thomaspark / snowball

A WordPress plugin for making immersive longform articles
https://snowball.openhtml.org/
GNU General Public License v2.0

Stop logging #231

Closed. jstcki closed this issue 5 years ago.

jstcki commented 7 years ago

To my shock I noticed that your plugin's admin interface is phoning home whatever I put in, including my blog's URL, my username etc. This is extremely irresponsible and an invasion of privacy.

Also, your Parse API keys are hard-coded in your code, so anyone can access your complete log data.

The responsible code is https://github.com/thomaspark/snowball/blob/master/scripts/snowball-admin.js#L696-L756

I strongly suggest you stop doing this and that you delete your database. 😡

thomaspark commented 7 years ago

Hi @herrstucki, thanks for posting.

Snowball is a research project and we're upfront that we collect data about how people use Snowball in order to understand how people write code for the web and how we can improve the plugin for them. This is explained on the plugin homepage: https://wordpress.org/plugins/snowball/faq/

To reiterate, we only collect metadata on Snowball usage, such as the types of the blocks that are used, as well as information used to understand the number of unique organizations and users relying on Snowball. We do not collect any data on the actual content of the posts.

With that said, we'll likely be wrapping up data collection and removing this feature in a near release. I'll keep this issue open and let you know as soon as that happens.

jstcki commented 7 years ago

Thanks for your reply. I disagree that putting this at the bottom of a FAQ is "upfront". You neither mention it in this repo, in your blog post nor on your project site. I discovered the logging purely by accident.

I wouldn't mind if a) this were an opt-in option for your users, and b) you did it in a way which didn't allow random people reading through your source code to access (and edit) the whole database.
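The two points raised in this thread, usage data sent from the admin page and Parse keys readable by anyone who opens the script, are exactly what a plugin audit should catch before install. The following is an added example, not code from the Snowball project: a small Python triage script that scans a plugin's JavaScript for embedded Parse credentials (the `Parse.initialize(...)` call and the `X-Parse-*` request headers) and for request URLs whose host is not the site's own. The snippet it scans is constructed to mirror the pattern described above; the key values, hostnames and variable names in it are placeholders, not anything taken from the real `scripts/snowball-admin.js`.

```python
"""Static triage of a WordPress plugin's admin JavaScript for embedded
third-party credentials and phone-home endpoints.

Added example for this issue thread, not Snowball's own code. The snippet
scanned at the bottom is constructed to mirror the pattern the issue
describes; it is not the real scripts/snowball-admin.js."""
import re
from urllib.parse import urlparse

# Credential carriers of the Parse JS SDK and REST API. Whatever a browser
# bundle contains, every visitor who reads the source holds as well.
INITIALIZE_RE = re.compile(
    r'Parse\.initialize\(\s*["\']([^"\']+)["\']\s*,\s*["\']([^"\']+)["\']')
HEADER_RE = re.compile(
    r'["\']?(X-Parse-(?:Application-Id|Javascript-Key|Client-Key'
    r'|REST-API-Key|Master-Key))["\']?\s*:\s*["\']([^"\']+)["\']', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>()]+')


def scan_bundle(js_source, first_party_hosts):
    """Report embedded Parse credentials and the hosts the script talks to.

    first_party_hosts: hostnames the site itself serves; any other host a
    request is built against counts as a phone-home destination.
    Returns {"credentials": [(line, carrier, value)], "external_hosts": set,
             "severity": str}.
    """
    creds, hosts = [], set()
    for lineno, line in enumerate(js_source.splitlines(), 1):
        m = INITIALIZE_RE.search(line)
        if m:  # Parse.initialize(applicationId, javascriptKey)
            creds.append((lineno, "Parse.initialize:applicationId", m.group(1)))
            creds.append((lineno, "Parse.initialize:javascriptKey", m.group(2)))
        for m in HEADER_RE.finditer(line):
            creds.append((lineno, m.group(1), m.group(2)))
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and host not in first_party_hosts:
                hosts.add(host)

    # The master key bypasses ACLs and class-level permissions outright; any
    # other key grants whatever the app's class-level permissions allow, which
    # in this issue was reported to be read and edit of the whole log database.
    if any(c[1].lower() == "x-parse-master-key" for c in creds):
        severity = "critical"
    elif creds:
        severity = "high"
    elif hosts:
        severity = "medium"  # telemetry without keys is still a data flow to review
    else:
        severity = "none"
    return {"credentials": creds, "external_hosts": hosts, "severity": severity}


# Constructed sample: the shape of a client-side logger with embedded keys.
# Key values, hostnames and the adminState object are placeholders.
SAMPLE_JS = """\
var siteInfo = { url: window.location.origin, user: adminState.currentUser };
Parse.initialize("APPID-PLACEHOLDER", "JSKEY-PLACEHOLDER");
Parse.serverURL = "https://parse.example.org/1";
function logEvent(payload) {
  jQuery.ajax({
    type: "POST",
    url: "https://parse.example.org/1/classes/Log",
    headers: {
      "X-Parse-Application-Id": "APPID-PLACEHOLDER",
      "X-Parse-REST-API-Key": "RESTKEY-PLACEHOLDER"
    },
    data: JSON.stringify(Object.assign({}, siteInfo, payload))
  });
}
jQuery.post("https://blog.example.test/wp-admin/admin-ajax.php", { action: "save" });
"""


def format_report(report):
    """Human-readable summary, one line per finding."""
    lines = [f"severity: {report['severity']}"]
    for lineno, carrier, value in report["credentials"]:
        lines.append(f"line {lineno}: {carrier} = {value!r}")
    for host in sorted(report["external_hosts"]):
        lines.append(f"external host: {host}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(scan_bundle(SAMPLE_JS, {"blog.example.test"})))
```

Run it against a plugin's `js/` directory by reading each file into `scan_bundle` with the blog's own hostname as the first-party set. Any credential finding means the key is already public, so the remedy is rotation plus moving the call server-side behind an opt-in, not merely deleting the line; the external-host list is the set of destinations to compare against what the plugin's documentation admits to.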

thomaspark commented 7 years ago

Thanks for your patience. Will look into removing this with the next release.

jstcki commented 5 years ago

2.5 years later, you still haven't removed this "feature" but rather modified it again: https://github.com/thomaspark/snowball/commit/4c0ad241cd25f432692057f82a60dffdb8d90a35

And as before, all content you're logging is still publicly available: http://129.25.8.18:3030/tasks

Also, contrary to what you stated before, you are collecting actual content and user data, not just anonymous block type info.

thomaspark commented 5 years ago

Hi @herrstucki, thanks for the reminder. We've removed the logger and are pushing the update in v0.4.20.