Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Craig Hale

Top open source project Moq slammed for secretly collecting user data

Open Source

Popular open source (OS) project Moq just got updated to include a not-so-open-source addition in the form of a series of DLLs designed to collect hashes of user email addresses.

The changes were first reported on by BleepingComputer, which notes that the project sees around 100,000 daily downloads on average, having amassed more than 476 million since its inception.

From version 4.20.0, Moq started including SponsorLink, a project shipped as closed-source that takes away from one of Moq’s key benefits - the fact that it’s an OS project.

Moq bundles in a closed-source project

One of Moq’s owners, Daniel Cazzulino, noted by BleepingComputer to also be a maintainer of the SponsorLink project, quietly pushed the update earlier this month. While perfectly reasonable, the change went largely unannounced, and existing users committing themselves to the open-source project may not be aware without reading the small print.

The SponsorLink DLLs, which collect hashes of email addresses to send to SponsorLink's CDN, contain obfuscated code that goes against Moq’s open-source principles.

In the days that followed the update, GitHub became awash with criticism of the move, with many disgruntled users calling the update a GDPR breach. Others pointed out that an obfuscated package could potentially hide some activity from unaware users. One user called the move a “moqery.”

In light of the backlash, Cazzulino has confirmed that “the actual email is never sent when performing the sponsoring check,” which can be verified by “running Fiddler to see what kind of traffic is happening.”

Cazzulino continues: “The email on your local machine is hashed with SHA256, then Base62-encoded. The resulting opaque string (which can never reveal the originating email) is the only thing used.”

Furthermore, suspending or uninstalling the app deletes all records associated with a user’s account.

In a further update, version 4.20.2 looks to have reversed the change, though for many, the reputational damage could have been enough to put them off.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.