The same situation as it was with SEO links.
There are a few places in the code with hidden iframes used for statistics (I hope for statistics only); you should probably add some kind of disclosure about them.
You can replace them with any other way to collect installation/usage statistics (a direct call to a web service from PHP, or through the Kaltura player).
Two possible issues with these iframes are:
- it is a way to steal the admin's cookies (I know it's only my paranoia, but it looks like an XSS exploit);
- it interferes with iframe/AJAX-based themes.

I'm sure most users won't care about a hidden iframe too much, but that information should still be made available so that users can make their own decision about it.
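A check a site owner can run over a contributed module's source before enabling it, added here as an example that is not from this issue or from the Kaltura project: it scans PHP/HTML for iframe tags that are rendered invisibly (zero- or one-pixel dimensions, display:none, visibility:hidden, or a bare hidden attribute) and reports whether each one's src points at a host outside the site's own. The sample PHP source, the hostnames and the function names are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a module's admin page code (not the real module source).
# Line 5 is the kind of zero-size external tracking frame the issue describes;
# line 6 is hidden but same-origin; line 7 is an ordinary visible player frame.
SAMPLE_PHP = r'''<?php
function example_admin_page() {
  $output = '<h2>Settings</h2>';
  // tracking frame of the kind the issue complains about
  $output .= '<iframe src="http://stats.example.com/ping.php?site=' . $base_url . '" width="0" height="0" frameborder="0"></iframe>';
  $output .= '<iframe src="/sites/default/files/preview.html" style="display:none"></iframe>';
  $output .= '<iframe src="https://video.example.com/player" width="400" height="300"></iframe>';
  return $output;
}
'''

IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE | re.DOTALL)
# name="value", name='value' or name=value; boolean attributes are handled separately
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def parse_attrs(tag):
    """Return a lowercase-name -> value dict for the attributes of one iframe tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag[len('<iframe'):]):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ''
    return attrs


def hidden_reasons(attrs, tag):
    """List why this iframe would be invisible to the user (empty list = visible)."""
    reasons = []
    for dim in ('width', 'height'):
        value = attrs.get(dim, '').strip().lower().rstrip('px')
        if value in ('0', '1'):
            reasons.append('%s=%s' % (dim, value))
    style = attrs.get('style', '').lower().replace(' ', '')
    for css in ('display:none', 'visibility:hidden'):
        if css in style:
            reasons.append(css)
    if re.search(r'\shidden(?=[\s/>])', tag, re.IGNORECASE):
        reasons.append('hidden attribute')
    return reasons


def is_external(src, trusted_hosts=()):
    """True when src names a host (absolute or protocol-relative URL) not in trusted_hosts."""
    host = (urlparse(src.strip()).hostname or '').lower()
    return bool(host) and host not in {h.lower() for h in trusted_hosts}


def find_hidden_iframes(source, trusted_hosts=()):
    """Scan source text and report every hidden iframe with its line, src and reasons."""
    findings = []
    for m in IFRAME_RE.finditer(source):
        tag = m.group(0)
        attrs = parse_attrs(tag)
        reasons = hidden_reasons(attrs, tag)
        if not reasons:
            continue
        src = attrs.get('src', '')
        findings.append({
            'line': source.count('\n', 0, m.start()) + 1,
            'src': src,
            'reasons': reasons,
            'external': is_external(src, trusted_hosts),
        })
    return findings


if __name__ == '__main__':
    for f in find_hidden_iframes(SAMPLE_PHP, trusted_hosts=('www.example.org',)):
        flag = 'EXTERNAL' if f['external'] else 'same-origin'
        print('line %d: %s iframe -> %s (%s)' % (f['line'], flag, f['src'], ', '.join(f['reasons'])))
```

Run it over a module directory by reading each .php/.inc/.module file and passing its text to find_hidden_iframes with the site's own hostnames as trusted_hosts; any finding marked EXTERNAL is a frame that silently sends the admin's browser to a third-party host and deserves the disclosure the issue asks for. The scan is a text heuristic, so it will not see frames assembled from concatenated strings or created in JavaScript at runtime.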

Comments

dave reid

This is very unacceptable behavior and code if this is not disclosed to the user before it happens. As this is not the first time the module has had questionable code (see #350942: Disclose hidden link back to corp.kaltura.com), I am filing a webmasters issue to gather an opinion on suspending CVS access.

catch

Not only suspend cvs access but unpublish the project IMO.

pwolanin

If this was in the player I could see it as a mistake/upstream problem. But having it in the install code looks rather deliberate.

xurizaemon

Status: Active » Needs review
Attachment status: new, file size: 822 bytes

Patch attached removes iframe from 1.4 codebase.

xurizaemon

Status: Needs review » Fixed

Fixed in 6.x-1.5

xurizaemon

Title: Disclose hidden stats iframes » Remove hidden stats iframes

Retrospectively updating issue title.

dave reid

Thanks for getting all the ones I just noticed in the admin.inc file too.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.