.
Sign In or Register to comment.