Top open source project Moq criticized for secretly collecting user data

The popular open source (OS) project Moq has just been updated with a not-so-open source addition in the form of a set of DLLs designed to collect hashes of users’ email addresses.

The changes were first reported by BleepingComputer, which noted that the project receives an average of about 100,000 daily downloads, with more than 476 million since its inception.

Starting with version 4.20.0, Moq began including SponsorLink, a component that ships closed-source and so takes away one of Moq’s main advantages: the fact that it is an OS project.

Moq bundles in a closed-source project

One of the owners of Moq, Daniel Cazzulino, who BleepingComputer noted is also a maintainer of the SponsorLink project, quietly pushed through the update earlier this month. While perfectly reasonable, the change went largely unannounced, and existing users committed to the open-source project may not have been aware of it without reading the fine print.

The SponsorLink DLLs, which collect email address hashes to send to SponsorLink’s CDN, contain obfuscated code that violates Moq’s open source principles.

In the days following the update, GitHub was flooded with criticism of the move, with many disgruntled users calling the update a GDPR breach. Others pointed out that an obscured package could potentially hide certain activities from unwitting users. One user called the move a “moqery.”

In the face of the backlash, Cazzulino has confirmed that “the actual email is never sent when running the sponsorship check,” which can be verified by “running Fiddler to see what kind of traffic is going on.”

Cazzulino continues: “The email on your local computer is hashed using SHA256 and then Base62 encoded. The resulting opaque string (which can never reveal the original email) is all that is used.”

In addition, suspending or deleting the app deletes all records associated with a user’s account.

In a subsequent update, version 4.20.2 appears to have reverted the change, although for many the reputational damage could be enough to put them off.
