The uLogin service sends data from forms (mail, phone) to a third-party site and is silent about it
Hello community. This is my first entry, even if it is not quite long - but an important message in the title. There is such a service for authorization through social networks - uLogin. The developers have released a lot of free plugins for various CMS and here it is - the cheese in a mousetrap.
We see things did not go well, and users began to notice that the service loads strange scripts when the module is running. I am conducting an audit of my site - I noticed that counter.yadro.ru is loaded several times. In total, when loading the page, they loaded 18 resources (js, css, other requests) - that’s a lot for my project with only 47 requests. And their service adds another 18, including requests to third-party sites.
Here is their response in December 17th:
There are requests to our counter li.ru and to our website. Partner requests were previously, but we finally removed them a few months ago.- but they were deceitful - they sent a request to x01.aidata.io:

And on the resource no answer was given to anyone.
So what is this aidata.io? This is a data management platform for software marketing . So this service calls itself. But why me? Yes, I know: that social networking widgets, share buttons, search engine counters - they all collect data from our site. But they send data to themselves. They use their own , proven scripts - a third party intervenes in the script. A uLogin connects a third party and I, as the site owner does not speak about it. Is that fair? I think no. Am I against? Of course against.
On May 25, 2018, the General Regulations for the Protection of Personal Data of the European Union entered into force: Data Protection Regulation (GDPR) and in the Russian Federation, previously - No. 152-ФЗ “On Personal Data” - and uLogin does not notify my site visitors. I myself did not know that the data is being collected - how would I answer this question if someone knocked on my door? I did not control my site.
Did it cost them to believe that they finally removed the tracking? I believed it.
January 24, 2018, I paid attention to errors in the site console:

and immediately sounded the alarm. Written off by mail with the uLogin team - answer:
This is a script tracker from our partner.
What a twist! A little more than a month ago, they assured me that they had removed this.
Meanwhile, on the Internet, at the reformal site, there was a movement in the subject. I do not know the rules of publications - allow you to insert a link? But I take the risk: the topic of December 28, 2017.
There and I wrote and laid out for the light heads the contents of the included script.
Ivan Pshenitsyn responded to the topic - and he was very surprised - "how can this happen?" At the end of March, he last appeared in the topic and abandoned his clients, who entrusted their websites to them - to the mercy of fate.
And even in May of 2018, new commentators came to the topic, at the end of April, a user with the nickname Maxim published a video - as a script from a form on the site, it sends user personal data (phone number) to a completely third-party site.
A month ago, the topic was raised in the official WordPress plug-in support forum - two people complained about a leak. There was no official answer.
Should I trust the service team, who claimed in the mail correspondence that they removed the partner requests, and continue to send Trojan horses to our sites? If they allow a third party to load any js uncontrollably onto our sites, then what they want (these third parties) is this correct? Is it safe? Is it legal?
This post I publish - because from the service team uLogin did not receive a proper response.
ps when installing the WordPress plugin uLogin does not require registration on their service. This means that the user agreement that they placed on their website is not legally binding.
If you have ideas and thoughts about this product and the current situation - welcome to the comments.
upd. 2018-06-05 - Yesterday I wrote a letter to WordPress Security. They responded (but unfortunately the answer has not been sent to me by mail yet) - the plugin in the official WordPress repository is not available for download. The visitor is greeted with the following inscription:

Either they understand the question, or they give the uLogin team time to eliminate such behavior.
Only registered users can participate in the survey. Sign in , please.