Popular software changed to collect user info by new owners
The privacy of Nano Adblocker users has allegedly being compromised following the recent sale of the technology to new developers.
The adblocking software has been modified so that it collects the personal data of users, including IP addresses, sites visited, system config information, and much more.
Raymond Hill, developer of uBlock Origin, was among the first to flag up concerns about Nano when he published a technical post last week.
After examining the latest build of Nano Defender, Hill concluded that users should “uninstall now”.
“With those capabilities, it should be considered malware,” he added.
The controversial changes followed the recent sale of the technology by the previous developer, Hugo Xu (jspenguin2017). Xu said he sold the project after realizing he didn’t have enough spare time to develop the software properly and clear a mounting backlog.
A separate developer, LiCybora, is said to have control of the Firefox Nano extension, which is not currently subject to the same security risks.
Users of the native app or Chrome extension are, however, urged to switch to alternatives such as uBlock Origin.
Xu, the previous developer of the project, has distanced himself from the controversial changes in the software.
“The WebStore listings are no longer under my control,” he said in an update to the announcement of the sale on GitHub.
“I am not responsible for the actions of the new developer(s). If you feel concerned about the recent changes… please remember that you can uninstall the extensions and/or find alternatives at any time.”
Pi in the sky
Web security expert Troy Hunt, the researcher behind Have I Been Pwned?, urged privacy-conscious users to look for alternatives to ad blocking software.
“[This is] just one of the reasons I have a great distrust of ad blockers,” Hunt said in an update on Twitter. “They command enormous power within their position in the browser and there’s often pretty questionable behavior shown by the folks running them.”
Rather than relying on third-party software, web users would do better to filter out internet ads using technology from the Pi-hole project, according to Hunt.
Pi-hole is network-level ad and internet tracker blocker application that can be run on embedded devices, such as the Raspberry Pi or machines running Linux.
Other privacy watchers take different (perhaps wider) lessons from the Nano incident.
“Remember to audit your extensions frequently and remove any unused extensions,” writes blogger Resynth.
“In the case of Nano Defender, users were not notified before control of the extension was transferred to a third-party. That's not the right way to handle this.”