Top open source project Moq slammed for secretly collecting user data

Moq started collecting hashes of email addresses

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Popularopen source(OS) project Moq just got updated to include a not-so-open-source addition in the form of a series of DLLs designed to collect hashes of user email addresses.

The changes were first reported on byBleepingComputer, which notes that the project sees around 100,000 daily downloads on average, having amassed more than 476 million since its inception.

From version 4.20.0, Moq started including SponsorLink, a project shipped as closed-source that takes away from one of Moq’s key benefits - the fact that it’s an OS project.

Moq bundles in a closed-source project

One of Moq’s owners, Daniel Cazzulino, noted byBleepingComputerto also be a maintainer of the SponsorLink project, quietly pushed the update earlier this month. While perfectly reasonable, the change went largely unannounced, and existing users committing themselves to the open-source project may not be aware without reading the small print.

These are the best identity theft protection tools>The EU’s Product Liability Directive could kill open source>Many open-source software components have worrying security risks

The SponsorLink DLLs, which collect hashes of email addresses to send to SponsorLink’s CDN, contain obfuscated code that goes against Moq’s open-source principles.

In the days that followed the update, GitHub became awash with criticism of the move, with many disgruntled users calling the update a GDPR breach. Others pointed out that an obfuscated package could potentially hide some activity from unaware users. One user called the move a “moqery.”

In light of the backlash, Cazzulino has confirmed that “the actual email is never sent when performing the sponsoring check,” which can be verified by “running Fiddler to see what kind of traffic is happening.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Cazzulino continues: “The email on your local machine is hashed with SHA256, then Base62-encoded. The resulting opaque string (which can never reveal the originating email) is the only thing used.”

Furthermore, suspending or uninstalling the app deletes all records associated with a user’s account.

In a further update, version 4.20.2 looks to have reversed the change, though for many, the reputational damage could have been enough to put them off.

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

7 myths about email security everyone should stop believing

Another reason to avoid edge-lit 4K TVs: they may fail faster than others, according to this report