(Apr 20): Shareaholic 1.9.7 has the problematic tracking feature disabled by default.
I’ve been using Shareaholic for the last four months to share web content. This browser extension groups together almost all social networks and services and offers a comfortable unified sharing.
Today, while debugging a different browser extension, I fired up wireshark and started looking at my HTTP requests. Setting my browser to localhost I was surprised to see Firefox make two requests:
GET http://localhost/
GET http://dcs.consumerinput.com/fast-cgi/MI
?ver=3ss&userid=xxxx®istrar=shr&d=http%3A%2F%2Flocalhost%2F
This didn’t seem at all kosher. I suspected one of my Firefox addons was responsible for the extra request, and after turning off addon after addon – Shareaholic was the one to blame. To be 100% sure, I removed all of my social services from shareaholic, and it still made the suspicious request. The request ceased after disabling the addon.
Shareaholic claims to be 100% malware-free and even has a softpedia certificate for it. The certificate addresses version 1.9.5, while I have version 1.9.6.
A look at consumerinput.com reveals that it belongs to a company specializing in data collection. From their website:
What makes the Consumer Input Panel unique is that we utilize a small piece of software that resides on your PC which anonymously records your Internet browsing behavior. Your information gets merged with browsing histories of thousands of other consumers to help companies improve the way they do business.
Seems like I’ve been unwittingly contributing to this shady marketing firm for a while now (shareaholic 1.9.6 was released January).
It’s worth to note that as far as I can tell, the Shareaholic extension for Google Chrome doesn’t exhibit the same malicious behaviour.
I wouldn’t like to hurt Shareaholic’s reputation without being sure about this. Therefore, if you are a user of shareaholic on Firefox, I’d appreciate if you could confirm this behavior.
To test for yourself, get a Firefox extension called Tamper Data. Turn it on, browse to a website, and it should display all the HTTP requests being issued in a convenient manner. Turn Shareaholic on/off, restart Firefox, and see if there is a request for the consumerinput.com domain. You can post a comment here or tweet to @mshynar.
Read Jay Meattle’s comment on Hacker News.