I've had a look at the source and I can confirm the tracking code is present in
debian.
Please read this blog post first:
https://www.kuketz-blog.de/wot-addon-wie-ein-browser-addon-seine-nutzer-ausspaeht/
(German)
https://translate.google.com/translate?hl=en=auto=en=https%3A%2F%2Fwww.kuketz-blog.de%2Fwot-addon-wie-ein-browser-addon-seine-nutzer-ausspaeht%2F
(English)
It's worth a read, the tl;dr is: the author discovered the addon is
sending your browser history together with a unique identifier to mywot
servers. The author then setup a virtual machine with linux, firefox and
no addons besides WOT. Later, the canary dataset was found inside the
data dump that was acquired by the NDR.
This is the version >= stretch:
There's an event handler for `onLocationChange` that is passing the tab
location to `wot_stats.loc`:
```
if (tabUrl && wot_stats.isWebURL(tabUrl)) {
var ref = browser.contentDocument.referrer;
if (request && request.referrer &&
typeof(request.referrer) != undefined) {
ref = request.referrer.asciiSpec;
}
wot_stats.loc(tabUrl, ref);
}
```
https://sources.debian.net/src/wot/20151208-2/content/core.js/#L81
`wot_stats.loc` is then calling `wot_stats.query`, which is sending the
data to a server (https://secure.mywot.com at the point of writing. The
endpoint is remotely configurable, I'll cover that later). I've marked
the comments that are added by myself.
```
data = {
"s":WOT_STATS.SID,
"md":21,
"pid":wot_stats.getUserId(),
"sess":wot_stats.getSession()['id'],
"q":encodeURIComponent(url), //(kpcyrd): this is the current url
"prev":encodeURIComponent(wot_stats.last_prev), //(kpcyrd): this is
the previously seen url
"link":0,
"sub": "ff",
"tmv": WOT_STATS.VER,
"hreferer" : encodeURIComponent(ref), //(kpcyrd): this seems to be
a referer, but I didn't investigate further
"ts" : wot_stats.utils.getCurrentTime()
};
var requestDataInfo = this.utils.serialize(data);
var requestData = requestDataInfo.data;
var requestLength = requestDataInfo.length;
var encoded = btoa(btoa(requestData)); //(kpcyrd): base64 encode twice
if (encoded != "") {
var data = "e=" + encodeURIComponent(encoded);
var statsUrl = settings[this.urlKey] + "/valid"; //(kpcyrd): get
the endpoint from the config
this.utils.postRequest(statsUrl, data, requestLength); //(kpcyrd):
send data to the server, there's a unique identifier in the cookies
}
this.last_prev = url; //(kpcyrd): set the current url as previous url
for the next request
```
https://sources.debian.net/src/wot/20151208-2/content/stats.js/#L280
After decoding the base64, the resulting request looks like this:
https://media.kuketz.de/blog/artikel/2016/wot-addon/unmaskiert2.jpg
As far as I can tell, this is happening for every page load.
The endpoint for that data is dynamic, it's fetched from
https://secure.mywot.com/config when you provide the correct parameters:
```
$ curl 'https://secure.mywot.com/config?s=241=1478145149=1.0'
{"ok":1,"url":"https://secure.mywot.com"}
```
Not sure why it's working like this, I assume it's to obfuscate the
endpoint they're sending data to. The code between this fetch and the
usage quoted above is unnecessary complicated. It could also be used to
bypass firewalls trying to block this.
The data that is sent with this tracking script has huge implications on
privacy, but since these are full urls (hostname, path, querystring,
anchor/fragment) this causes significant implications on security,
especially for applications that store sensitive information in query
strings.
I've also had a quick look at the version in jessie and it looks like
it's "only" operating on hostnames, but when you actually look into some
of the util functions, this doesn't seem to be the case.
```
onLocationChange: function(progress, request, location)
{
if (progress.DOMWindow != this.browser.contentWindow) {
return;
}
if (location) {
wot_core.block(this, request, location.spec);
//(kpcyrd): this sends data to the server
}
wot_core.update();
},
```
https://sources.debian.net/src/wot/20131118-1/chrome/wot.jar%21/content/core.js/#L62
```
block: function(pl, request, url)
{
try {
if (!wot_util.isenabled() || !pl || !pl.browser ||
!url) {
return;
}
if (!wot_warning.isblocking()) {
