Scorecard Research Survey (NSFW) - Ed. Wordpress hacked?

[Renegade]

<rant>

THOSE FUCKING DOUCHES!

I just ranted about my crappy Mac DVD drive, and then these douches (Scorecard Research) drop a survey on the site (http://kewlaid.net). It's hosted at Wordpress, so I'm pretty pissed with them as well.

Enraged that they'd put their crap on a site that I pay for, I had to use their contact form:

You dropped a survey into my site at http://kewlaid.net.

What the fuck makes you think that it's fucking ok to put your shit on MY FUCKING SITE THAT I FUCKING PAY FOR~!

I expect a fucking response.

Seriously. Isn't this criminal?

This is what they fucking did:

Scorecard Research Survey (NSFW) - Ed. Wordpress hacked?

Pissed. Very pissed.

</rant>

EDIT: Changed subject

[Renegade]

<rant>

I felt the overwhelming need to contact Wordpress as well...

I did:
I posted on my domain at http://kewlaid.net where I have paid for no ads.

I saw:
Scorecard Research posted a survey on MY SITE on MY DOMAIN.

I expected:
I expected that having paid for no fucking ads, that there would be no fucking ads.

I am fucking pissed. How the fuck do you think it is ok to post fucking ads and shit on MY FUCKING DOMAIN when I pay for NO FUCKING ADS?

YOU ARE POSTING ARBITRARY CODE THAT IS NOT A PART OF WORDPRESS ON MY SITE.

Normally this would be considered hacking or theft of services. It is at the very minimum spam. It is clearly using my domain and services that I have paid for to spam people, and sure as hell looks like criminal theft of services.

I have posted here with a screenshot of the Scorecard Research survey:

https://www.donation...ex.php?topic=24965.0

I'm not going to tell anyone about my online usage, but I'm sure as fuck going to ask why someone is polluting my site with spam!

</rant>

[Renegade]

<unrant>

Well, I got a response from Wordpress, and I'm satisfied that they're not slipping in crap. Still ticked at ScorecardResearch though.

</unrant>

[cyberdiva]

So what did Wordpress say?  And how DID ScorecardResearch put its garbage on your site?

[Renegade]

So what did Wordpress say?  And how DID ScorecardResearch put its garbage on your site?

-cyberdiva (December 21, 2010, 09:18 AM)

This was the WP response I got:

Hi,

I assure you, there are no ads on your blog.

I took a look at the screenshot you posted, and there is definitely cause for concern.

We are not affiliated with ScoreCardResearch in any way, but what you're seeing is a common bit of tracking malware that you may have picked up from any site.

I recommend clearing your cache and cookies immediately and running an anti-virus scan on your computer.

http://www.google.co...=en&answer=32050

Regards,

James | Happiness Engineer | WordPress.com and IntenseDebate

I ran 2 complete scans that turned up nothing, so I don't really know how it got there.

I DID install a few games though from a post in another thread. I'd never seen it before then, so it might be related. Not sure.

[app103]

I don't believe your computer is infected with anything, and this is why...

This is very clearly at the very bottom of your page code:

[Select]

<script type="text/javascript" src="http://b.scorecardresearch.com/beacon.js"></script><script type="text/javascript">try{COMSCORE.beacon({c1:2,c2:7518284});}catch(e){}</script><noscript><p class="robots-nocontent"><img src="http://b.scorecardresearch.com/p?cj=1c1=2&c2=7518284" alt="" style="display:none" width="1" height="1" /></p></noscript><script src="http://s.stats.wordpress.com/w.js?19" type="text/javascript"></script>
<script type="text/javascript">
st_go({'blog':'17744093','v':'wpcom','user_id':'0','post':'0','subd':'drinkthekewlaid'});
ex_go({'crypt':'RDZ8LFkxbXFNLFlqbmNuOUklLytJVjAuaD9Xa1RJL2tfLixtbVZqSlprY3Byem0yVVBQJWtna1ZTZ1ZdalMuTFQmNjJ1ckYrbVVKcE1zVklXS0VobDg2cXQtR0Q4L3JiOXBXLFA4MzFxXWdkQVRYd3xWYVJQVWpwZFdTSyslJjlsai01L25PaW40ZG5kRGx5cm50NVI9THE5b0NoSmFmWz9UfkZFaVVZUiU2QmUsNzUxc20yYkVXQm1oV0JCXUN+Q1lJQXpBMU9IKzFr'});
addLoadEvent(function(){linktracker_init('17744093',0);});
</script>

Wordpress does not allow users to insert javascript code into pages. The only javascript that should be in your page code should be either code that is part of Wordpress itself or code from widgets that they approve and make available to users.

In other words, unless this is some feature you selected from some menu, preapproved by Wordpress, then Wordpress had to have added it without you knowing, or Wordpress itself got hacked (not just your site) and someone has inserted it into their wordpress code that is being used on all sites they host.

[Renegade]

I don't believe your computer is infected with anything, and this is why...

This is very clearly at the very bottom of your page code:

[Select]

<script type="text/javascript" src="http://b.scorecardresearch.com/beacon.js"></script><script type="text/javascript">try{COMSCORE.beacon({c1:2,c2:7518284});}catch(e){}</script><noscript><p class="robots-nocontent"><img src="http://b.scorecardresearch.com/p?cj=1c1=2&c2=7518284" alt="" style="display:none" width="1" height="1" /></p></noscript><script src="http://s.stats.wordpress.com/w.js?19" type="text/javascript"></script>
<script type="text/javascript">
st_go({'blog':'17744093','v':'wpcom','user_id':'0','post':'0','subd':'drinkthekewlaid'});
ex_go({'crypt':'RDZ8LFkxbXFNLFlqbmNuOUklLytJVjAuaD9Xa1RJL2tfLixtbVZqSlprY3Byem0yVVBQJWtna1ZTZ1ZdalMuTFQmNjJ1ckYrbVVKcE1zVklXS0VobDg2cXQtR0Q4L3JiOXBXLFA4MzFxXWdkQVRYd3xWYVJQVWpwZFdTSyslJjlsai01L25PaW40ZG5kRGx5cm50NVI9THE5b0NoSmFmWz9UfkZFaVVZUiU2QmUsNzUxc20yYkVXQm1oV0JCXUN+Q1lJQXpBMU9IKzFr'});
addLoadEvent(function(){linktracker_init('17744093',0);});
</script>

Wordpress does not allow users to insert javascript code into pages. The only javascript that should be in your page code should be either code that is part of Wordpress itself or code from widgets that they approve and make available to users.

In other words, unless this is some feature you selected from some menu, preapproved by Wordpress, then Wordpress had to have added it without you knowing, or Wordpress itself got hacked (not just your site) and someone has inserted it into their wordpress code that is being used on all sites they host.

-app103 (December 21, 2010, 09:32 AM)

Very interesting. Thanks for that. I'll report it to them.

EDIT: Reported to Wordpress.

[app103]

Just took a quick look at a number of different blogs hosted at wordpress.com. They all have this code at the bottom of every page, including this rather famous blog.

[Renegade]

Just took a quick look at a number of different blogs hosted at wordpress.com. They all have this code at the bottom of every page, including this rather famous blog.

-app103 (December 21, 2010, 09:46 AM)

That simply stinks of WP being hacked. I can't see them being dirty as they have a good name.

[app103]

Just took a quick look at a number of different blogs hosted at wordpress.com. They all have this code at the bottom of every page, including this rather famous blog.

-app103 (December 21, 2010, 09:46 AM)

That simply stinks of WP being hacked. I can't see them being dirty as they have a good name.

-Renegade (December 21, 2010, 10:33 AM)

That's my thoughts, as well. I have contacted Lorelle, since her site is affected and if anyone can make WP take this issue seriously and investigate it, I know she can, pretty quickly.

[Bamse]

There is more than 1 3rd. party power here. http://support.mozil...-IE/questions/725177 so I would guess sharing or voting plugin is to blame. That problem was due to a Technorati script, see last post at link. Could be anything activated really. If you bought domain from Wordpress they have some cleaning up to do Their responsibility to check plugins.

[app103]

Just got a reply from Lorelle:

"Lorelle has contacted WordPress.com as requested details on this
issue and will get back to me. Until we hear directly from
WordPress.com, Lorelle has told me that she thinks this is just code
debugging and WordPress.com working with that service for surveys or
tracking, a non-offensive bit of code."

Edit: Lorelle contacted me again and was a bit upset that I quoted the text of her email and stated that I should have paraphrased her, instead. I promised I would change this post and I included the suggested paraphrase, quoted from her most recent email to me.

[Stoic Joker]

This was the WP response I got:

Hi,

...
Regards,

James | Happiness Engineer | WordPress.com and IntenseDebate

-Renegade (December 21, 2010, 09:23 AM)

So, I just gotta ask... WTF is a Happiness Engineer?!? Is his computer surrounded by brightly colored flowers and fluffy bunnies?

[Renegade]

Looks like this is "legal hacking"...

Got another response from Wordpress:

Hi,

You're absolutely right, I'm sorry about that!

We use comScore for internal analytics, and Scorecard Research appears to be one of their things.

At some point, probably very recently since you're the only one to have reported this so far, they changed their terms of service to allow themselves to "serve short surveys" to our users.

Fortunately, they have provided us with an opt-out, and we're currently in the process of doing just that.

We truly apologize for this inconvenience and thank you for reporting this to us!

