Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Spyware Proof

edited October 2010 in Vanilla 2.0 - 2.8
Vanilla sends back the following information about your install without permission. That is a violation of privacy and that is what makes it spyware.


jQuery(document).ready(function($) {

// Phone-home to the VanillaForums server to check for updates
var updateChecks = gdn.definition('UpdateChecks', '');
if (updateChecks != '') {
var webroot = gdn.definition('WebRoot', '');
var data = 'source='+webroot
+ '&users=' + gdn.definition('CountUsers', 0)
+ '&conversations=' + gdn.definition('CountConversations', 0)
+ '&messages=' + gdn.definition('CountConversationMessages', 0)
+ '&discussions=' + gdn.definition('CountDiscussions', 0)
+ '&comments=' + gdn.definition('CountComments', 0)
+ '&updateChecks=' + updateChecks

type: "POST",
url: gdn.url('/dashboard/utility/updateproxy'),
data: data,
dataType: 'json',
success: function(json) {
if (json.messages != '' || json.response != '') {
// Save the message
type: "POST",
url: gdn.url('/dashboard/utility/updateresponse'),
data: 'Messages='+json.messages+'&Response='+json.response+'&TransientKey='+gdn.definition('TransientKey'),
success: function() {
// After the responses have been saved, re-fill the
// #Content with this page's view (in case there are any
// messages to be displayed)
if (json.messages != '')


  • Options
    you cant be serious

    "// Phone-home to the VanillaForums server to check for updates"
    This is a normal process that practically all web based apps, linux distros, cell phone operating systems use..... if it has automatic updates, it has to check for the updates. If it didnt check for updates and offer you to install them, this could be a security threat, staying up to date is one of the easiest ways to protect ones self against exploits/malware.

    I like Marks Response to your other three threads regarding the same topic, if you want to submit code improvements, you may do so. Possibly including an option to turn off automatic updates.. though, they aren't fully automatic yet so ..

    to be honest i think vanilla should have an option to send the developers more information for site statistics relevant to development. What apps are installed, how many apps are installed, tracking errors, site stats, etc etc ... this is a feature request ive been needing to post in GIT.
  • Options
    Upon further investigation I found a script in /applications/dashboard/js/settings.js that calls home and sends back private data to Vanilla servers. It is collecting data about source, users, conversations, messages, comments and updates.
    Google, your mobile operator, your neighbors - they know a lot more really private data about you, while Vanilla just wants to know simple statistics about your installation such as total number of discussions, number of users etc. If you or your client consider it a threat nowadays, then turn your PCs, MACs, mobiles off IMMEDIATELY OR YOU'LL DIE!!!

    Are you trying to get some cheap glory spreading yellow stuff around? You are just presenting yourself as either a retard or idealist - you choose.
  • Options
    MarkMark Vanilla Staff
    edited October 2010
    Here's some info for those who want to disable update checks (from our documentation):

    Although we highly recommend you don't use it as you will no longer be notified of important security updates, we've added a permanent solution for disabling this feature:
  • Options
    can you please reiterate that the application is not collecting any personal identifying information and its purpose is non malicious in any shape or form. If not others will be asking.
  • Options
    MarkMark Vanilla Staff
    edited October 2010
    @bobtheman - Sure!

    Vanilla phones home, reporting a summary of the number of discussions, comments, and users, as well as the name and versions of any add-ons installed. We use this information to (a) figure out what needs to be updated on the client installation and (b) help us promote our product usage.

    Vanilla does not collect any personal identifying information and its purpose is non-malicious. Instructions to disable this feature can be found here:

    Have a great day!
  • Options
    Thank you Mark.
  • Options
    Very professional response, 10 points.
Sign In or Register to comment.