404 to 301 Plugin Considered Harmful

It’s not a matter of looking into it… It’s in the TOS….

————
It turns out that this is not a hacked site. It is content that is injected by a plugin called 404 to 301 plugin which has 70,000 active installs and has a 4.5 star review from 56 reviewers. When you install the plugin it asks you to agree to a long agreement which includes parts of the GNU general public license. But at the end it also includes the following text (you have to scroll down to find it):

Third Party Text Links

Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics.

By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it. Your website’s layout, performance and interaction with human visitors should not be altered or affected in any way. Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN, without affecting any other feature available in 404 to 301.

Do the authors have a response to this claim?

It’s not a matter of a ‘claim’ when it’s in the TOS…read the second paragraph after “Third party links”… Those who’ve installed it actually gave permission to place those links.

@nes, 99% of users won’t ever read the TOS.

Just because it is disclosed in a TOS, doesn’t mean it is right.

Wow, that’s in the TOS? Cleverly diabolical – not a trust builder, is it?

Hi all,

I confirm this code injection issue and removed the entire script related to tracking feature. It was being handled by one of my partner developer who made this changes in tracking.

I rectified that it was not a hacking attempt but was inserting links after you accept the TOC. I will make sure to check each lines of code before committing to wp.org in feature.

Please update the plugin to latest version, if you still believe in my work. I am sorry for the confusions and lack of responsibility.

PS: I am copy pasting this comments everywhere since there are 100s of people posting about the same issue.

@nes – Native English Services

“It’s not a matter of looking into it.”
“It’s not a matter of a ‘claim’ when it’s in the TOS.”
??? Seriously? You’re the one who defines what’s a matter and what isn’t??
Come on!

As CFC states, 99% of users won’t ever read the TOS, and he’s 100% right.
This ‘not a matter of’ style is highly arrogant and pathetic.

And, as the WordFence article describes, “when you install the plugin it asks you to agree to a long agreement which includes parts of the GNU general public license. But at the end it also includes the following text (you have to scroll down to find it): (…)”
Practically this is malicious abuse of license documentation.

@joel James

If you’re a professional plugin author, you take responsibility of your plugin’s code quality and security, and this is ‘even more true’ if you’re partnering with other developers or simply outsource parts of the development.

Very much appreciated, Mr James.

Hopefully all the current users of this plugin will upgrade immediately.

Yes. I accept the mistake and I take the 100% responsibility. That is why I have immediately removed the entire tracking feature.

Sorry for the confusion and as I have mentioned, I will make sure that only I have the permission to commit the code in future.

And I hope that partner who is guilty of concocting this terrible idea is now history.

Duly noted, Joel, thank you and and we’ll assume that the agreement text is also coming out of the TOS ??

Yes. I assure that!

@scott,

No more agreement text for now! I removed the entire tracking feature.