I found this very thing out as a result of an email-based survey I'd sent to about 500 people. Here's a copy of the email I'd sent out to those affected:
* The “Web of Trust” plugin is highly likely to be sending your browsing history, after it reaches the Web of Trust servers, to advertising companies.
* It’s likely that they’re _not_ sending personal details, but simply the list of URLs that you visit. This includes “private” URLs such as what you received for the survey, but could also include things like the URLs you send when you share files via Dropbox, Hipchat, etc.
* If you’re not okay with this behaviour, I recommend you un-install the Web of Trust plugin.
* If you haven’t yet responded to my question of “do you have Web of Trust” installed, I’m still interested in hearing from you.
* Shortly after folk started to respond to the survey, by chance I noticed unusual requests hitting the web server. An hour or two after the flurry of requests that I’d consider normal, I saw another request to _just_ the main URL, all from the same IP address (18.104.22.168), and the same user agent (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25).
To me, this implies that the supposedly secret URLs were not very secret.
* The address 22.214.171.124 has a DNS entry "nat-service.aws.kontera.com". Kontera is an advertising company (remember those “in text” ads with the double underscore? Kontera was one of the players in that), which was bought by Amobee, a market research company. Amobee owns the kontera.com domains and is likely related to the above activity.
* From some research, I discovered that others have seen these requests too, all to private URLs, and that the plugin “Web of Trust” was implicated.
* I saw 15 of these requests. I contacted each of the 15 people and received 11 responses. 9 of the respondents were using the Web of Trust plugin.
* I don’t know what could explain the other 2. Certainly, Web of Trust can’t be the only company sending Kontera/Amobee data. Unfortunately attempts to replicate the issue for those two users have failed: it may be that Kontera have some kind of limit on how many URLs per domain they’ll probe per time period? I’d certainly want to do that if I wanted to stay under the radar, or thwart further analysis.
Given that 9/11 is far, far above the expected install base of Web of Trust, it is very likely that Web of Trust is indeed forwarding your browser history to at least one advertising company: Kontera/Amobee.
What you do with the sites you visit is up to you. But if you don’t approve of what the company behind the plugin is doing, I suggest you uninstall this plugin. Apart from the risk of “private URLs” becoming non-private, I don’t think there’s any further security risk.
I am disinclined to make a wide announcement about this, especially not on WoT’s forums. From research, the company readily squashes any criticism against it, and a small but vocal fraction of its users have embarked on attacks against any persons or sites that have raised concerns against WoT’s activity. In many ways, WoT has become an extortion engine, such as offering a paid-for “badge of trust” to remove bad ratings.
(Remember, this is the Internet: Take everything with a ten-tonne block of salt.)
I’ll be sending my analysis to some security-industry friends of mine.
Also, I have blocked that IP address from querying my server (at the web server level, so I will still see the request if it is made; it’ll just get back a “403 Forbidden” code every time), and also modified the survey page to only show first names. In the future I’ll make the URLs we distribute less shareable in some fashion, such as being “single use” or “locked to the first IP address that queries it”, or something similar. Having full-fledged accounts, with a username/password, is also a possibility.
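The two things the post describes can both be turned into code: spotting a supposedly private URL being fetched later by a client other than the one it was sent to, and the proposed mitigation of binding each token to the first IP that presents it (or making it single-use). The example below is added here and is not the poster's code. The `/survey/t/<token>` path scheme, the RFC 5737 addresses, and the log lines are constructed for illustration; the Safari user-agent string reused for the probing client is the one quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample in Apache/nginx "combined" format (not real traffic).
# 198.51.100.7 fetches two survey tokens well after their intended recipients did.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2015:09:00:01 +0000] "GET /survey/t/a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
192.0.2.10 - - [10/Mar/2015:09:00:03 +0000] "GET /survey/static/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
192.0.2.11 - - [10/Mar/2015:09:02:17 +0000] "GET /survey/t/d4e5f6 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/41.0"
198.51.100.7 - - [10/Mar/2015:10:31:40 +0000] "GET /survey/t/a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
198.51.100.7 - - [10/Mar/2015:10:45:02 +0000] "GET /survey/t/d4e5f6 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
192.0.2.12 - - [10/Mar/2015:11:00:00 +0000] "GET /survey/t/g7h8i9 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Hypothetical scheme for the per-recipient "private" URLs.
PRIVATE_PATH_RE = re.compile(r"^/survey/t/[A-Za-z0-9]+$")


def find_leaked_tokens(log_text, private_path_re=PRIVATE_PATH_RE):
    """Return one event per later fetch of a private URL by an IP other than its first visitor.

    The first client to request a token is assumed to be the intended recipient; any
    different IP requesting the same token afterwards is treated as a probe of a leaked URL.
    """
    hits = defaultdict(list)  # path -> [(timestamp, ip, user-agent)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not private_path_re.match(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["path"]].append((ts, m["ip"], m["ua"]))

    events = []
    for path, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        first_ts, first_ip, _ = rows[0]
        for ts, ip, ua in rows[1:]:
            if ip != first_ip:
                events.append({
                    "path": path,
                    "first_ip": first_ip,
                    "probe_ip": ip,
                    "probe_ua": ua,
                    "delay_s": int((ts - first_ts).total_seconds()),
                })
    return events


def count_by_prober(events):
    """Distinct private URLs fetched per probing IP; one IP hitting many tokens is the signal."""
    counts = defaultdict(set)
    for e in events:
        counts[e["probe_ip"]].add(e["path"])
    return {ip: len(paths) for ip, paths in counts.items()}


class TokenRegistry:
    """Server-side state for the mitigation the post proposes.

    A token is bound to the first client IP that presents it; other IPs are refused.
    With single_use=True the token is additionally accepted only once.
    """

    def __init__(self, single_use=False):
        self.single_use = single_use
        self.bound = {}   # token -> first client IP
        self.used = set()

    def authorize(self, token, client_ip):
        if self.single_use and token in self.used:
            return False
        first_ip = self.bound.setdefault(token, client_ip)
        if first_ip != client_ip:
            return False
        self.used.add(token)
        return True


if __name__ == "__main__":
    for e in find_leaked_tokens(SAMPLE_LOG):
        print(f"{e['path']} sent to {e['first_ip']}, refetched by {e['probe_ip']} after {e['delay_s']}s")
    print(count_by_prober(find_leaked_tokens(SAMPLE_LOG)))
```

Run over a real access log, the grouping by token does the work the poster did by hand: the legitimate recipient shows up once, and a single unrelated address fetching many different tokens an hour or two later stands out in `count_by_prober`. The `TokenRegistry` check would sit in the survey handler before it renders anything; note that the first-IP binding also refuses a legitimate recipient whose address changes (mobile to Wi-Fi, for example), which is the usability cost the post's "or something similar" is weighing.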