(update: Since writing this post I’ve found some more info suggesting that Sweet Captcha have indeed started pushing ads on purpose and, although the ads script now appears to have been removed, their T&C’s page still includes a clause allowing them to show ads… more info towards the end of this post)
It saddens me to write this post!
For a long time now, I’ve loved the ‘Sweet Captcha’ plugin for WordPress. It’s a great little plugin that gives a visual captcha with cute images to interact with to prove you’re human. The plugin’s drag-n-drop system is much easier than the often ugly captcha codes that annoy us all! Moreover, the plugin worked great on mobiles too!
ADWARE & SPAM WARNING
However, it appears that Sweet Captcha, that line of defence against spammy blog comments, is now responsible for spreading dodgy adware in the form of pop-ups when a visitor first clicks on a page.
Sneakily done – So sneaky you may not have noticed!
Although I can’t confirm the exact functionality, from my observations the ads show when a user first clicks on your website. However, this appears to be cookie related, as once an advert has shown, no further ads will show.
Refreshing the page and clicking again doesn’t show an advert either; however, if you open an incognito window, ads are shown again on first click (note: you must not have any incognito sessions open in other windows!). I don’t have the time to check cookies (perhaps someone else reading this does?) but it seems to follow that there are cookies involved.
Narrowing Down to Sweet Captcha
When popups were first reported on a site I was working on, my first thoughts were that the site had been hacked, so I began the usual tactics… maldet scans looking for the usual dodgy code, grep / find in files for base64-encoded content, checking last-modified dates of files, running validity scans of plugin & theme files, checking for additional admin accounts – the usual tactics.
Whilst various scans were running, I also manually started disabling sets of plugins, clearing the cache and re-checking the site. Through this manual trial & error, I found the source faster than the scans (elbow grease sometimes pays off, and it gives me something to do whilst sat watching scan outputs… besides drinking too much coffee and swearing at the screen!).
I confirmed it was Sweet Captcha by:
- Disabling the plugin
- Clearing the server cache
- Opening a new incognito window
- Confirming that no ads showed
- Re-enabling the plugin & repeating the above
- With the plugin enabled, the ads showed
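The trial-and-error test above works, but it relies on spotting a pop-up by eye. A quicker way to pin a plugin down is to save the page HTML with the plugin enabled and again with it disabled, then diff the third-party script and iframe origins each snapshot loads. The script below is an added example, not code from the original post or from the Sweet Captcha project; the two HTML snapshots and every host name in it (example-blog.test, fonts.example-cdn.test, api.captcha-vendor.test, ads.third-party.test) are constructed placeholders for the demo, not real sites.

```python
"""Diff the external script/iframe origins between two snapshots of a page.

Added example, not part of the original post. Capture the page source once
with the suspect plugin enabled and once with it disabled (after clearing any
server cache), then compare which third-party hosts appear only in the
enabled snapshot. All hosts and HTML below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder for the site under investigation (assumption for the demo).
SITE_HOST = "example-blog.test"


class ExternalResourceParser(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.resources.append(value)


def external_hosts(html, site_host=SITE_HOST):
    """Return the set of hosts that script/iframe tags load from, excluding
    relative URLs and URLs on the site's own host."""
    parser = ExternalResourceParser()
    parser.feed(html)
    parser.close()
    hosts = set()
    for url in parser.resources:
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname     # None for relative paths
        if host and host != site_host:
            hosts.add(host)
    return hosts


def diff_snapshots(enabled_html, disabled_html, site_host=SITE_HOST):
    """Hosts that are loaded only when the plugin is enabled, sorted."""
    return sorted(external_hosts(enabled_html, site_host)
                  - external_hosts(disabled_html, site_host))


# Constructed snapshot: plugin disabled. Only first-party scripts plus one
# external font host that the theme always loads.
SNAPSHOT_PLUGIN_DISABLED = """
<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://example-blog.test/wp-content/themes/demo/theme.js"></script>
<link href="https://fonts.example-cdn.test/css" rel="stylesheet">
<script src="https://fonts.example-cdn.test/loader.js"></script>
</head><body><p>Hello</p></body></html>
"""

# Constructed snapshot: plugin enabled. Same page plus a vendor widget script
# and an iframe from an unrelated ad host.
SNAPSHOT_PLUGIN_ENABLED = SNAPSHOT_PLUGIN_DISABLED.replace(
    "</head>",
    '<script src="//api.captcha-vendor.test/widget.js"></script>\n'
    '<iframe src="https://ads.third-party.test/pop?id=1" width="0"></iframe>\n'
    "</head>",
)

if __name__ == "__main__":
    for host in diff_snapshots(SNAPSHOT_PLUGIN_ENABLED, SNAPSHOT_PLUGIN_DISABLED):
        print("loaded only with plugin enabled:", host)
```

Run it against real captures by reading the two saved HTML files into the two snapshot variables and setting SITE_HOST to your own domain. Anything that appears only in the enabled snapshot is what the plugin introduces; a host you don't recognise is the one to investigate, and the same comparison works for any plugin, not just a captcha one.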
Sweet Captcha Hacked or Gone to The Dark Side?
It could be that Sweet Captcha’s plugin has been compromised, however I’m not so sure: when I headed over to the WordPress plugin repository to grab the versions hosted there and look for file differences, I found that the plugin is no longer listed. To give Sweet Captcha the benefit of the doubt, it could still be that they were compromised, the plugin was removed, and it will be reinstated in the WordPress repository once the problem is fixed. However, unfortunately I think it’s best to err on the side of caution and disable the plugin, then delete it.
UPDATE: Sweet Captcha’s Terms & Conditions UPDATED to Mention Ads
It appears others spotted this issue before I did. Denis Sinegubko reported on this recently over on the Sucuri blog and included a snippet from Sweet Captcha’s T&C’s page, which states it may show additional content, including adverts.
Mention of Ads is New
As Denis points out in his post, section 5.2 of Sweet Captcha’s T&Cs does mention that Sweet Captcha may show ‘additional content’, including ‘ads’.
This got me thinking, did I miss this previously? I didn’t think this was likely (I’m a cautious sort of chap!), so I decided to get my deerstalker hat on!
Checking their current T&C’s page, I find:
5.2 You acknowledge that within the sweetCAPTCHA service and/or sweetCAPTCHA API, There might be included 3rd party content which will be displayed for the purpose of user interaction. This content might include but will not be limited to ads, banners, links, search engine input fields and etc.
I love the ‘waybackwhen’ machine, don’t you? Here’s the same section 5.2 as archived in July 2014:
5.2 You agree to use the Services only for purposes (a) that are permitted by the Terms, any applicable law, regulation or generally accepted practices or guidelines in the relevant jurisdictions (including any laws regarding the export of data or software to and from the United States or other relevant countries), and (b) that do not violate the legal rights of any third party, including but not limited to copyrights, trademarks, rights of privacy, and rights against defamation.”
Not only is there no mention of ads on the T&Cs page in July 2014, I can’t find a mention of it anywhere on the page.
Now, I’ve had my email registered with the folks over at Sweet Captcha for longer than this, yet I can’t find any email from them mentioning this change to their terms & conditions since I signed up.
Update 2: Ads Removed
It appears that Sweet Captcha have now removed the ads from their plugin. However, the script is still nowhere to be found on the WordPress repository, and their terms & conditions page STILL includes the caveat that allows them to show ads. For that reason, I’d advise caution until Sweet Captcha confirm what the implications of this clause are and, indeed, whether they will remove it.
Ask Sweet Captcha
If you’d like to know if the folks at Sweet Captcha will remove the clause about showing ads, RT the tweet below. We really like Sweet Captcha, so let’s encourage them to remove the clause about ads!
— Mike Gracia (@MikeGracia_) June 19, 2015
Come on Sweet Captcha, your tool is great… make us all happy & do the right thing 🙂 (we will update this post if we get a response, of course).