Darknet - The Darkside

Don't Learn to HACK - Hack to LEARN. That's our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

18 August 2014 | 4,164 views

Passera – Generate A Unique Strong Password For Every Website


We’ve discussed password storage/generation solutions quite often, especially in the news stories about hacks and plain text password leaks. Here’s a tool for the more paranoid who don’t want to store their passwords locally or in the cloud.

Passera is a simple tool written in Go that allows users to generate a unique strong password for each website, without the need to store them either locally or with an online service.


Passera turns any entered text into a strong password up to 64 characters long and copies it to clipboard. Figure out a decent system for yourself that will allow unique passphrases for every website, such as combining website name/url with a phrase that you would not forget. To log in, fire up Passera and enter the password you chose and your real password will be copied to the clipboard.


This software is for privacy-aware people that understand the need to have strong unique passwords for each website, yet don’t want to use any password managing software or services. Relying on password managing software means trusting your passwords to be kept safe by a third-party company, or trusting them to a single file on your disk.

Passwords created with Passera are extremely difficult to bruteforce and impossible to revert back to the original regardless of attacker’s knowledge of the source code. If one of your passwords is compromised after an attack on you or a web service, all your other passwords are safe with you.

To make it somewhat more conspicuous, when you start Passera it copies a random password to clipboard. The real password is then only stored in clipboard for 10 seconds, before being overwritten by another random string.
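One way a stateless generator of this kind can work, as an added example (it is not Passera's code or algorithm): the function name, the salt label, the PBKDF2 work factor and the 94-symbol alphabet are all assumptions made for illustration.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MAX_LEN = 64            # upper bound stated in the description above
ITERATIONS = 100_000    # assumed PBKDF2 work factor, not taken from Passera
SALT_LABEL = b"stateless-demo-v1\x00"  # hypothetical domain-separation label


def derive_password(site, phrase, length=MAX_LEN):
    """Deterministically derive a site password from (site, phrase).

    Nothing is stored: the same inputs always give the same output, and the
    slow, one-way key derivation is what makes guessing the phrase from a
    leaked password expensive.
    """
    if not site or not phrase:
        raise ValueError("site and phrase must be non-empty")
    if not 1 <= length <= MAX_LEN:
        raise ValueError("length must be between 1 and %d" % MAX_LEN)

    # The site name acts as the salt, so one phrase yields unrelated
    # passwords on different sites.
    salt = SALT_LABEL + site.strip().lower().encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha512", phrase.encode("utf-8"), salt, ITERATIONS)

    # Map bytes to symbols with rejection sampling: bytes >= 188 are dropped
    # so every symbol is equally likely (no modulo bias).
    limit = 256 - 256 % len(ALPHABET)
    want = 4 * length
    while True:
        stream = hashlib.shake_256(key).digest(want)
        chars = [ALPHABET[b % len(ALPHABET)] for b in stream if b < limit]
        if len(chars) >= length:
            return "".join(chars[:length])
        want *= 2  # extremely unlikely; ask the XOF for a longer stream


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    print(derive_password("example.com", "correct horse battery staple"))
```

Because nothing is stored, changing the password for a single site means changing the phrase used for that site.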

You can download Passera here:

Linux
Mac OSX
Windows

Or read more here.



15 August 2014 | 2,658 views

Hiding A Bitcoin Mining Botnet In The Cloud

This is a pretty interesting story, and an interesting use (or mis-use) of cloud resources. We’ve covered similar stuff before like the case when Yahoo! was Spreading Bitcoin Mining Botnet Malware Via Ads, and then more recently when the Pirated ‘Watch Dogs’ Game Made A Bitcoin Mining Botnet.


But this time it’s not malware based: a pair of researchers realised they could automate the sign-up to multiple cloud providers and leverage the free tier/free trial/freemium accounts to mine cryptocurrency (in this case Litecoin).

Hackers have long used malware to enslave armies of unwitting PCs, but security researchers Rob Ragan and Oscar Salazar had a different thought: Why steal computing resources from innocent victims when there’s so much free processing power out there for the taking?

At the Black Hat conference in Las Vegas next month Ragan and Salazar plan to reveal how they built a botnet using only free trials and freemium accounts on online application-hosting services—the kind coders use for development and testing to avoid having to buy their own servers and storage. The hacker duo used an automated process to generate unique email addresses and sign up for those free accounts en masse, assembling a cloud-based botnet of around a thousand computers.

That online zombie horde was capable of launching coordinated cyberattacks, cracking passwords, or mining hundreds of dollars a day worth of cryptocurrency. And by assembling that botnet from cloud accounts rather than hijacked computers, Ragan and Salazar believe their creation may have even been legal.

“We essentially built a supercomputer for free,” says Ragan, who along with Salazar works as a researcher for the security consultancy Bishop Fox. “We’re definitely going to see more malicious activity coming out of these services.”

Companies like Google, Heroku, Cloud Foundry, CloudBees, and many more offer developers the ability to host their applications on servers in faraway data centers, often reselling computing resources owned by companies like Amazon and Rackspace. Ragan and Salazar tested the account creation process for more than 150 of those services. Only a third of them required any credentials beyond an email address—additional information like a credit card, phone number, or filling out a captcha. Choosing among the easy two-thirds, they targeted about 15 services that let them sign up for a free account or a free trial. The researchers won’t name those vulnerable services, to avoid helping malicious hackers follow in their footsteps. “A lot of these companies are startups trying to get as many users as quickly as possible,” says Salazar. “They’re not really thinking about defending against these kinds of attacks.”

Other than mining Cryptocoins this distributed super computer could easily be used for other (more nefarious) purposes such as password cracking, DDoSing or doing any other large scale parallel task.

Mining Litecoins is a low hanging fruit though, low technical barrier and instant money – you don’t have to deal with other people in terms of renting out a DDoSing botnet etc. All you have to deal with is an exchange, and withdrawing your money.

Also $1750 a week isn’t bad money!

Ragan and Salazar created their automated rapid-fire signup and confirmation process with the email service Mandrill and their own program running on Google App Engine. A service called FreeDNS.afraid.org let them create unlimited email addresses on different domains; to create realistic-looking addresses they used variations on actual addresses that they found dumped online after past data breaches. Then they used Python Fabric, a tool that lets developers manage multiple Python scripts, to control the hundreds of computers over which they had taken possession.

One of their first experiments with their new cloud-based botnet was mining the cryptocurrency Litecoin. (That second-most-used cryptocoin is better suited to the cloud computers’ CPUs than Bitcoin, which is most easily mined with GPU chips.) They found that they could produce about 25 cents per account per day based on Litecoin’s exchange rates at the time. Putting their entire botnet behind that effort would have generated $1,750 a week. “And it’s all on someone else’s electricity bill,” says Ragan.

Ragan and Salazar were wary of doing real damage by hogging the services’ electricity or processing, however, so they turned off their mining operation in a matter of hours. For testing, however, they left a small number of mining programs running for two weeks. None were ever detected or shut down.

Aside from Litecoin mining, the researchers say they could have used their cloudbots for more malicious ends—like distributed password-cracking, click fraud, or denial of service attacks that flood target websites with junk traffic. Because the cloud services offer far more networking bandwidth than the average home computer possesses, they say their botnet could have funneled about 20,000 PCs-worth of attack traffic at any given target. Ragan and Salazar weren’t able to actually measure the size of their attack, however, because none of their test targets were able to stay online long enough for an accurate reading. “We’re still looking for volunteers,” Ragan jokes.

More disturbing yet, Ragan and Salazar say targets would find it especially tough to filter out an attack launched from reputable cloud services. “Imagine a distributed denial-of-service attack where the incoming IP addresses are all from Google and Amazon,” says Ragan. “That becomes a challenge. You can’t blacklist that whole IP range.”

I’m guessing after this a whole bunch of cloud providers might be adding additional security layers to their services to discourage this type of automated sign-up and botnet building activity, but then again a lot of the newer ones are concentrating on user growth – so adding barriers isn’t in their best interest.

We shall keep an eye on this and see if anyone else manages to take it any further.

Source: Wired


13 August 2014 | 3,706 views

ParanoiDF – PDF Analysis & Password Cracking Tool

ParanoiDF is a PDF Analysis Suite based on PeePDF by Jose Miguel Esparza. The tools/features that have been added are – Password cracking, redaction recovery, DRM removal, malicious JavaScript extraction, and more.


We have posted about a few PDF related tools before, including the one this tool is based on:

peepdf – Analyze & Modify PDF Files
PDFResurrect v0.9 Released – PDF Analysis and Scrubbing Utility
Origami – Parse, Analyze & Forge PDF Documents

Features

These are only the newly added features, not the original peepdf features which can be found here.

  • crackpw – This executes Nacho Barrientos Arias’s PDFCrack tool by performing an OS call. The command allows the user to input a custom dictionary, perform a benchmark or continue from a saved state file. If no custom dictionary is input, this command will attempt to brute force a password using a modifiable charset text file in directory “ParanoiDF/pdfcrack”.
  • decrypt – This uses an OS call to Jay Berkenbilt’s “QPDF” which decrypts the PDF document and outputs the decrypted file. This requires the user-password.
  • encrypt – Encrypts an input PDF document with any password you specify. Uses 128-bit RC4 encryption.
  • embedf – Create a blank PDF document with an embedded file. This is for research purposes to show how files can be embedded in PDFs. This command imports Didier Stevens Make-pdf-embedded.py script as a module.
  • embedjs – Similar to “embedf”, but embeds custom JavaScript file inside a new blank PDF document. If no custom JavaScript file is input, a default app.alert messagebox is embedded.
  • extractJS – This attempts to extract any embedded JavaScript in a PDF document. It does this by importing Blake Hartstein’s Jsunpackn’s “pdf.py” JavaScript tool as a module, then executing it on the file.
  • redact – Generate a list of words that will fit inside a redaction box in a PDF document. The words (with a custom sentence) can then be parsed in a grammar parser and a custom amount can be displayed depending on their score. This command requires a tutorial to use. Please read “redactTutorial.pdf” in directory “ParanoiDF/docs”.
  • removeDRM – Remove DRM (editing, copying etc.) restrictions from PDF document and output to a new file. This does not need the owner-password and there is a possibility the document will lose some formatting. This command works by calling Kovid Goyal’s Calibre’s “ebook-convert” tool.

You can download ParanoiDF here:

master.zip

Or read more here.


11 August 2014 | 2,666 views

XML Quadratic Blowup Attack Blows Up WordPress & Drupal

This was a pretty interesting piece of news for me last week as I was actually affected by it (I think?). It’s an XML Quadratic Blowup Attack that affects both WordPress and Drupal and is quite serious as rather than just crashing the software, it can take down the whole server.

It didn’t completely take down my server, but it did make it crash every time you loaded the page once, after a reboot it was ok. I also read about this shortly after, and quickly upgraded the WordPress version.


It didn’t actually affect any of my personal sites, as by default I block any access to the XML-RPC library as I find it has been the weak link in WordPress many times. You can try here – xmlrpc.php.

Nir Goldshlager, a security researcher from Salesforce.com’s product security team, has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.

The vulnerability uses a well-known XML Quadratic Blowup Attack — and when executed, it can take down an entire website or server almost instantly. This is a big deal because WordPress and Drupal are used by millions of websites. The latest statistics from W3Techs shows WordPress alone powers nearly 23% of the web.

The XML vulnerability Goldshlager discovered affects WordPress versions 3.5 to 3.9 (the current version) and works on the default installation. It affects Drupal versions 6.x to 7.x (the latest version) and also works on the default installation. The good news is that both WordPress and Drupal have released patches for their applications. Users and web hosts simply need to upgrade to the latest version to protect against the vulnerability.

When the vulnerability is exploited, the results can basically render a website or web server unusable. The vulnerability can cause 100% CPU and RAM usage, cause the server to become unavailable and also create a Denial of Service attack on the MySQL database program. In other words, your website and web server can become totally inaccessible.

Fortunately this was disclosed responsibly by Nir Goldshlager, so it didn’t take down half of the Internet. The patched versions of both WordPress and Drupal were out before the news hit, and with the newer branch of WordPress small patches like this are easily automatically applied.

It’s quite a simple attack, but could potentially be extremely disruptive – I would think it most likely exists in other CMS systems too, but it could be limited to only these two as they do share the same XML-RPC library.

I believe the changes related to this vulnerability can be found here – Changeset 29404.

This vulnerability uses what is called an XML Quadratic Blowup Attack. This type of attack is similar to a Billion Laughs attack, which can allow a very small XML document to totally disrupt the services on a machine in a matter of seconds.

The Quadratic Blowup Attack is similar; however, instead of using nested entities inside an XML document, it just repeats one large entity with tens of thousands of characters over and over again.

With this type of attack, an XML document that might be a few hundred kilobytes in size can end up requiring hundreds of megabytes or even gigabytes of memory. That will easily bring down an entire website or web server.

“If an attacker defines the entity “&x;” as 55,000 characters long, and refers to that entity 55,000 times inside the “DoS” element, the parser ends up with an XML Quadratic Blowup attack payload slightly over 200 KB in size that expands to 2.5 GB when parsed. This expansion is enough to take down the parsing process.”

This is the PoC:

Simple but very effective.
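A defensive pre-parse check for the expansion described above, as an added example (not code from WordPress, Drupal or the original post): it sizes the expanded document arithmetically, without expanding anything, and also covers the nested Billion Laughs shape. The function names, budgets and sample documents are assumptions, and the regex scan only sees internal general entities.

```python
import re

# Internal general entity declarations: <!ENTITY name "value">.
# Parameter entities and external (SYSTEM/PUBLIC) entities are out of scope.
ENTITY_DECL = re.compile(r"<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+([\"'])(.*?)\2\s*>", re.S)
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character


def estimate_expansion(doc):
    """Return the character count the document would reach after entity
    expansion, computed without building the expanded text."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(doc):
        decls.setdefault(name, value)  # XML keeps the first declaration of a name

    sizes = {}

    def size(name, active):
        if name in PREDEFINED:
            return 1
        if name not in decls:
            return len(name) + 2  # undeclared: count the reference text itself
        if name in active:
            raise ValueError("recursive entity reference: " + name)
        if name not in sizes:
            value = decls[name]
            total = len(value)
            for ref in ENTITY_REF.finditer(value):
                total += size(ref.group(1), active | {name}) - len(ref.group(0))
            sizes[name] = total
        return sizes[name]

    body = ENTITY_DECL.sub("", doc)  # references outside the declarations
    total = len(body)
    for ref in ENTITY_REF.finditer(body):
        total += size(ref.group(1), frozenset()) - len(ref.group(0))
    return total


def within_budget(doc, max_chars=10_000_000, max_ratio=10):
    """Accept only documents whose expanded size stays under an absolute cap
    and under max_ratio times the size actually received (assumed budgets)."""
    try:
        expanded = estimate_expansion(doc)
    except (ValueError, RecursionError):
        return False  # cyclic or absurdly deep entity chains are rejected
    return expanded <= max_chars and expanded <= max_ratio * max(len(doc), 1)


# Constructed samples (not captured traffic). QUADRATIC is a scaled-down
# version of the shape quoted above (55,000 characters x 55,000 references):
# here one 200-character entity is referenced 200 times.
QUADRATIC = ('<?xml version="1.0"?>\n<!DOCTYPE DoS [\n<!ENTITY x "' + "A" * 200 +
             '">\n]>\n<DoS>' + "&x;" * 200 + "</DoS>\n")
NESTED = ('<?xml version="1.0"?>\n<!DOCTYPE r [\n<!ENTITY a "' + "A" * 50 + '">\n'
          '<!ENTITY b "' + "&a;" * 10 + '">\n<!ENTITY c "' + "&b;" * 10 + '">\n]>\n'
          "<r>&c;</r>\n")
CYCLIC = '<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'
BENIGN = ('<?xml version="1.0"?>\n<methodCall><methodName>demo.sayHello</methodName>'
          "<params><param><value>Tom &amp; Ann</value></param></params></methodCall>\n")

if __name__ == "__main__":
    for label, doc in [("quadratic", QUADRATIC), ("nested", NESTED),
                       ("cyclic", CYCLIC), ("benign", BENIGN)]:
        print(label, len(doc), "accept" if within_budget(doc) else "reject")
```

A check like this belongs in front of the parser as a cheap filter; the parser's own entity limits still need to be set, since the scan does not see external DTDs.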

Source: Mashable


06 August 2014 | 2,557 views

HoneyDrive 3 Released – The Premier Honeypot Bundle Distro

A new version of HoneyDrive, HoneyDrive 3, has been released, codenamed Royal Jelly. Honeypots in a box is a great concept if you want to deploy a honeypot quickly without too much hassle.


HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.

Features

  • Virtual appliance based on Xubuntu 12.04.4 LTS Desktop.
  • Distributed as a single OVA file, ready to be imported.
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
  • Kippo SSH honeypot, plus Kippo-Graph, Kippo-Malware, Kippo2MySQL and other helpful scripts.
  • Dionaea malware honeypot, plus DionaeaFR and other helpful scripts.
  • Amun malware honeypot, plus helpful scripts.
  • Glastopf web honeypot, along with Wordpot WordPress honeypot.
  • Conpot SCADA/ICS honeypot.
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator and INetSim.
  • Thug and PhoneyC honeyclients for client-side attacks analysis, along with Maltrieve malware collector.
  • ELK stack: ElasticSearch, Logstash, Kibana for log analysis and visualization.
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, Recon-ng, ClamAV, ettercap, MASTIFF, Automater, UPX, pdftk, Flasm, Yara, Viper, pdf-parser, Pyew, Radare2, dex2jar and more.
  • Firefox add-ons pre-installed, plus extra helpful software such as GParted, Terminator, Adminer, VYM, Xpdf and more.

You can download HoneyDrive 3 here:

HoneyDrive_3_Royal_Jelly.ova

Or read more here.


04 August 2014 | 3,439 views

Windows Registry Infecting Malware Has NO Files

This is a pretty interesting use of the Windows Registry and reminds me a little of the transient drive-by malware used last year against Internet Explorer that left no files either – Another IE 0-Day Hole Found & Used By In-Memory Drive By Attacks.

The main difference being, that wasn’t persistent and as it lived in RAM, it wouldn’t survive a reboot. This time, it’s based in the Registry (which technically is stored on the file system) – so it does survive a reboot and is pretty well hidden.


The malware itself is stored in the registry in a non-ASCII key (to hide it from autostart) and an encoded entry that can’t be properly read by Regedit.

Researchers have detailed a rare form of malware that maintains infection on machines and steals data without installing files.

The malware resides in the computer registry only and is therefore not easy to detect.

Its code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary.

“All activities are stored in the registry. No file is ever created,” Rascagneres said in a post. “So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.

“To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer’s email inbox.”

Windows Regedit cannot read or open the non-ASCII key entry. Rascagneres said the feature set was akin to a Matryoshka Doll due to its subsequent and continual ‘stacked’ execution of code.

The researcher doing this work is pretty well known for tearing down blackhat/malware networks, you can follow him (Paul Rascagneres) on Twitter here, and should (he’s interesting): @r00tbsd.

It’ll be interesting to see if any even smarter variations are spawned from this, or if Microsoft does anything to stop it from working (although they rarely do anything related to malware unless it’s using an actual exploited vulnerability).

The non-ASCII trick is a tool Microsoft uses to hide its source code from being copied, but the feature was later cracked.

Security kit can alternatively detect the software exploit, or as a final step monitor the registry for unusual behaviour, he said.

Malware geeks on the KernelMode.info forum last month analysed one sample which exploited the flaws explained in CVE-2012-0158 that affected Microsoft products including Office.

Deviants distributed the malware under the guise of Canada Post and UPS emails purportedly carrying tracking information.

“This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful,” Rascagneres said.

Rascagneres has made a name ripping malware and bots to uncover and undermine black hat operations. He won last year’s Pwnie Award at Black Hat Las Vegas for tearing through the infrastructure of Chinese hacker group APT1.

The malware is technically pretty smart (and well obfuscated) as it has layers of execution: the initial code executed is JScript code, which then runs a PowerShell script, which finally executes shellcode.

You can read the original post here: Poweliks: the persistent malware without a file

The irony? This encoding technique was originally made by Microsoft themselves, to protect source code from being changed/tampered with.

Source: The Register


30 July 2014 | 3,139 views

XSSYA – Cross Site Scripting (XSS) Scanner Tool

XSSYA is a Cross Site Scripting scanner and vulnerability confirmation tool written in Python. Its first method is a request/response check: it sends an encoded payload, intended to bypass Web Application Firewalls (WAF). If the website/app responds 200, it attempts “Method 2”, which searches the page's HTML code for the decoded payload. If that is confirmed, the last step is to execute document.cookie to get the cookie.


XSSYA Features

  • Supports HTTPS
  • After Confirmation (execute payload to get cookies)
  • Can be run in Windows & Linux
  • Identifies 3 types of WAF (mod_security, WebKnight & F5 BIG IP)
  • XSSYA Continue Library of Encoded Payloads To Bypass WAF (Web Application Firewall)
  • Support Saving The Web HTML Code Before Executing the Payload Viewing the Web HTML Code into the Screen or Terminal

We have written about a couple of XSS related tools before:

XSS-Proxy – Cross Site Scripting Attack Tool
XSS Shell v0.3.9 – Cross Site Scripting Backdoor Tool

You can download XSSYA here:

xssya.py

Or read more here.


28 July 2014 | 2,256 views

Microsoft China Offices Raided By Government

There has been a lot of back and forth between the US government and China when it comes to cyber-terrorism or cyber-espionage, with valuable secrets being sought out by both sides for political and commercial purposes. And if you’ve watched any movies lately you’ll know the ‘China Hackers’ are almost super human.


This time the Chinese government has targeted Microsoft China across all 4 regional offices as a part of a currently unnamed, unknown investigation.

A Microsoft spokesperson has confirmed its four offices in China have been raided as part of a surprise investigation by government officials most likely related to US-Chinese cyber tensions.

Both the US and Chinese governments have been engaging in tit-for-tat claims of cyberespionage, particularly when it comes to corporate affairs, and now China is looking to investigate one of the US’s largest tech companies to determine whether it is working with the US government to spy on its citizens and companies.

According to Reuters, the four Chinese offices Microsoft operates are in Beijing, Shanghai, Guangzhou and Chengdu. Tensions appeared to have eased somewhat when Microsoft announced last April it was about to begin selling the Xbox One gaming console in China, the first US gaming console allowed to be sold in the country in more than a decade.

Microsoft is obviously being very PR about the whole thing, and most analysts felt the situation was fairly good since the announcement that the Xbox One will be sold in China.

So really, a console can solve political tension and US-China digital conflict? Why didn’t we know that earlier!

The Microsoft spokesperson admitted the inspection was a surprise and did not go into the specifics of why it had been instigated.

“We aim to build products that deliver the features, security and reliability customers expect and we’re happy to answer the government’s questions.”

Despite its progress with the Xbox One, the Chinese government last May has increased its weariness of the Windows operating system, having requested that all of its central government offices must not use Windows 8 on new computers.

I’m not sure if any more news of this will come out, as these things tend to be fairly rapidly brushed under the carpet. But we shall keep an eye out and see if the Chinese government really have their heart set on disrupting Microsoft China.

Source: Silicon Republic


25 July 2014 | 4,037 views

Gauntlt – Security Testing Framework For Developers & Ops

Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes.


To use gauntlt, you will need one or more attack files. An attack file is a plain text file written with Gherkin syntax and named with the .attack extension. For more info on the Gherkin syntax, have a look at Cucumber. A gauntlt attack file is almost the same as a cucumber feature file. The main difference is that gauntlt aims to provide the user with predefined steps geared towards security and durability testing so that you do not have to write your own step definitions, whereas cucumber is aimed at developers and stakeholders building features from end to end. Gauntlt and cucumber can and do work together harmoniously.

Example attack file:

Features

  • Gauntlt attacks are written in an easy-to-read language
  • Easily hooks into your org’s testing tools and processes
  • Security tool adapters come with gauntlt
  • Uses unix standard error and standard out to pass status

Tools Supported

You will need to install each tool yourself before you can use it with gauntlt. However, if you try to use a tool that is not installed or that gauntlt cannot find, you will get a helpful error message from gauntlt with information on how to install and/or configure the tool for use with gauntlt.

The authors also include a generic attack adapter that allows you to run anything on the command line, parse its output and check its exit status.

You can download Gauntlt here (using the starter kit):

Pre-requisites

  • Virtual Box
  • Vagrant

Or read more here.


23 July 2014 | 3,803 views

Clear Your Cookies? You Can’t Escape Canvas Fingerprinting

So tracking is getting even trickier, it seems canvas fingerprinting would work in any browser that supports HTML5 and is pretty hard to stop as a user, as it’s a basic feature (a website instructing your browser to draw an image using canvas).

And it turns out, every single browser will draw the image slightly differently, so they can track you regardless of your cookie/privacy settings by asking your browser to redraw the image then I assume quickly scanning a database of image checksums for a match.


It wouldn’t exactly tie to your identity (unless you did it on a site that requires/supports login) but it would tie your usage together across sites, especially any sites using AddThis (which I could never stand).

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

The type of tracking, called canvas fingerprinting, works by instructing the visitor’s web browser to draw a hidden image, and was first documented in an upcoming paper by researchers at Princeton University and KU Leuven University in Belgium. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles or other types of content are displayed to them.

But fingerprints are unusually hard to block: They can’t be prevented by using standard web browser privacy settings or using anti-tracking tools

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5% of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is here).

A lot of sites use AddThis, so a lot of users are being tracked, the article/research states 5% of the top 100,000 websites. So at least 5000 high traffic sites are capturing user data in this rather underhanded way.

I can foresee a lot of people removing AddThis from their sites if this news gets any kind of traction.

You can find a list of the sites with the fingerprinting code here – Sites with canvas fingerprinting scripts

Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.

“We’re looking for a cookie alternative,” Harris said in an interview.

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used, is “not the best privacy assurance.”

It’s all pretty shady, but honestly we have to assume people are doing this type of stuff because one of the most valuable things you can create from the Internet is user data. Especially usage/consumption patterns, even if it doesn’t tie to specific humans – the data itself is very valuable to people making marketing decisions based on it.

Plus whatever AddThis is doing isn’t regulated in any way, so they can say they are gonna stop/change but just continue on anyway. If you wear a Tinfoil hat, you are probably already using Tor Browser anyway – so good for you.

The full paper is also available here – The Web Never Forgets [PDF]

Source: Mashable