WordPress plugin alert - Thousands of sites could expose users to adware
An update for the popular Simple Share Buttons plugin for WordPress allows the plugin's maker to use its social media buttons to anonymously track users and serve targeted ads on third-party sites. The update comes after social media tool maker ShareThis acquired the company that makes the plugin in June. As a result, Simple Share Buttons now falls under ShareThis’ privacy policy.

ShareThis is straightforward in its privacy policy about how it gathers and uses information. Although the company’s data collection practices leave much to be desired, it isn’t misleading anyone.

Of greater concern is the means by which Simple Share Buttons asks users to accept the new terms and conditions. A message appears prominently at the top of the WordPress editor page promising “great new features.” The message includes links to ShareThis’ privacy policy and terms of use, but there is no option to decline them. Without even the option to close the message, it continues to nag users until they either agree or remove the plugin altogether.

Whether it was the intent of ShareThis or not, the nature of the update coerces users into making a decision that sacrifices the privacy of readers. With over 100,000 active installs according to WordPress.org, the popular plugin is used by everyone from casual bloggers and small businesses to large publishers. Even if just a fraction of these users blindly hit the accept button in order to make the message disappear, that would lead to thousands of websites exposing visitors to adware and other threats.

In a WordPress.org forum thread, the company responded by saying that users would be able to close the service message in the next update.

“Version 6.2 brings new features, including analytics from Facebook and ShareThis. To enable analytics, non-personally identifiable browsing data is stored and aggregated, and also used for interest based targeting of ads elsewhere. This is similar to other popular analytics services, and is not spyware, and please read the privacy policy for more details at simplesharebuttons.com/privacy. Since you are updating from a previous version, these features are only activated if you click to accept the terms.”

The promise was made over two months ago when the new policy went into effect, but the service message still cannot be closed without either agreeing or removing the plugin. ShareThis senior director Nigel Tunnacliffe gave the following statement to Comparitech:

“We always appreciate feedback from our users, and we understand the inconvenience this update caused. It’s important to us that we ensure that the new privacy policy only applies to those who have accepted it. The next update, which will be available soon, will allow plugin users to close the notice without accepting the terms. I’ll let you know directly when that update is available.”

The old Simple Share Buttons website does not appear to include a privacy policy, only terms of use.

Downgrading and removing the nag message

Another forum thread on WordPress.org instructs users on how to downgrade the plugin to an earlier version. Additionally, users can install a separate plugin to block specific plugin updates, which can be used to prevent the nagging service message.

The older version 6.15 can also be found here. Simply remove the old plugin and install this one. When that’s done, install this plugin and check Simple Share Buttons and any other plugins for which you want to block updates.

Added permissions

So what information does the updated plugin gather if you click that update button? ShareThis’ privacy policy states the following:

“We may share non-aggregate, non-personally identifiable Usage Information, including audience segments, with third party advertisers and publishers to assist us and them in delivering relevant, targeted advertising that is aligned with user interests. For example, these companies may use such information (e.g., click stream information, browser type, time and date, subject of advertisements clicked or scrolled over) in order to provide advertisements about goods and services likely to be of greater interest to you. Your preferences collected through this process may be used to influence which types of marketing messages you receive across sites that we work with. While using the ShareThis Services, We may place third party advertisers’ and publishers’ cookies and pixels on their behalf regarding Usage Information.”

Additionally, the ShareThis terms of service note that the company may modify the terms at any time without notifying users. It is the responsibility of the users to review them regularly.