Shareaholic Contains Spyware?

(Apr 20): Shareaholic 1.9.7 has the problematic tracking feature disabled by default.

I’ve been using Shareaholic for the last four months to share web content. This browser extension groups together almost all social networks and services and offers comfortable, unified sharing.

Today, while debugging a different browser extension, I fired up Wireshark and started looking at my HTTP requests. Setting my browser to localhost, I was surprised to see Firefox make two requests:

GET http://localhost/
GET http://dcs.consumerinput.com/fast-cgi/MI
      ?ver=3ss&userid=xxxx&registrar=shr&d=http%3A%2F%2Flocalhost%2F

This didn’t seem at all kosher. I suspected one of my Firefox addons was responsible for the extra request, and after turning off addon after addon – Shareaholic was the one to blame. To be 100% sure, I removed all of my social services from Shareaholic, and it still made the suspicious request. The request ceased after disabling the addon.

Shareaholic claims to be 100% malware-free and even has a Softpedia certificate for it. The certificate addresses version 1.9.5, while I have version 1.9.6.

A look at consumerinput.com reveals that it belongs to a company specializing in data collection. From their website:

What makes the Consumer Input Panel unique is that we utilize a small piece of software that resides on your PC which anonymously records your Internet browsing behavior. Your information gets merged with browsing histories of thousands of other consumers to help companies improve the way they do business.

Seems like I’ve been unwittingly contributing to this shady marketing firm for a while now (Shareaholic 1.9.6 was released in January).

It’s worth noting that as far as I can tell, the Shareaholic extension for Google Chrome doesn’t exhibit the same malicious behaviour.

I wouldn’t like to hurt Shareaholic’s reputation without being sure about this. Therefore, if you are a user of Shareaholic on Firefox, I’d appreciate it if you could confirm this behavior.

To test for yourself, get a Firefox extension called Tamper Data. Turn it on, browse to a website, and it should display all the HTTP requests being issued in a convenient manner. Turn Shareaholic on/off, restart Firefox, and see if there is a request for the consumerinput.com domain. You can post a comment here or tweet to @mshynar.
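The check described above can also be run over an exported list of request URLs instead of by eye. The following is an added example, not part of the original post or of Shareaholic: it flags any request whose query string carries a previously visited URL to a different host, which is the pattern of the `d=` parameter in the capture quoted earlier. The function names and the third sample request are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed capture: the two requests quoted in the post, plus an
# unrelated same-site request added here as a negative case.
CAPTURE = [
    "http://localhost/",
    "http://dcs.consumerinput.com/fast-cgi/MI"
    "?ver=3ss&userid=xxxx&registrar=shr&d=http%3A%2F%2Flocalhost%2F",
    "http://localhost/style.css?v=2",
]


def _normalize(url):
    """Reduce a URL to (scheme, host, path without trailing slash) for comparison."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.path.rstrip("/"))


def find_url_leaks(requests):
    """Flag requests that send a previously requested URL to a different host.

    Returns one dict per finding: the receiving host, the parameter carrying
    the URL, the leaked URL, and the other parameters sent along with it.
    """
    seen = {}       # normalized URL -> URL as first requested
    findings = []
    for url in requests:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # parse_qsl percent-decodes values, so d=http%3A%2F%2F... becomes a plain URL
        params = parse_qsl(parts.query, keep_blank_values=True)
        for name, value in params:
            key = _normalize(value)
            if not value.startswith(("http://", "https://")) or key not in seen or key[1] == host:
                continue    # not a URL, not one we visited, or sent back to its own site
            findings.append({
                "receiver": host,
                "param": name,
                "leaked_url": seen[key],
                "sent_with": {k: v for k, v in params if k != name},
            })
        seen[_normalize(url)] = url
    return findings


if __name__ == "__main__":
    for finding in find_url_leaks(CAPTURE):
        print(finding)
```

The `sent_with` field is worth reading on each finding: a stable value such as `userid` alongside the page URL is what turns a per-page lookup into a browsing history tied to one installation.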

Read Jay Meattle’s comment on Hacker News.

Posted Sunday, April 4th, 2010 under Life 2.0.

6 comments

  1. Hi Michael,

    That API call is for the optional Stats Monitor feature which was introduced in January (the little stats icon in your task bar that shows you the Compete.com stats for the page you’re on).

    The call is intrinsic to the functioning of this feature. For example, only by knowing which web page you are viewing can the browser tool show you information about that web page or Web site from Compete.com. This is not spyware in any way. We wouldn’t have even thought about making this feature a part of Shareaholic if we didn’t believe Compete to be a reputable company, and that it improved the overall Shareaholic user experience.

    You can also disable the Stats Monitor. Just go to the Shareaholic options menu -> Display Options -> Uncheck the Stats Monitor options. This will make those API calls to return stats stop.

    That said, I completely agree with you that we could have done a much better job with being more clear about this behavior with our users, and we didn’t do the best job at this at first. To correct this, we soon after added a prominent notice to the welcome and upgrade pages:

    Example:
    http://www.shareaholic.com/tools/firefox/welcome
    http://www.shareaholic.com/tools/firefox/upgrade

    and in the next release we also plan to make this even clearer with messaging within the extension itself.

    I can assure you, your privacy is critically important to us. If at all we can do anything more, please do let me know and we’ll do it. Thanks so much for sticking with us!

    Jay

    • As far as I can tell, the “stats monitor” feature is not advertised on the front page. In fact, I tried navigating the site for a while but couldn’t hit the Firefox welcome/upgrade pages that contain the disclaimer.

      Most people upgrade their plugin via Firefox’s addon manager, and skip the “what’s new” page that opens up. This is because we trust whoever made the plugin to not introduce any malicious behavior in future updates.

      Judging by the intrusive nature of this feature, I believe it should be opt-in rather than opt-out.

      Placing an explicit confirmation message within the plugin, mentioning a unique user-id tracking will be enabled, seems like a satisfying solution.

  2. Yes, yes I can confirm this! I found your post after searching because I noticed the same website pulling in the URL of every single web page I go to. No doubt, Shareaholic is very sneaky. The new “feature” they are trying to hide behind is not why I started using something called SHAREaholic. “Website Stats Monitor” was snuck into one of their numerous updates and it obviously has nothing to do with sharing. The feature is a great excuse for spying on every single web page a user looks at.

  3. Found this through the compete site: “People are recruited to join Compete’s community through http://www.compete.com and http://www.consumerinput.com. Anonymous consumer data is also licensed from national ISPs and ASPs.” This is funny because I didn’t know Shareaholic “recruited” me, but more importantly look at this… “ASP” right there stands for “Application Service Provider”. So now it’s very obvious why Shareaholic has turned into spyware, because the spying is “licensed” from their application. Shareaholic is probably getting paid a killing for letting consumerinput spy on so many users. This is more than aggravating, and they need to be shut down for such sneaky behavior. Users should be notified. What is the process? How do we report these guys?

  4. I uninstalled this a year ago. Here's another website plugin called Sexybookmarks that Shareaholic destroyed with more spyware and crappy features that hurt security and performance:
    http://ineedhelpwithwordpress.com/sexybookmarks-performance/

    Shareaholic sucks! Do not use!
