MTG Contains Software To Allow Admins (and others) To Read Your Private Messages

Discussion in 'News & Announcements' started by ChrisTurk, Mar 1, 2017.

  1. ChrisTurk

    ChrisTurk Administrator

    The title gives the general idea, but please read this entire post for important info on your past, current, & future account security on forums.

    It's important to know that I have absolutely no proof which admin regime installed this or who has access to read PMs. The addon allows any admin to grant access to pretty much any user, so really who knows. But the fact the add-on exists on the forum is a bad sign. I've debated on how/if I want to publicly post this for about 2 weeks now, because IMO it's a huge deal, but I strongly dislike the whole witch hunt thing that tends to happen in reaction to stuff like this. However, I think everyone's security far outweighs the negative discussion that this will likely bring, but please try to remain civil.

    The Software/Add-On
    The add-on they use to accomplish this is called Conversations Access by Waindigo (now operated by ThemeHouse). Essentially it allows any admin to assign read AND edit privileges for the private messages of any user account on the forum. There is also another add-on that allows them to search your private messages just like you'd search regular posts, though I'm unsure that is installed.

    That is its only function; there is absolutely no reason to install this without the intention of reading people's private messages. I feel like the name gives it away, but some people I've spoken to privately about it were confused, so who knows.

    Verification, how to see if TH or any XenForo forum is using this
    This add-on installs a small JavaScript file onto the server it is running on. It'll always be in the same place, so you can simply take any domain, add on the path to the script file, and if it displays the script code you know the add-on is installed and your PMs on that site are probably being read/monitored.

    www.mturkgrind.com/js/waindigo/convaccess/remove_user.js
    https://turkerhub.com/js/waindigo/convaccess/remove_user.js

    You'll notice that on MTG it pops up w/ a bunch of code beginning with "!function(d,e,f,g)", on TurkerHub it simply says "Not Found" or some other 404 error.

    You can do this on pretty much any other forum you use that runs on XenForo software by replacing "otherForum" in the below link w/ wherever you usually peruse:
    otherForum.com/js/waindigo/convaccess/remove_user.js



    The Why
    Frankly, I don't know. Since I don't know who installed it, or why, I can't say with certainty. I have now read dozens of threads on why admins choose to install this kind of thing and I disagree with every avenue of "logic" I've seen. This is my opinion (and how TH will treat private messages):

    There is zero reason for any admin to be reading people's PRIVATE messages without 1) a court order 2) being party to the conversation (this kind of goes without saying lol) 3) a massive disclaimer on the website stating they're doing it and a really good explanation of why (because I can't think of one myself).

    As the sole administrator of this website I, and probably any employee at DO, have access to the DB records associated with this website. This is generally the case for anyone running a website you use to communicate on. That means that I do have access to your data, but that doesn't mean I go around installing add-ons so I can easily snake my way through it. The closest I've come to the PM data in the DB is scrolling past the tables, and AFAIK the data is split into multiple places to make reading through it difficult, maybe impossible, but I haven't and will not look to confirm - I just know there are a bunch of tables labeled as convos. I have not, and will not, give access to those portions of the DB to anyone else (mods included, sorry homies). DB accounts created for things like the Daily HITs Log are heavily restricted in which portions of the database they are allowed to read (and none of them are given write access). All of that is to say that I take my privacy and security seriously, and I do my absolute best to take care of y'all the same way.

    That's my view on this. Maybe there is some "good" reason for this add-on to be installed, I guess you could argue it could be used to prevent folks cheating qual tests and/or buying/selling accounts, but again, why not put up a disclaimer that states this? Frankly it makes absolutely no sense to covertly install this add-on with no prior warning / acknowledgement of what it's for. Even those explanations are, IMO, unacceptable reasons to install something like this. But now you know and can take care of yourselves in the future.

    Unfortunately in the case of MTG what damage is done is done, this is mostly so you can be aware and prevent joining communities who use this kind of crap in the future & secure any data you may have shared back there (and ffs, stop going there to PM, I see lots of people still doing this! haha). If you've shared private data on MTG or other sites with this please take the time to secure it.

    Archived MTG link in case it is removed at some point.
     
    • Useful / Informative x 14
    • Love x 1
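
Added example, not part of the original post or of the add-on's code: the check described in the first post, written as a Python function that classifies the HTTP response for the script path. The path and the `!function(d,e,f,g)` prefix are the ones quoted in the post; the function names, result labels and sample responses are constructed here. A match shows that the add-on's files are on the server, not that the add-on is currently enabled.

```python
import urllib.error
import urllib.request

# Path and script prefix are the ones quoted in the first post.
ADDON_PATH = "/js/waindigo/convaccess/remove_user.js"
SCRIPT_PREFIX = "!function(d,e,f,g)"


def classify(status, content_type, body):
    """Return 'files-present', 'absent' or 'inconclusive' for one response."""
    text = body.lstrip("\ufeff \t\r\n")
    if status in (404, 410):
        return "absent"
    if status != 200:
        return "inconclusive"  # 403, 5xx, challenge pages: no evidence either way
    if text.startswith(SCRIPT_PREFIX):
        return "files-present"  # files on disk; add-on may still be disabled
    if "html" in content_type.lower() or text.startswith("<"):
        return "absent"  # "soft 404": HTML error page served with status 200
    return "inconclusive"  # 200 with an unrecognised body


def check_forum(base_url, timeout=10):
    """Fetch ADDON_PATH from a forum's base URL and classify the response."""
    url = base_url.rstrip("/") + ADDON_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            ctype = resp.headers.get("Content-Type", "")
            return classify(resp.status, ctype, body)
    except urllib.error.HTTPError as err:
        ctype = (err.headers or {}).get("Content-Type", "")
        return classify(err.code, ctype, "")
    except OSError:  # DNS failure, refused connection, timeout
        return "inconclusive"


# Constructed sample responses (status, Content-Type, body), not real captures.
SAMPLES = {
    "script served": (200, "application/javascript", "!function(d,e,f,g){}"),
    "plain 404": (404, "text/html", "Not Found"),
    "soft 404": (200, "text/html; charset=utf-8", "<html>Page not found</html>"),
    "blocked": (403, "text/html", "<html>Forbidden</html>"),
}


def classify_samples():
    return {name: classify(*resp) for name, resp in SAMPLES.items()}
```
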
  2. Jagdpanzer

    Jagdpanzer Well-Known Member

    Okay @ChrisTurk

    The work thread is way too chaotic to address this so I am doing it here. Is there a way to delete these messages? I was on the site a couple days ago after the Cloudflare data breach post and I could find no way to extract myself and my info from that site. Is there a way to delete/remove our accounts?

    Also, feel free to just bow out as this has the potential of becoming a huge time sink for you.
     
  3. ChrisTurk

    ChrisTurk Administrator

    Nope, everything there is permanently there pretty much. Unless whoever currently controls the site comes back and offers to delete the data for you. Not even the old mods can do anything, unfortunately.
     
  4. Jagdpanzer

    Jagdpanzer Well-Known Member


    Thanks for confirming what I thought I knew. :ay:
     
    • Like x 1
  5. jdzane

    jdzane Well-Known Member

    Is there any way that you know of to just delete our accounts at MTG? With all the sketchy stuff going on there, I just want to be done with it, but I can't seem to find a way to close my account. Do I have to contact the Russian in charge?

    edit: nvm, refreshing before posting is important, I see I'm screwed. I'll still try contacting them and asking them to delete my account.
     
  6. ChrisTurk

    ChrisTurk Administrator

    Yeah pretty much everything at MTG is stuck at MTG. It's more so people know for the future (and God bless if you actually shared something you need to secure over there). I also always see people still PM'ing there whenever I get tagged for MTG Alum flair here lol.

    I know I sent people scripts & stuff that I wouldn't have had I known at the time. Plus all the shit I talked about Stanley in various PMs :emoji_joy::emoji_joy:
     
  7. jdzane

    jdzane Well-Known Member

    They've got my personal email in one pm and a link to my Facebook in another. I sent the email, maybe he won't be a douchebag and will respond. Also, I love how my plan was to call him a douche, but my phone automatically changed it to douchebag lol

    Sent from my Pixel using Tapatalk
     
  8. Laura

    Laura Well-Known Member

    I kind of assumed that they had installed the add-on. I have found in the forum world that many large sites that use XenForo use it and do not notify their members until a more savvy user points it out. I also assumed that you would not be the type to install it, and respect that you were willing to tell the members that this type of stuff does exist and is an option. #integrity.
     
  9. ChrisTurk

    ChrisTurk Administrator

    I consider myself pretty tech savvy, and had no clue this was a thing during my time on MTG :dunno:. I didn't find it until becoming an admin here after sifting through tons and tons of add-ons. Actually, if it hadn't been a featured topic of discussion on a forum-for-forum-owners (..confusing) I'd probably have never noticed it.

    Curious, have you ever seen a forum encrypt their PMs? I'd like to do that here so the possibility of anyone w/ DB access reading them is gone but I can't find a good resource on doing it. There is a resource for vBulletin to do it but I can't find one for XF when I google'd it. The only XF topic on it is utterly useless.
     
  10. Laura

    Laura Well-Known Member


    Oh no. I am technologically challenged. I just have no life. Haha. Not really funny because I am not joking. When my fiance took a job where he was home 4 days a month and I was left with 3 kids and no friends I used the internet to socialize. Forum splits are pretty common when one group doesn't agree and suddenly people reveal the dirty little secrets that exist.
     
    • Like x 1
    • LOL x 1
  11. Jagdpanzer

    Jagdpanzer Well-Known Member

    @ChrisTurk

    So my technician troubleshooting / problem solving / find out how this works mode has been engaged..

    Are all of these crawler robots that scan the forum everyday able to retrieve the content of our PM and put it into their search engines? :dunno:
     
  12. ChrisTurk

    ChrisTurk Administrator

    I can say pretty confidently: no.

    You'd have to make massive changes to the way XF works for that to ever be possible.. and even then I think w/o the search engine's cooperation it'd still be impossible.

    The only way this even makes sense to do is if you were taking PMs and reposting them to public parts of the forum for the robots to peruse. There's just no way for an unauth'd visitor to get to that part of the XF software, and AFAIK there is no way to cooperate w/ Google (et al) crawlers in order to auth them anyway.

    ^ Semi-simplified, but accurate as per my understanding of the software / internet in general.
     
    • Useful / Informative x 1
  13. RicanGuy86

    RicanGuy86 Well-Known Member

  14. aveline

    aveline New Member

    MTC actually doesn't currently have that addon installed. We did at one point because there was a very special situation that required it (no, we weren't snooping on any legit members), but it has since been uninstalled. Some files still exist on the server, even though it's been completely removed from our control panel.
     
    • Useful / Informative x 2
  15. RicanGuy86

    RicanGuy86 Well-Known Member

    Thanks for the clarification!
     
    • Like x 1
  16. Melting Glacier

    Melting Glacier PE: $30.01 - That's over $1.25/hour! ┬┴┤( ͡° ͜ʖ├┬┴

    Kinda piggybacking off this post to address what mods can and can't do over there.

    Essentially, all we can do is hide posts from the public view (guests, members). It's called 'deleting' but it's not like the post gets removed from the forum's master database. Db is solely controlled by the admin. Hiding posts from public view is still possible, but won't accomplish much. Mods/admins can still view a deleted post easily. If a member here has a post or two on MTG that they wish to be hidden, like pictures, you can come to me with a link to the post. However, wiping out an entire member's post history would take hours of painstakingly opening each post and 'deleting' so I can't really help ya there, lol.

    One strange thing that I noticed is that over at MTG, private messages in my inbox allowed me to edit the sender's messages. That doesn't exist here for the mod team (and shouldn't, imo). I'm not sure if it's related to the addon, but it's possible.
     
    • Useful / Informative x 2