
Running Gigya scripts required for CNet Login

by Alan Mintaka / June 19, 2012 2:59 PM PDT

Hello Everyone,
I'm using the NoScript add-on with FireFox 12. For those of you not familiar with it, NoScript allows you to disable embedded scripts from third-party websites. It's very effective for finding out what third-parties are running scripts on a website you're visiting.

Today I discovered that unless I allow scripts from Gigya.Com to run on Cnet web pages, I can't log in to my Cnet account.

Gigya is a "social infrastructure service provider". What they do is provide third-party scripts that allow users to log in to accounts like Cnet using their social networking IDs. Thus, a website like Cnet that uses Gigya services allows you to log in using your Facebook or other social networking ID.

The only problem here is... I wasn't trying to log in to my Cnet account with a Facebook ID, or with any other social networking ID. I was trying to log in with my Cnet userid/password. Through trial and error I found that unless I allowed Gigya scripts to run on Cnet webpages, I couldn't log into my Cnet account.

Thus, whether you want it or not, scripts that support social networking logins are running when you log into a Cnet account.

What else are the Gigya scripts doing? When they accept Facebook login info, are they also running Facebook scripts? They have to interface with Facebook somehow to get your profile info.

Do the scripts do anything else? Who knows? Cnet is supposed to have a privacy policy of some sort that protects your information. That's fine, but Cnet can't guarantee all of the actions of third party scripts like the ones provided by Gigya. Such scripts could - and probably do - obtain usage statistics. Why not? What's to stop them? If you log into your Cnet account using your Facebook ID, Gigya obtains your profile info, has access to your usage activities on Cnet, and knows your IP address among other things.

The requirement to run Gigya scripts in order to log into Cnet accounts is forced on Cnet account holders, whether or not they have social network IDs and/or want to participate in sharing information of any kind with a social network "infrastructure service" like Gigya?

I ask that Cnet reconsider requiring its users to run Gigya scripts in order to log into their Cnet accounts with their dedicated Cnet userid and password info.

Note: boilerplate to the effect of "Private information for Cnet users who use their Cnet userid/password to login to their accounts is not shared with Gigya or any other social network service" will not suffice. How do you know? Gigya is running some kind of scripts when Cnet users login. How can you guarantee that login and profile information is not being obtained by those scripts? Because Gigya told you it wasn't?

Anyone else have views on this? Should we be required to run social networking login scripts when we login to Cnet accounts using our Cnet login information?

Thank you for providing us with this feedback, Alan.
by Lee Koo (ADMIN) CNET staff/forum admin / June 20, 2012 10:22 AM PDT

I will talk to our engineers/business folks to look into and consider your recommendation here: "I ask that Cnet reconsider requiring its users to run Gigya scripts in order to log into their Cnet accounts with their dedicated Cnet userid and password info." I personally don't see why this should be a problem, especially if you aren't connecting to any social network to log into CNET, but I'm not an engineer, nor am I the one to call priorities--so I can't tell you what effort it would take or where it would fall into our list of priorities, however I will bring it to the table to see what can be done.

As far as private information, I'm not an engineer, nor am I a lawyer, but you're right, I don't know what is being captured, but I'm certain that before CBS Interactive goes live with Gigya or any other 3rd party service, our legal team at CBS Corp has a contract with them agreeing to protect the privacy of our users. At CBS Interactive we take each and everyone's privacy very seriously and we would not jeopardize that. After all Gigya does have a lot to lose given that they have a huge list of high profile clients (http://www.gigya.com/clients/). I also think that we wouldn't be handing things to them that are personally identifiable--most likely a unique anonymous token of some sort, but not private data for them to authenticate people's social log in.

Alan, again I thank you for your feedback and expressing your concerns in regards to this. Like I said I will take your feedback and present it to our engineers and business folks to see if it is something we can consider doing.

Take care,
-Lee

Rough guess
by QMT / June 22, 2012 2:47 AM PDT

Welcome to the new internet. Every page wants to load upwards of a dozen scripts now.

I would guess the local login script is failing when a variable from gigya's script just does not exist, because the gigya script is being blocked.
At the very least, gigya only needs script permission long enough to actually login, and is not needed after that (but cbsistatic.com must be enabled to stay logged in).
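
The failure mode guessed at in the post above, as an added example that is not part of the original thread and is not CNET's or Gigya's code: a first-party login handler that uses a third-party global unconditionally breaks when a blocker stops that script, while a handler that feature-detects the global keeps working. `socialSdk`, `fragileLogin`, `robustLogin`, `attempt` and the sample credentials are hypothetical.

```javascript
// Added illustration; every name below is hypothetical, not CNET or Gigya code.

// Stand-in for the site's own credential check (constructed sample values).
function checkCredentials(user, password) {
  return user === "alice" && password === "correct horse";
}

// Fragile: uses the third-party global unconditionally. If a script blocker
// kept that script from loading, the identifier does not exist and the
// ReferenceError aborts the handler before the first-party check runs.
function fragileLogin(user, password) {
  socialSdk.init({ site: "example" });
  return checkCredentials(user, password) ? "logged-in" : "denied";
}

// Hardened: social login is an optional enhancement. `typeof` on an
// undeclared identifier is safe, and SDK errors never block the local path.
function robustLogin(user, password) {
  if (typeof socialSdk !== "undefined" && typeof socialSdk.init === "function") {
    try { socialSdk.init({ site: "example" }); } catch (e) { /* degrade quietly */ }
  }
  return checkCredentials(user, password) ? "logged-in" : "denied";
}

// Run a handler with the third-party script "loaded" or "blocked",
// returning the outcome as a string instead of throwing.
function attempt(handler, sdkLoaded, password = "correct horse") {
  if (sdkLoaded) globalThis.socialSdk = { init() {} };
  else delete globalThis.socialSdk;
  try { return handler("alice", password); }
  catch (e) { return "error: " + e.name; }
  finally { delete globalThis.socialSdk; }
}

console.log("fragile, script allowed:", attempt(fragileLogin, true));
console.log("fragile, script blocked:", attempt(fragileLogin, false));
console.log("robust,  script blocked:", attempt(robustLogin, false));
```
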

RE: Rough guess
by Alan Mintaka / June 22, 2012 7:54 AM PDT
In reply to: Rough guess

@QMT,

"Welcome to the new internet. Every page wants to load upwards of a dozen scripts now. "

I know. I wasn't reporting on this obvious fact, just taking issue with the requirement to run Gigya scripts in order to log into a Cnet account.

"At the very least, gigya only needs script permission long enough to actually login, and is not needed after that (but cbsistatic.com must be enabled to stay logged in)."

You raise a good point. However, disabling Gigya after you log into a Cnet account will only prevent Gigya from obtaining additional information. At that point, Gigya has already obtained your login info. It's a partial solution, at best.

It's NOT just gigya that needs to run, I did temp allow to
by WisconsinCA / July 21, 2012 1:51 AM PDT
In reply to: RE: Rough guess

It's NOT just gigya that needs to run, I did temp allow to log in.................too many to go thru

is CNET ever going to address this?????????

It's not just Gigya....
by Alan Mintaka / July 21, 2012 9:50 AM PDT

There are indeed many, many other scripts required to run in order for Cnet login to work correctly. I picked out Gigya and Facebook because those two are so widespread (Facebook scripts are EVERYWHERE now) and because they exchange information with other social networks.

The other scripts required to run are a mix of lesser-known social network data miners and various tracking services associated with financial/internet businesses. The latter are also everywhere.

They can all be blocked using "private browsing" and third-party tools like NoScript. Blocking them isn't the problem per se. It's when blocking them actually prevents websites from allowing their users to access their accounts. That MUST NEVER HAPPEN.

firefox with noscripts
by kxmmxk / September 26, 2012 7:52 AM PDT

I use firefox with the noscripts addon. It is ridiculous how much stuff is loaded in the background without people having any idea if they aren't paying attention. It's why they say nothing is private anymore and you need to be very careful. Most of the things loaded in the background are not necessary at all and I don't allow them. It irritated me greatly when gigya showed up but it's not as bad as some sites that insist you login with a facebook or twitter account, which I refuse to do. No site is that important and most people I know also refuse to do it. But you have to wonder what they are tracking, after all they wouldn't be doing it for nothing, they have to be getting some info out of you.

Just use a plugin like noscripts with firefox and be willing to take the time. After awhile you just know what are legitimately necessary and what aren't. Some of it is just history from when cnet was its own company (com.com) and now it's part of cbs (cbsinteractive.com). I also set my browser to delete all cookies and other information when I quit cause that's how they really get you.

Of course this is a site people access during the day, usually from work. And work places are getting more and more controlling what they allow through their firewalls. So sites that do this are only hurting themselves in the long run. I assume they want people with jobs and therefore money to spend on advertised products.


But the whole thing has gotten really silly.

firefox with noscripts - NOT
by Alan Mintaka / September 26, 2012 2:52 PM PDT
In reply to: firefox with noscripts

Please re-read my original post again carefully. I didn't hide the pertinent information - it's right there in the first sentence:

"I'm using the NoScript add-on with FireFox 12. For those of you not familiar with it, NoScript allows you to disable embedded scripts from third-party websites. It's very effective for finding out what third-parties are running scripts on a website you're visiting."

The second sentence contains the reason for the post, and why NoScript (note the spelling) is NOT a solution in this case:

"Today (06/09/2012) I discovered that unless I allow scripts from Gigya.Com to run on Cnet web pages, I can't log in to my Cnet account."

Get it now?

UPDATE - please read this carefully too: today (09/27/2012) when I attempted to log in to my Cnet account to respond to your message, I discovered once again that I had to allow Gigya scripts to run in order to log in. I did not log in using any social media IDs and passwords. I logged in using my Cnet ID and password.

Nothing has changed - Cnet users are still being forced to run social media scripts even if they log in using their Cnet account IDs. There is NO way for us to know what those social media scripts are doing, e.g. if they are recording personal information.

Deleting your cookies is fine, but that only deletes information about you that's stored locally on your hard drive. You have NO idea what information those Gigya scripts may have retrieved and stored on THEIR servers.

Here's the gigya script. Good luck deciphering that mess.
by QMT / September 28, 2012 11:02 PM PDT

RE: Here's the gigya script
by Alan Mintaka / September 29, 2012 9:05 PM PDT

Wow - good job hunting that down.

I see it as a flat file in FireFox, so I certainly can't make much sense of it structure-wise. Here and there I can find the beginnings of loops and other structures (e.g. for(c=0;c<b.length;c++)) but finding the ends amounts to text searches for matching braces.

I'm going to try loading it into code-sensitive editors like NotePad++, and the built-in script editors that come with Dreamweaver 4 (I was already old when this was new) and ExpressionWeb. Are you using some kind of code-sensitive editor that renders it in "pretty-print" format?

re
by QMT / September 29, 2012 11:12 PM PDT

I didn't try to reverse-engineer it very much (or at all).
All I was looking for was obvious loading of more script, but didn't bother to look at those.

I'm curious as to what it returns that makes it essential for logging in. Good hunting!

UPDATE...
by Lee Koo (ADMIN) CNET staff/forum admin / December 5, 2012 7:54 AM PST

A few weeks ago we fixed this as per your feedback.

Can you guys give it a try and log into CNET directly (not using any of the social login) and see if you are still seeing the Gigya scripts?

Please let me know.

I appreciate it.

-Lee

RE:Update
by Alan Mintaka / December 6, 2012 1:31 AM PST
In reply to: UPDATE...

Hi Lee,
I just tried it and it seems to work fine! I'm also running the FireFox add-on NoScript, so I should explain how I did this.

1. Used NoScript to revoke all permissions on the Cnet main page.

2. In NoScript, selectively allowed only Cnet-related scripts to run. I noted that Gigya scripts were explicitly forbidden to run.

3. Clicked on "Login". In the popup, the FireFox add-on LastPass automatically entered my Cnet userid and password.

Here I am! Logged in, no Gigya or other non-Cnet scripts running.

Thanks Lee!

Awesome!
by Lee Koo (ADMIN) CNET staff/forum admin / December 6, 2012 1:40 AM PST
In reply to: RE:Update

Thanks for following up and verifying Alan, glad it's working!

Happy Holidays!
-Lee

RE: Update
by Alan Mintaka / December 6, 2012 3:40 AM PST
In reply to: Awesome!

Back to you, my friend: Happy Holidays!

"Eat, drink, and be merry - for tomorrow, we fall off the fiscal cliff."
--Anonymous Tea Bagger, holding rotten pumpkin stems

Alan Mintaka
