PracPlay is tracking all your clicks in TradeLink

[Dmitry Shevkoplyas]

hi all,

For those who not yet aware, there's a feature in TradeLink (not documented) which tracks when/what you've started, how many times and what you clicked etc.

[how to reproduce]

1. take src-pure.rev3754.07-Aug-2013.before-pracplay-crippled-tradelink

2. compile

3. download and install http://www.wireshark.org/ (best packet capture tool)

    and start traffic capture

4. run any Tradelink component (say, replay or kadina)

5. click some controls, close Tradelink app

6. stop packet capture, you'll see something like 

see attached screenshot-1.png

and saved packet capture, so you don't have to do all it over again:

right after starting replay.pcapng

For now the server side is crashing and instead of some 200 OK server sends:

--------------(server crashed reply - begin)----------------------------

HTTP/1.1 500 Internal Server Error

Content-Type: text/html; charset=utf-8

Cache-Control: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Vary: Accept-Encoding

Date: Mon, 14 Oct 2013 02:04:29 GMT

Server: Google Frontend

Alternate-Protocol: 80:quic

Transfer-Encoding: chunked

665

<pre>Traceback (most recent call last):

  File &quot;/base/data/home/runtimes/python/python_lib/versions/1/google/appengine/ext/webapp/_webapp25.py&quot;, line 716, in __call__

    handler.post(*groups)

  File &quot;/base/data/home/apps/tradelinkappstore/1.347311633263061126/main.py&quot;, line 135, in post

    track.put()

  File &quot;/base/data/home/runtimes/python/python_lib/versions/1/google/appengine/ext/db/__init__.py&quot;, line 1070, in put

    return datastore.Put(self._entity, **kwargs)

  File &quot;/base/data/home/runtimes/python/python_lib/versions/1/google/appengine/api/datastore.py&quot;, line 602, in Put

    return PutAsync(entities, **kwargs).get_result()

  File &quot;/base/data/home/runtimes/python/python_lib/versions/1/google/appengine/api/apiproxy_stub_map.py&quot;, line 612, in get_result

    return self.__get_result_hook(self)

  File &quot;/base/data/home/runtimes/python/python_lib/versions/1/google/appengine/datastore/datastore_rpc.py

--------------(server crashed reply - end)----------------------------

So I was curious to see what would be actually submitted during normal program work (say Kadina replaying 1 day of some ticker against one of my responses). Biggest fear was that response itself is submitted :))

I quickly run own http server and logged all the POSTed fields/values and then fixed tradelink, repuild and run Kadina. Here what I saw collected on the server:

--------------(server-side collected POST fields - begin)----------------------------

 moved to attached file: what-would-be-normally-tracked.txt

--------------(server-side collected POST fields - end)----------------------------

As you can see every mouse click, app start/stop, tab navigation - all would be sent to the server!

[how to disable tracking]

if you search by "tradelinkappstore.appspot.com" you'll immediately find file:

tradelink\TradeLinkAppKit\AppTracker.cs

        string _URL = @"http://tradelinkappstore.appspot.com/apptracker";

---------------------

Now if you find all the references to the class AppTracker, then you see that

lots of apps uses it as a parent class. 

I remember when I noticed this suspicious tracking activity about a year ago (they used ec2-instance (Amazon) as a server to collect all the data back then) I just excluded AppTracker like this:

(original line)

public partial class kadinamain : AppTracker

(now we excluded tracker)

public partial class kadinamain : System.Windows.Forms.Form

but now I see there can be some value (for example for debugging) so as a final soluton on "How to disable PlackPlay tracking of TradeLink usage" I'd suggest to edit 2 lines in "tradelink\TradeLinkAppKit\AppTracker.cs" file:

1) remove URL just in case it is used somewhere else

//string _URL = @"http://tradelinkappstore.appspot.com/apptracker"; // <- original value

string _URL = @"http://127.0.0.1/non/existing/app.php";             // <- replaced to non-existing

2) comment the place where they actually POST date to the server

// this is where actual upload of all tracked detail is happaning (wc stands for webClient). 

// Just comment next line to disable tracking:

//wc.UploadValues(TrackUrl, "POST", t.ToQuery()); // <-- this is where actuall tracking (upload) use to happen

enjoy,

[Wilhelm Stroods]

Excellent work Dima

--
You received this message because you are subscribed to the Google Groups "TradeLink-Free" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tradelink-fre...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Dmitry Shevkoplyas]

And also tradelink\TradeLinkAppKit\Version.cs

would make async web request each time you start anything.

It would compare registry key: "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TradeLinkSuite"

with response from remote server: "http://code.google.com/p/tradelink/"

to disable, comment two lines: calls to "wc.DownloadStringAsync" method (note semicolon before comment)

                    ;// wc.DownloadStringAsync(new Uri(ProgramUrl), new verstate(Program, ProgramUrl, current, pause));

--
с ч.гл.ув.,
Дима Ш.

[Jonathan Sadighian]

Yes! Great work!