
RedNova6289

Suspended
Original poster
Aug 6, 2022
26
3
I would like to clarify a problem with a strange website found in my keychain.

Only one person is talking about it on Reddit:

I’m not sure how it got there or what it even is but I had realised in my iCloud Keychain passwords there were websites I had never seen or clicked on in my life. One of them was called “share2dlink.com” and it had my phone number, email, and password saved as a login to its website. I tried clicking the website to delete my account off whatever this was but it led me to a deleted website. I’m just very confused and concerned.

This is a Chinese site that I have never visited in my life.

As a precaution I deleted this entry and cleaned my OS.

Do you have any idea how this was created?
 

gilby101

macrumors 68030
Mar 17, 2010
2,550
1,368
Tasmania
Was the password on share2dlink, the same as any of your other passwords?

May be completely unrelated, but do you have any D-Link products? D-Link is active in the home networking space - routers, cameras, etc.

The share2dlink web site says: Founded in 2012, Shanghai Youkun is the world's leading data intelligence technology platform. Adhering to the enterprise vision of "making the world know", taking data application as the lead, integrating cutting-edge big data, artificial intelligence and other diversified advanced technologies, creating four sections of developer services, commercialisation, AI and Mob research institutes, providing data intelligence services in mobile development, intelligent growth, financial risk control, commercial real estate and other scenarios, providing professional products and solutions for nearly one million customers, developers and government agencies, and helping enterprises and modern society realise data-driven digital intelligent transformation.

Sounds to me like something that other companies use for data gathering.
 

RedNova6289

Suspended
Original poster
Aug 6, 2022
26
3
Was the password on share2dlink, the same as any of your other passwords?

May be completely unrelated, but do you have any D-Link products? D-Link is active in the home networking space - routers, cameras, etc.

The share2dlink web site says: Founded in 2012, Shanghai Youkun is the world's leading data intelligence technology platform. Adhering to the enterprise vision of "making the world know", taking data application as the lead, integrating cutting-edge big data, artificial intelligence and other diversified advanced technologies, creating four sections of developer services, commercialisation, AI and Mob research institutes, providing data intelligence services in mobile development, intelligent growth, financial risk control, commercial real estate and other scenarios, providing professional products and solutions for nearly one million customers, developers and government agencies, and helping enterprises and modern society realise data-driven digital intelligent transformation.

Sounds to me like something that other companies use for data gathering.
Absolutely not - the password was different.

For D-link, I do not own any of their products.

Thank you for the information about this website. I didn't think to check the WHOIS:

Domain Name: share2dlink.com
Registry Domain ID: 2468188418_DOMAIN_COM-VRSN
Registrar WHOIS Server: grs-whois.hichina.com
Registrar URL: http://whois.aliyun.com
Updated Date: 2021-10-09T03:52:11Z
Creation Date: 2019-12-17T07:50:16Z
Registrar Registration Expiration Date: 2023-12-17T07:50:16Z
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
Registrar IANA ID: 420
Reseller:
Domain Status: ok https://icann.org/epp#ok
Registrant City:
Registrant State/Province: shang hai
Registrant Country: CN
Registrant Email:https://whois.aliyun.com/whois/whoisForm
Registry Registrant ID: Not Available From Registry
Name Server: DNS13.HICHINA.COM
Name Server: DNS14.HICHINA.COM
DNSSEC: unsigned
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +86.95187
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>>Last update of WHOIS database: 2022-08-07T07:45:03Z <<<

My wife also had this website in her Keychain - and we are unable to find out where it came from as well as the original author of the Reddit topic (???)
 

gilby101

macrumors 68030
Mar 17, 2010
2,550
1,368
Tasmania
Absolutely not - the password was different.
To me, that is a good sign.

For D-link, I do not own any of their products.
Good, that excludes that meaning of 'dlink' which would have suggested some hack of your network.

At a guess, some web site you have visited uses share2dlink to track and analyse your usage of that web site (and maybe some related web sites). But it is a bit devious to create a login with a password stored in your keychains.

A quick web search does not hint at any related malware. So I would just delete the keychain entry and check for it reappearing. A bit worrying though.

If you don't use any 3rd party anti-malware, I suggest downloading Malwarebytes (just the free version - ignore suggestions to pay for more features) and running a scan on your Macs.
 

RedNova6289

Suspended
Original poster
Aug 6, 2022
26
3
To me, that is a good sign.


Good, that excludes that meaning of 'dlink' which would have suggested some hack of your network.

At a guess, some web site you have visited uses share2dlink to track and analyse your usage of that web site (and maybe some related web sites). But it is a bit devious to create a login with a password stored in your keychains.

A quick web search does not hint at any related malware. So I would just delete the keychain entry and check for it reappearing. A bit worrying though.

If you don't use any 3rd party anti-malware, I suggest downloading Malwarebytes (just the free version - ignore suggestions to pay for more features) and running a scan on your Macs.

I deleted the entry in the keychain after visiting the website.

Do you think that just looking at the link in Safari can infect a computer?

As a precaution I deleted and reinstalled macOS - I check the keychain regularly and try not to install new software.

At the moment I only have these:

EtreCheck Pro (from official website)
Firefox (from official website)
KeePassXC (from official website)
IINA (from official website)
Malwarebytes (from official website)
Stats (from GitHub)
Wipr (Safari Extension from App Store)

The Malwarebytes scan results are good - same thing from EtreCheck Pro :)
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
5,827
4,432
iPhone/iPad? If so, might be getting into Keychain via an app and iCloud Keychain.

Which app, that will be tough to determine. Maybe a new-ish install? One from way back in the day?
 

RedNova6289

Suspended
Original poster
Aug 6, 2022
26
3
iPhone/iPad? If so, might be getting into Keychain via an app and iCloud Keychain.

Which app, that will be tough to determine. Maybe a new-ish install? One from way back in the day?

I didn't look at the keychain on my iPhone but as it is synced...

I had installed two Chinese apps:

Fitdays and Zepp Life, which are now no longer in my iPhone after it was cleaned and reset.
 

gilby101

macrumors 68030
Mar 17, 2010
2,550
1,368
Tasmania
Fitdays and Zepp Life
Both of which store your health data somewhere in the cloud. Definitely candidates for creating the share2dlink password.

Personally, I am very wary of cloud enabled fitness apps and what they are doing with your data. In general, safest to use those that only link into Apple Health.
 

RedNova6289

Suspended
Original poster
Aug 6, 2022
26
3
iPhone/iPad? If so, might be getting into Keychain via an app and iCloud Keychain.

Which app, that will be tough to determine. Maybe a new-ish install? One from way back in the day?

I didn't look at the keychain on my iPhone but as it is synced...

I have installed two Chinese apps from memory:

Fitdays and Zepp Life which are now no longer in my iPhone after it was cleaned and reset.

Both of which store your health data somewhere in the cloud. Definitely candidates for creating the share2dlink password.

Personally, I am very wary of cloud enabled fitness apps and what they are doing with your data. In general, safest to use those that only link into Apple Health.

Thanks for your advice ;)

I will now be more careful with applications. The latest one I have installed is this one:

Battery Life (from App Store)

I don't think I'll keep it.

Last question: do you think that after uninstallation, an iOS application can continue to infiltrate our machines?
 

Snookypants444

macrumors newbie
Aug 12, 2022
5
0
Was the password on share2dlink, the same as any of your other passwords?

May be completely unrelated, but do you have any D-Link products? D-Link is active in the home networking space - routers, cameras, etc.

The share2dlink web site says: Founded in 2012, Shanghai Youkun is the world's leading data intelligence technology platform. Adhering to the enterprise vision of "making the world know", taking data application as the lead, integrating cutting-edge big data, artificial intelligence and other diversified advanced technologies, creating four sections of developer services, commercialisation, AI and Mob research institutes, providing data intelligence services in mobile development, intelligent growth, financial risk control, commercial real estate and other scenarios, providing professional products and solutions for nearly one million customers, developers and government agencies, and helping enterprises and modern society realise data-driven digital intelligent transformation.

Sounds to me like something that other companies use for data gathering.
Hello, I’m the original poster of the Reddit paragraph. I came here to ask some people for some answers. When I had checked the information on the share2dlink in my iCloud Keychain I noticed it had my old password that I had used frequently and my email and phone number. After conversing with some people online I had eventually deleted it but up until a few days ago I noticed it had reappeared. There was also a website called page.link in my keychain.
 

gilby101

macrumors 68030
Mar 17, 2010
2,550
1,368
Tasmania
When I had checked the information on the share2dlink in my iCloud Keychain I noticed it had my old password that I had used frequently and my email and phone number. After conversing with some people online I had eventually deleted it but up until a few days ago I noticed it had reappeared. There was also a website called page.link in my keychain.
There is so much in my keychains that seems to have been created without my permission. No doubt it all makes for a smooth experience, but any careful look raises so many questions which easily become fears. Some of the so-called passwords are just access strings/tokens obviously created behind the scenes by a browser app. It would be so much easier to explore if display of 'passwords' could be enabled once and then display in a column.
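
An added example, not part of any post in this thread: one way to run the two checks discussed above (has an unexpected entry come back after deletion, and does it share a password with other entries) against a password export. The CSV column names and the sample rows are assumptions constructed for illustration; adjust them to the file your password manager actually exports.

```python
import csv
import hashlib
import io
from urllib.parse import urlsplit

# Domains named in this thread; extend with anything else you did not create.
WATCHLIST = {"share2dlink.com", "page.link"}

# Constructed sample; the header row is an assumed export layout.
SAMPLE_EXPORT = """Title,URL,Username,Password,Notes,OTPAuth
example.org,https://example.org/login,alice@example.org,old-reused-pw,,
share2dlink.com,https://share2dlink.com/,+15550100,old-reused-pw,,
page.link,https://abc.page.link/x,alice@example.org,tok_9f2c,,
forum.example.net,https://forum.example.net/,alice,unique-pw-1,,
"""

def host_of(url):
    """Return the lower-cased hostname, tolerating entries saved without a scheme."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def on_watchlist(host):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def digest_of(password):
    """In-memory digest used only to group equal passwords without echoing them."""
    return hashlib.sha256(password.encode()).hexdigest()

def audit(csv_text):
    """List watchlisted entries and the other hosts that share their password."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    hosts_by_digest = {}
    for r in rows:
        hosts_by_digest.setdefault(digest_of(r["Password"]), set()).add(host_of(r["URL"]))
    findings = []
    for r in rows:
        host = host_of(r["URL"])
        if on_watchlist(host):
            shared = sorted(hosts_by_digest[digest_of(r["Password"])] - {host})
            findings.append({"host": host, "username": r["Username"],
                             "password_shared_with": shared})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run it again on a fresh export some time after deleting the entry to see whether it has reappeared, and delete the plaintext export file when done.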
 