Subj : Top open source project Moq slammed for secretly collecting user To : All From : TechnologyDaily Date : Thu Aug 10 2023 19:00:03 Top open source project Moq slammed for secretly collecting user data Date: Thu, 10 Aug 2023 17:56:48 +0000 Description: Moq developer quietly slipped in obfuscated code which compromised the nature of the open-source software. FULL STORY ====================================================================== Popular open source (OS) project Moq just got updated to include a not-so-open-source addition in the form of a series of DLLs designed to collect hashes of user email addresses. The changes were first reported on by BleepingComputer , which notes that the project sees around 100,000 daily downloads on average, having amassed more than 476 million since its inception. From version 4.20.0, Moq started including SponsorLink, a project shipped as closed-source that takes away from one of Moqs key benefits - the fact that its an OS project. Moq bundles in a closed-source project One of Moqs owners, Daniel Cazzulino, noted by BleepingComputer to also be a maintainer of the SponsorLink project, quietly pushed the update earlier this month. While perfectly reasonable, the change went largely unannounced, and existing users committing themselves to the open-source project may not be aware without reading the small print. Read more > These are the best identity theft protection tools > The EUs Product Liability Directive could kill open source > Many open-source software components have worrying security risks The SponsorLink DLLs, which collect hashes of email addresses to send to SponsorLink's CDN, contain obfuscated code that goes against Moqs open-source principles. In the days that followed the update, GitHub became awash with criticism of the move, with many disgruntled users calling the update a GDPR breach. Others pointed out that an obfuscated package could potentially hide some activity from unaware users. One user called the move a moqery. In light of the backlash, Cazzulino has confirmed that the actual email is never sent when performing the sponsoring check, which can be verified by running Fiddler to see what kind of traffic is happening. Cazzulino continues: The email on your local machine is hashed with SHA256, then Base62-encoded. The resulting opaque string (which can never reveal the originating email) is the only thing used. Furthermore, suspending or uninstalling the app deletes all records associated with a users account. In a further update, version 4.20.2 looks to have reversed the change, though for many, the reputational damage could have been enough to put them off. Check out a list of our best business VPN services for extra privacy ====================================================================== Link to news story: https://www.techradar.com/pro/top-open-source-project-moq-slammed-for-secretly -collecting-user-data --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .