Topic on Extension talk:ULogin

Severe privacy concern

2
NiccoloR (talkcontribs)

I was asking myself how can this extension provide its services in just 4 kb of code. In the past I used the Facebook extension, which requires you to register to Facebook developers and to get an API key, this one surprisingly instead "just works" out-of-the-box.

I made some investigation, it turned out that this extension actually does use a remote service, hosted on the ulogin.ru host. So if you use this extension, your MediaWiki visitors will give the rights to look at their (e.g.) Facebook profiles to ulogin.ru, not to the MediaWiki installation. Beside that, the browser of the MediaWiki user will download and execute some javascript code from ulogin.ru. Moreover, the extension does not work if ulogin.ru service is down or unavailable.

It is not fair that documentation does not state this privacy implication clearly: for me this is a sufficient motivation to consider this code malicius, to be removed promptly. The users which used this service, should go into theri Facebook settings, App, and remove the uLogin access.

UksusoFF (talkcontribs)
Reply to "Severe privacy concern"