James | Happiness Engineer | WordPress.com and IntenseDebate
 

Ahem... In short, Scorecard screwed Wordpress by changing their agreement. You know who does that? Darth Vader. That's who! What total douches...

[Renegade]

I checked and the code is gone. Looks like they've gotten rid of it.

[timns]

Looks like this is "legal hacking"...

Got another response from Wordpress:

Hi,

We truly apologize for this inconvenience and thank you for reporting this to us!

James | Happiness Engineer | WordPress.com and IntenseDebate
 

Ahem... In short, Scorecard screwed Wordpress by changing their agreement. You know who does that? Darth Vader. That's who! What total douches...

-Renegade (December 21, 2010, 08:06 PM)

If I were WordPress I would drop those mothers and warn the entire community away from them.

But then again, I'm not a Happiness Engineer. I'm a Bitter and Twisted Engineer.

[app103]

comScore is a known spyware company with a number of shady tracking products, among them browser plugins that present a security risk to the user, and scripts to track behaviors of your site visitors, not just across your site but other sites as well, with the data being sold to other companies. They are not new to the world of controversy, they don't always get the user's consent for tracking, and their privacy policy is not known to be too good. They have lobbied the anti-malware companies trying to get a new category of spyware to be recognized, calling it "researchware" in order to get their spyware products whitelisted. The anti-malware companies are not falling for it.

Information Week: Is ComScore Trafficking In Spyware?
SecurityFocus: comScore receives spyware allegations
Computer World: Sears/Kmart spyware scandal (and Falkirk Wheel)
Beta News: Sears found to be using spyware to track visitors
University of Maryland: Google to partner with researchware firm comScore
The Register: How ComScore can track your mouse clicks
ComScore Doesn't Always Get Consent

There are plenty more, but the ones from TechRepublic, Forbes, and the Washington Post won't load for me.

Just do a google search for "comScore spyware" if you want tons more reading material.

The fact that Wordpress would willingly team up with this shady company is disappointing, to say the least.

I checked and the code is gone. Looks like they've gotten rid of it.

-Renegade (December 21, 2010, 09:00 PM)

Glad to hear that, but keep your eyes on your page code from now on, any way.

[Bamse]

Post their screw up to Lorelle. If she screams may be higher powers tell the happy engineers to read and understand notes from 3rd party suppliers, like change of TOS.

[app103]

Post their screw up to Lorelle. If she screams may be higher powers tell the happy engineers to read and understand notes from 3rd party suppliers, like change of TOS.

-Bamse (December 21, 2010, 09:32 PM)

I did give her a link to this thread in my original email to her, inviting her input if she knows anything about this issue.

[app103]

A few related WOT links:

http://www.mywot.com....stats.wordpress.com
http://www.mywot.com...corecardresearch.com
http://www.mywot.com...corecardresearch.com

And SiteAdvisor:

http://www.siteadvis...research.com/msgpage
http://www.siteadvis...ordpress.com/msgpage

[Renegade]

This really is a textbook case in why "the cloud" is just a stupid idea in many ways.

I was softening on the issue, and using Wordpress was part of my experiment in getting things off of my own servers and into "the cloud". I just started using my Flickr account that I've had for years now.

But this really shows how all that is so widely open to abuse. It should be flat out illegal to include agreement terms that let a company change the agreement at any time. This is a perfect example. comScore/Scorecard Research changes their agreement and screws Wordpress along with all the Wordpress customers.

I really don't know if I want to use other services much when this kind of thing goes on. Still, I want to off-load things into the cloud more, but it just leaves a bad taste in my mouth.

The issue isn't about the actual services; it's about the legalese, privacy issues, and flat out abuse by unethical companies. Can I trust them? Apparently not.

I used to use Xoom many years ago, but the dotcom bust came along and it went under, and I lost everything I'd uploaded there, which was a significant amount of work. But with so many other "options" out there, companies can monetize with underhanded methods and save their necks if required.

There are just too many risks "in the cloud" for anything important.

[app103]

I checked and the code is gone. Looks like they've gotten rid of it.

-Renegade (December 21, 2010, 09:00 PM)

Nope, it's still there on your site as well as all other Wordpress.com blogs. They have not removed it at all.

[Renegade]

I checked and the code is gone. Looks like they've gotten rid of it.

-Renegade (December 21, 2010, 09:00 PM)

Nope, it's still there on your site as well as all other Wordpress.com blogs. They have not removed it at all.

-app103 (December 22, 2010, 01:49 AM)

Damn. You're right. They just moved the code up. I only checked the end where it was before. (Busy coding some imaging software right now and got lazy...)

[mouser]

Nice to watch you guys in action catching a bad guy, keep it up!

[Deozaan]

If it uses JavaScript, can't you code something up that erases the variables/object used by it? As I understand it, that's one of the major weaknesses of JS, there isn't a way to make objects/variables that can't be accessed by any other JS code on the site.