Support » Plugin: Cue by AudioTheme.com » Ad Spam link to your website

  • It added some hidden code in my website that linked my logo to some spam website ad. Don’t download it.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Brady Vercher

    (@bradyvercher)

    Hi Ben,

    I can assure you that we never have and never will incorporate third-party advertisements or spam in any of our plugins. The code is available here on WordPress.org and on GitHub for anyone to review. Cue is used on over 10,000 sites and this is the first and only report of a problem like this.

    We do take this seriously and would like to determine why you think Cue is the root of the issue. If you could respond to the email you sent after leaving this review with the additional information and code I requested, I’d be happy to take a look.

    Thanks,
    Brady

    Plugin Author Brady Vercher

    (@bradyvercher)

    Hi Ben,

    We haven’t received a reply here or follow-up to your email. Could you give us an update and let us know if you still think you’re having issues with Cue?

    Thanks,
    Brady

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    *Removes modlook and installs plugin and looks*

    OK, this is 30 minutes of my life that I won’t get back.

    @bradyvercher Your plugin does add a link and that’s not cool. It’s also against the plugin guidelines.

    Read item #10.

    https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/#10-plugins-may-not-embed-external-links-or-credits-on-the-public-site-without-explicitly-asking-the-user%E2%80%99s-permission

    *Looks at SVN revisions*

    It looks like you have been doing that for 4 years. Here’s the SVN diff.

    This is the unminified file.
    https://plugins.trac.wordpress.org/browser/cue/trunk/assets/js/cue.js

    This is the minified version.
    https://plugins.trac.wordpress.org/browser/cue/trunk/assets/js/cue.min.js

    See the “buildaudiothememark” part on the minified file? Your link is right after that.

    I’ve unminified what you are actually sending your users. Here you go.

    You load that minified js file on this line.

    https://plugins.trac.wordpress.org/browser/cue/trunk/classes/Provider/Assets.php#L73

    Here’s my favorite part. When I modified line 73 from

    
    $this->plugin->get_url( 'assets/js/cue.min.js' ),
    

    to now load the unminified version

    
    $this->plugin->get_url( 'assets/js/cue.js' ),
    

    Then the link magically goes away. The player still works without the link.

    That’s really bad. You uploaded a minified version that was different from the unminified js file.

    Or to quote the reviewer:

    Ad Spam link to your website

    This is being reported to the plugins team.

    Plugin Author Brady Vercher

    (@bradyvercher)

    Hi @jdembowski,

    I believe you’ve misinterpreted the allegation in the review as well as misread the code. I wouldn’t have asked for a moderator to take a look if I thought we were doing anything that was suspect.

    The review mentioned that this plugin added hidden code that linked his logo to a spam website ad. This has nothing to do with the link to AudioTheme.com in the player itself and isn’t something Cue does or ever will do. The email we received has more context:

    After finding that when I click on my website logo it linked to some spam website. I tried to deactivate some plug-in. Surprise, when I deactivated yours, the spam went away.. Website like [ spammy link redacted ] and others…

    In your review of the code, did you find anything that would cause that?

    Considering the account was created for the express purpose of leaving a review with an erroneous claim and has no other activity, I thought it was worth reviewing.

    Regarding our branding in the player, as you mentioned, that’s been there for four years with little complaint. That’s four years I’ve spent contributing to core, contributing to the media library used by core, and building and maintaining this plugin that anyone can install for free. I know how the code works and don’t appreciate your patronizing tone.

    As I’m sure you’re aware, code is minified for performance. It reduces the file size to make it faster to download and reduces the number of HTTP requests when concatenating multiple files. The snippet you embedded and accused me of hiding can actually be found in the unminified source for anyone to view and freely modify as they see fit:
    https://plugins.trac.wordpress.org/browser/cue/trunk/assets/js/cue-mejs.js

    And here:
    https://plugins.trac.wordpress.org/browser/cue/trunk/assets/js/cue-media-classes.js

    There’s nothing nefarious about that. As I alluded to earlier, I’ve been a part of this community for a while and would hope that we treat each other with more respect than you’ve shown me.

    Regards,
    Brady
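
The comparison argued over in this thread (does a minified bundle contain links that its readable sources do not?), as an added example that is not part of any post and is not code from the Cue plugin. The file names, file contents and the `vendor.example` URL are constructed for illustration.

```javascript
// Constructed sample inputs; these are NOT the real Cue files.
const SOURCES = {
  'player.js': "function initPlayer(el) { el.className += ' player'; return el; }",
  'player-mark.js':
    "function buildMark() {\n" +
    "  return '<a href=\"https://vendor.example/?ref=player\">Vendor</a>';\n" +
    "}",
};
// Constructed bundle: both sources concatenated and minified into one file.
const BUNDLE_MIN =
  "function initPlayer(e){return e.className+=' player',e}" +
  "function buildMark(){return'<a href=\"https://vendor.example/?ref=player\">Vendor</a>'}";

// Collect every http(s) URL literal that appears in a piece of JavaScript text.
function extractUrls(js) {
  return new Set(js.match(/https?:\/\/[^\s"'<>\\)]+/gi) || []);
}

// For each URL in the bundle, list the source files that also contain it.
// An empty list means no reviewed source accounts for that URL.
function attributeUrls(bundle, sources) {
  const report = {};
  for (const url of extractUrls(bundle)) {
    report[url] = Object.keys(sources)
      .filter((name) => extractUrls(sources[name]).has(url))
      .sort();
  }
  return report;
}

// URLs present in the bundle but in none of the given sources.
function unexplainedUrls(bundle, sources) {
  const report = attributeUrls(bundle, sources);
  return Object.keys(report).filter((url) => report[url].length === 0).sort();
}

// Checking against one source file flags the link; checking against every
// file that feeds the bundle attributes it to player-mark.js.
const partial = unexplainedUrls(BUNDLE_MIN, { 'player.js': SOURCES['player.js'] });
const full = unexplainedUrls(BUNDLE_MIN, SOURCES);
console.log({ partial, full, attribution: attributeUrls(BUNDLE_MIN, SOURCES) });
```

Literal matching only finds URLs written out in full; a URL assembled by string concatenation or decoded at run time needs a reproducible rebuild of the bundle and a byte-for-byte comparison instead.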

  • The topic ‘Ad Spam link to your website’ is closed to new replies.