AuctionFun scary install code (Merged)
Moderators: tydust, LorenzoG, timothy.stiffler
I was looking for an Auction component for my site and found
AuctionFun
http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,795/Itemid,35/
After playing around a bit with it I found this in the install code
// this is for service purposes only, no use will be made from this address, nor will it be sold, hired etc...
$recipient="[email protected]";
$body = "$mosConfig_live_site";
$body .= "\n<br />address = ".$_SERVER['SERVER_ADDR'];
$body .= "\n<br />name = ".$_SERVER['SERVER_NAME'];
$body .= "\n<br />doc_root = ".$_SERVER['DOCUMENT_ROOT'];
$n=mosMail($my->email, $my->username, $recipient, "AuctionFun install", $body, 1, $mosConfig_mailfrom);
// please do not remove these lines, thank you!
What is this "$my->username"? I am hoping it is not my admin password. Should I be worried?
Mod Note: Added merged in the subject
Last edited by LorenzoG on Sat Mar 31, 2007 9:26 am, edited 1 time in total.
Re: AuctionFun scary install code
This sends the email address of the user you are logged in with ($my->email), the username you are logged in with ($my->username), and your website address ($mosConfig_live_site).
Antonie de Wilde - Forum admin
Re: AuctionFun scary install code
This is a little sketchy... did the component indicate that it would send an email back home?
Live site wouldn't seem that strange to me - it is basically telling the developer that you are using their extension. But why would they pass back the $_SERVER variables? Shouldn't live site be enough?
Since the component is released under an Open Source/Free License, if I were to use it, I probably would comment out that code... probably harmless, but why do they want to know what my DOCUMENT_ROOT is?
Ian
Help test my Component XML Generator Tool!
http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1997/Itemid,35/
All feedback appreciated!
- LorenzoG
- Member of the Month!
- Posts: 879
- Joined: Fri Aug 19, 2005 8:46 am
- Location: Stockholm, Sweden
Re: AuctionFun scary install code
I do agree with you Ian. The whole question is however a little complex. We have seen several components, both open source and commercial that "calls home" during the installation process. What is acceptable and what is not?
Personally, I don't have any problem with components that send back some basic and general information to the author if it's stated very clearly that the component does so, and what they send and why. But we have components that don't inform about such behaviour, and in this case, what is acceptable from a privacy point of view? That the domain is sent? That the user's email address is sent? Or even more sensitive information?
Should we make any distinction between open source components and commercial components (where the author indeed has an interest in keeping an eye on whether the user breaches the licence agreement)? Should we differ between readable code and encrypted code, where it's more difficult to find such behaviour? How to act with other hidden code like hidden metatag links etc.?
We are monitoring this and we do discuss this.
Joomla! Extensions Directory - http://extensions.joomla.org
Keep an eye out for the Swedish Joomla association that is being formed.
Re: AuctionFun scary install code
Yes... agree about the complexities.
IMO, we shouldn't be looking at what is common, but at how things should be.
My concern is a little less with this component because at least on the product home page they tell you that it sends an email back for support purposes:
For service reasons an email will be sent to me from your server during installation. No use will be made of this unless you contact us for help.
Though it would be better if this were displayed more prominently (either on the JED itself, or at least on the download section of their site rather than just the info section).
I suppose there could be valid reasons for wanting the specified info for service reasons. I still think that the author SHOULD add a confirmation with this and display the data that is being sent, but that isn't common.
I think the best thing that good component developers can do is to follow these practices of informing and using an opt-in type system for phone home features. This way, it might become the standard and people's expectations of components will include this philosophy.
Ian
Help test my Component XML Generator Tool!
http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1997/Itemid,35/
All feedback appreciated!
Re: AuctionFun scary install code
P.S. I respect the decisions of the Extensions directory team and trust they are working hard and are making decisions in the best interest of the Joomla! community.
Ian.
P.S. Lorenzo - thanks for your work and keep it up! It is appreciated by many!
Help test my Component XML Generator Tool!
http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1997/Itemid,35/
All feedback appreciated!
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Mar 12, 2007 3:09 pm
- Location: Portugal - Coimbra
- Contact:
AuctionFun for Joomla! (1.0.4) spyware
I recently tried out AuctionFun for Joomla! (1.0.4). As it wouldn't run and reviews also pointed to serious problems, I visited its website. Here I also found a lot of problems with it. Being fluent in both PHP and xajax I had a look at the code and stumbled upon this in install.auctionfun.php:
Code:
// this is for service purposes only, no use will be made from this address, nor will it be sold, hired etc...
$recipient="[email protected]";
$body = "$mosConfig_live_site";
$body .= "\n<br />address = ".$_SERVER['SERVER_ADDR'];
$body .= "\n<br />name = ".$_SERVER['SERVER_NAME'];
$body .= "\n<br />doc_root = ".$_SERVER['DOCUMENT_ROOT'];
$n=mosMail($my->email, $my->username, $recipient, "AuctionFun install", $body, 1, $mosConfig_mailfrom);
// please do not remove these lines, thank you!
Effectively this means it reports home its complete location and account information, being your username and email address. This information is sent to [email protected].
As this action is nowhere announced, this makes this module spyware to me. I found it important to put this up on the forum as it is a good example of why Joomla sends out its warning message before installing a component.
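The thread's point is that the behaviour was only discovered by reading the installer. The following is an added example, not code from AuctionFun or from Joomla: a small static scanner that flags the pattern quoted above (an install-time mail or network call whose payload is built from $_SERVER, $mosConfig_* and $my-> values) and also flags eval/base64_decode-style obfuscation, since "encrypted" extensions hide the same thing from a casual read. The two embedded PHP samples are constructed for the demonstration; the recipient address `support@example.com` is a placeholder, because the copy of the code in this thread shows the real address redacted. It is a line-oriented heuristic, not a PHP parser.

```python
"""Static scan of a PHP install script for install-time "phone home" code.

Added example for this forum thread; not AuctionFun or Joomla code.
"""
import re
from dataclasses import dataclass, field

# Functions that move data off the box. mosMail is Joomla 1.0's mail wrapper
# (the one used in the quoted installer); the rest are generic PHP transports.
SEND_FUNCS = ("mosMail", "mail", "fsockopen", "curl_init", "curl_exec",
              "file_get_contents", "fopen", "stream_socket_client")
# Calls that usually mean the real payload is hidden from a casual read.
OBFUSCATION_FUNCS = ("eval", "base64_decode", "gzinflate", "gzuncompress",
                     "str_rot13", "create_function")

SERVER_KEY_RE = re.compile(r"\$_SERVER\[\s*['\"]([A-Za-z_]+)['\"]\s*\]")
IDENTITY_RE = re.compile(r"\$my->(\w+)")          # logged-in user object
CONFIG_RE = re.compile(r"\$mosConfig_(\w+)")      # Joomla 1.0 global config
EMAIL_RE = re.compile(r"['\"]([\w.+-]+@[\w-]+(?:\.[\w-]+)+)['\"]")
URL_RE = re.compile(r"['\"](https?://[^'\"\s]+)['\"]")
# Strip '//' comments but keep the '//' inside 'http://' literals.
LINE_COMMENT_RE = re.compile(r"(?<!:)//.*$")


@dataclass
class Finding:
    transports: list = field(default_factory=list)   # (function, line)
    recipients: list = field(default_factory=list)   # e-mail or URL literals
    server_keys: list = field(default_factory=list)  # $_SERVER keys read
    identity: list = field(default_factory=list)     # $my-> fields read
    config: list = field(default_factory=list)       # $mosConfig_* globals read
    obfuscation: list = field(default_factory=list)  # (function, line)

    def phones_home(self) -> bool:
        """A transport call plus something worth sending: destination, host or identity data."""
        return bool(self.transports and
                    (self.recipients or self.server_keys or self.identity))

    def is_obfuscated(self) -> bool:
        return bool(self.obfuscation)


def _calls(line: str, names) -> list:
    """Return (name, column) for each call of one of `names` on this line, left to right."""
    hits = []
    for name in names:
        for m in re.finditer(rf"\b{re.escape(name)}\s*\(", line):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def _add_unique(seq: list, items) -> None:
    for item in items:
        if item not in seq:
            seq.append(item)


def scan_php(source: str) -> Finding:
    f = Finding()
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = LINE_COMMENT_RE.sub("", raw)
        f.transports += [(n, lineno) for n, _ in _calls(line, SEND_FUNCS)]
        f.obfuscation += [(n, lineno) for n, _ in _calls(line, OBFUSCATION_FUNCS)]
        _add_unique(f.recipients, EMAIL_RE.findall(line) + URL_RE.findall(line))
        _add_unique(f.server_keys, SERVER_KEY_RE.findall(line))
        _add_unique(f.identity, IDENTITY_RE.findall(line))
        _add_unique(f.config, CONFIG_RE.findall(line))
    return f


def report(f: Finding) -> str:
    out = [f"phones home: {f.phones_home()}  obfuscated: {f.is_obfuscated()}"]
    out += [f"  transport {n}() at line {ln}" for n, ln in f.transports]
    if f.recipients:
        out.append("  sent to: " + ", ".join(f.recipients))
    leaked = (f.server_keys + [f"my->{k}" for k in f.identity]
              + [f"mosConfig_{k}" for k in f.config])
    if leaked:
        out.append("  data read: " + ", ".join(leaked))
    out += [f"  obfuscation {n}() at line {ln}" for n, ln in f.obfuscation]
    return "\n".join(out)


# Constructed sample modelled on the installer quoted in this thread;
# the recipient address is a placeholder (the thread's copy is redacted).
SAMPLE_INSTALL_PHP = r'''<?php
// this is for service purposes only, no use will be made from this address
$recipient = "support@example.com";
$body  = "$mosConfig_live_site";
$body .= "\n<br />address = ".$_SERVER['SERVER_ADDR'];
$body .= "\n<br />name = ".$_SERVER['SERVER_NAME'];
$body .= "\n<br />doc_root = ".$_SERVER['DOCUMENT_ROOT'];
$n = mosMail($my->email, $my->username, $recipient, "AuctionFun install", $body, 1, $mosConfig_mailfrom);
// please do not remove these lines, thank you!
'''

# Constructed sample of the "encrypted" style: nothing readable to scan until it runs.
OBFUSCATED_PHP = r'''<?php
$p = "ZWNobyAnaGknOw==";
eval(base64_decode($p));
'''

if __name__ == "__main__":
    print(report(scan_php(SAMPLE_INSTALL_PHP)))
    print(report(scan_php(OBFUSCATED_PHP)))
```

Run it over every `install.*.php` and `*.xml`-referenced script in an extension archive before installing. A hit on the first sample shows exactly what the thread found by hand: one mosMail() call, a hard-coded recipient, three $_SERVER keys, and the installing user's email and username. The second sample produces no transport hit at all, only the obfuscation flags, which is the reason readable and "encrypted" extensions deserve different treatment.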
Re: AuctionFun for Joomla! (1.0.4) spyware
Thank you for posting this warning i abhor this type of call home feature.
Re: AuctionFun for Joomla! (1.0.4) spyware
Moving to extensions directory forum.
Antonie de Wilde - Forum admin
- LorenzoG
- Member of the Month!
- Posts: 879
- Joined: Fri Aug 19, 2005 8:46 am
- Location: Stockholm, Sweden
Re: AuctionFun scary install code (Merged)
Mod Note: Merged the thread "Auction scary install code" and "AuctionFun for Joomla (1.0.4) spyware" since the discussion and the thread subjects are identical.
Joomla! Extensions Directory - http://extensions.joomla.org
Keep an eye out for the Swedish Joomla association that is being formed.
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Mar 12, 2007 3:09 pm
- Location: Portugal - Coimbra
- Contact:
Re: AuctionFun scary install code (Merged)
Please be aware that the message I received with a notification on this does not point to a valid URL. I had to use the search function to find my posting again; here's the message's content:
Code:
A topic you are watching has been moved to another board by Tonie.
View the topic at: http://forum.joomla.org/index.php?topic=155799.new;topicseen#new
Unsubscribe to this topic by clicking here: http://forum.joomla.org/index.php?action=notify;topic=155799.0
Regards,
The Joomla! Community Forum Team.
Regarding the solution to the install code problem I pointed out: this practice is quite common in the *nix community, but the software that uses it always asks the user's permission before sending feedback home. IMHO this is the only decent behaviour. Currently several legislators are busy creating new laws that will eventually put an end to the practice of retrieving information that can be regarded as private without prior consent.
- LorenzoG
- Member of the Month!
- Posts: 879
- Joined: Fri Aug 19, 2005 8:46 am
- Location: Stockholm, Sweden
Re: AuctionFun scary install code (Merged)
Sorry about it nyarnon. It's my fault, since I merged your thread with an already existing thread and that made the URL reference disappear. I'm happy that you found your post again and that we can continue to discuss the subject.
Joomla! Extensions Directory - http://extensions.joomla.org
Keep an eye out for the Swedish Joomla association that is being formed.
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Mar 12, 2007 3:09 pm
- Location: Portugal - Coimbra
- Contact:
Re: AuctionFun scary install code (Merged)
No sweat, save that for the sauna :-)
Re: AuctionFun scary install code (Merged)
Hello All,
The AuctionFun component "calling home" was first introduced when I had a LOT of people complaining about "Files not found" in the Ajax module. Since I only use this Ajax code and did not create it myself, I had to find a way to get more information about the users' environment.
In some cases this has helped the installation and the user. In all other cases this information is discarded and NO USE is made of this information.
The only way (for me) to get the correct information is in the install part of the program.
This behaviour is clearly stated on the site and is by no means made secret. This is no spyware behaviour and I repeat NO use is made of this information unless the user has problems and contacts me about it.
Future versions, if any, will/may ask the user to send this information or not.
Henk von Pickartz, aka Boswachter
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Mar 12, 2007 3:09 pm
- Location: Portugal - Coimbra
- Contact:
Re: AuctionFun scary install code (Merged)
Hoi Boswachter,
Normal ethical behaviour would be a debug mode that a user could invoke on request. As it is now it's pretty stealthy for most users, which is not good for you as much as for them. Just add a radio button in the setup to enable this behaviour. Then it's a clear user's choice, as it should be. Until then you can talk till this certain place freezes over, I will call it spyware.
Regards Nyarnon
Re: AuctionFun scary install code (Merged)
Ok, AuctionFun will be updated to comply with "your" scareware rules in a few days (Done, commented out the "scary" lines). No more comments will be necessary on this topic.
However (off topic!) what I find more scary is that I get this kind of emails after subscribing to THIS (Re: AuctionFun scary install code (Merged) ) thread :
Code:
A reply has been posted to a topic you are watching by urcoder.
View the reply at: http://forum.joomla.org/index.php?topic=149172.new;topicseen#new
Unsubscribe to this topic by clicking here: http://forum.joomla.org/index.php?action=notify;topic=*******
The text of the reply is shown below:
i found some good components and modules here www.joomlaaa.com may be other versions work with you thanks
More replies may be posted, but you won't receive any more notifications until you read the topic.
Regards,
The Joomla! Community Forum Team.
I see no post in this thread with this content, even more it is a simple invitation to get hosted... Without relationship to this thread.
Last edited by boswachter on Thu Jul 19, 2007 7:13 am, edited 1 time in total.
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Mar 12, 2007 3:09 pm
- Location: Portugal - Coimbra
- Contact:
Re: AuctionFun scary install code (Merged)
boswachter wrote:Ok, AuctionFun will be updated to comply with "your" scareware rules in a few days
Very good, boswachter. It benefits the program.
- ot2sen
- Joomla! Ace
- Posts: 1384
- Joined: Thu Aug 18, 2005 9:58 am
- Location: Hillerød - Denmark
- Contact:
Re: AuctionFun scary install code (Merged)
boswachter wrote:I see no post in this thread with this content, even more it is a simple invitation to get hosted... Without relationship to this thread.
Hi boswachter,
Posts containing spam/selfpromoting content/or not meeting the forum rules in general, will be removed. This unrelated post was therefore removed.