Popular open source (OS) project Moq just got updated to include a not-so-open-source addition in the form of a series of DLLs designed to collect hashes of user email addresses.
The changes were first reported on by BleepingComputer, which notes that the project sees around 100,000 daily downloads on average, having amassed more than 476 million since its inception.
From version 4.20.0, Moq started including SponsorLink, a project shipped as closed-source that takes away from one of Moq’s key benefits – the fact that it’s an OS project.
Moq bundles in a closed-source project
One of Moq’s owners, Daniel Cazzulino, noted by BleepingComputer to also be a maintainer of the SponsorLink project, quietly pushed the update earlier this month. While perfectly reasonable, the change went largely unannounced, and existing users committing themselves to the open-source project may not be aware without reading the small print.
The SponsorLink DLLs, which collect hashes of email addresses to send to SponsorLink’s CDN, contain obfuscated code that goes against Moq’s open-source principles.
In the days that followed the update, GitHub became awash with criticism of the move, with many disgruntled users calling the update a GDPR breach. Others pointed out that an obfuscated package could potentially hide some activity from unaware users. One user called the move a “moqery.”
In light of the backlash, Cazzulino has confirmed that “the actual email is never sent when performing the sponsoring check,” which can be verified by “running Fiddler to see what kind of traffic is happening.”
Cazzulino continues: “The email on your local machine is hashed with SHA256, then Base62-encoded. The resulting opaque string (which can never reveal the originating email) is the only thing used.”
Furthermore, suspending or uninstalling the app deletes all records associated with a user’s account.
In a further update, version 4.20.2 looks to have reversed the change, though for many, the reputational damage could have been enough to put them off.