Watch out: “Share this” plugin monitors your blog and your visitors

Alex Günsche · January 29, 2008

The popular “Share this” WordPress plugin monitors your blog and your visitors. Each time a visitor calls a page of your website containing the Share This widget, they will download a so-called webbug. It’s the image at the bottom of the Share This widget.

Although the unique identifier of the webbug is generated randomly (something like 775e8ba2-8ea3-48a9-a071-6ebdd986d676) on your blog on first use, the sharethis.com server (from which the image is loaded) is able to associate your site with this unique identifier through the HTTP referer a browser sends. Using techniques similar to those of, e.g., Google Analytics, sharethis.com can therefore see how many visitors you have and which of your pages they viewed. In my opinion, this is quite insolent, as it massively invades your and your visitors’ privacy.

How can you protect yourself from this? You need to modify the file share-this.php from the plugin. The easiest way is to simply delete line 702 (in “Share this classic”, v1.5.1) where the image code is generated:

<div id="akst_credit"><a href="http://sharethis.com"><img src="http://r.sharethis.com/powered-by?publisher=<?php print(get_option('st_pubid')); ?>" alt="Powered by ShareThis" /></a></div>

Another option would be to beat sharethis.com at their own game: Replace (also in line 702) get_option('st_pubid') with ak_uuid() (their internal function to generate the unique identifier), thus messing up their database. ;) Just kidding — just remove the code as described.

Update: Looking a bit deeper into the plugin, I realized that it’s not only a webbug that the plugin loads, but also, each bookmarking is redirected to sharethis.com’s server! This means, whenever somebody clicks a bookmarking link, they are first sent to sharethis.com’s server and then redirected from there. You can overcome this, too, by a little modification: Change line 304 of share-this.php (in “Share this classic”, v1.5.1) to return base; — then you and your visitors are taken to the bookmarking service directly.

Update 2: More occurrences of the offending technique are on the page which Share This displays when JavaScript is deactivated. Again, each bookmark link redirects to sharethis.com first, and the image in the footer is a webbug. To disable these items, change line 1132 in share-this.php to print('<li><a href="'.$link.'" id="akst_'.$key.'">'.$data['name'].'</a></li>'."\n"); and remove the footer (a few lines further down).
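
To confirm that the modifications took effect, the rendered page can be checked for resources the browser still fetches from a foreign host on every page view. The following is an added example, not code from the plugin or from the original post; the host blog.example, the function and class names, and the sample HTML (built around the image tag from line 702) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Tags whose URL the browser requests automatically when the page loads,
# sending the page address along in the Referer header.
AUTOLOAD = {"img": "src", "script": "src", "iframe": "src", "embed": "src"}


class EmbedAuditor(HTMLParser):
    """Collect auto-loaded resources served from a host other than the site's own."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = AUTOLOAD.get(tag)
        if attr is None:
            return  # e.g. <a href>: only requested when a visitor clicks it
        parts = urlsplit(dict(attrs).get(attr) or "")
        host = (parts.hostname or "").lower()
        # Relative URLs have no host; subdomains of the site count as first-party.
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return
        # Query parameter names show whether an identifier travels with the request.
        self.findings.append(
            {"tag": tag, "host": host, "params": sorted(parse_qs(parts.query))}
        )


def audit(html, site_host):
    """Return one finding per third-party resource loaded on page view."""
    auditor = EmbedAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a rendered post with the widget's credit image still present.
SAMPLE = """
<img src="/wp-content/uploads/photo.png" alt="local image" />
<div id="akst_credit"><a href="http://sharethis.com"><img
 src="http://r.sharethis.com/powered-by?publisher=775e8ba2-8ea3-48a9-a071-6ebdd986d676"
 alt="Powered by ShareThis" /></a></div>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "blog.example"):
        print(finding)
```

An empty result for a saved copy of a page means no image, script or frame on it is fetched from another host when the page loads.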

7 comments on “Watch out: “Share this” plugin monitors your blog and your visitors”

  1. TwisterMc on January 31, 2008 at 00:53 #

    Wouldn’t this be needed for the stats service they are going to be releasing? They have to collect the data somehow. http://sharethis.com/example_report

  2. S.K on January 31, 2008 at 05:02 #

    Hi,

    I am scared of the mischievous “Share This” plugin after reading your post.

    Can you please advise me as to how to add a facility (by hard-coding) such that visitors can subscribe to only a few popular social bookmarking sites like Digg, del.icio.us etc.

    Thanks,

    S.K

  3. Alex Günsche on January 31, 2008 at 09:53 #

    TwisterMc: Yes, there is a stats service. But you have to register for it, and I reckon that most users of the WP plugin don’t even know about it. But the plugin tracks data for every user, while most users think this is just a tool to display social bookmarks links.

    I would expect this tracking feature to be optional, especially as the Terms of Service (and with that, the Privacy Policy) apply only to those who register for tracking — see their download page.

  4. Alex Günsche on January 31, 2008 at 10:07 #

    S.K: There are tons of other social bookmarking plugins for WordPress.

  5. couchmouse on February 3, 2008 at 02:54 #

    The old ShareThis Classic plugin version 1.5.1 is standalone and does not contact the Share This servers like the new one does. It is also faster because it is a self contained plugin and does not download anything (js, images, etc.) from Share This server.
    It is avail Here

    The phone home feature of the new Share This is why I still use the original version.

  6. adam on March 13, 2008 at 20:46 #

    @couchmouse - from reading the post, it seems this IS included in share-this classic. you can still get version 1.4 (before alex sold the plugin) from wordpress.org - http://wordpress.org/extend/plugins/share-this/download/

  7. Gilberto Galea on June 7, 2008 at 21:31 #

    I think that is an advantage, over a risk. Because you can see the reactions about your readers. If you think that “share this” project could be bad practices, you can use “add this” and problem result.
    Thanks for your concern.
