Morpheus under fire over hijacking

Morpheus, the file sharing program that claims to be a bastion of spyware-free peer-to-peer code, has come under fire from users over a piece of code that effectively hijacks a user's web browser.

The latest version of the file share tool contains a code element known as a Browser Help Object (BHO) which is designed to inject code from a piece of software straight into Internet Explorer's address space.

When Morpheus is installed, the BHO, in this case a file called 'bpboh.dl', intercepts certain addresses typed into the address bar and redirects the browser to an affiliate marketing site before it goes on to the designated site.

Addresses affected include radioshack.com, ebay.com, amazon.com and toysrus.com. The redirection works as long as Morpheus is installed, whether or not it is running at the time.

While affiliation programs are commonplace on the web, and it has been acknowledged that Morpheus does not cause any privacy concerns, there is some fear that the hijacking of an affiliate URL could give the proceeds to Morpheus while denying them to the true affiliate.

If, for example, a user clicks through to Amazon.com from a site that would receive commission for the referral, but the link is diverted by Morpheus, would Morpheus steal the commission instead? That question remains to be answered.

But as one Slashdot reader pointed out, the feature could even violate Amazon.com's referral policy. Part of Amazon's terms and conditions read: "In addition, you may not promote your site in any way that effectively conceals or misrepresents your identity, domain name, or return email address."

The problem code was created by Wurld Media as part of a confirmed plan to create an online shopping service for Morpheus users. However, the company has remained quiet about the URL interception process.

Morpheus has long stood against the inclusion of spyware, even going so far as to release the code for its client, where others such as Grokster have implemented spyware.

Morpheus now seems to have intercepted some of the internet community's disdain for underhand practices as well as a few URLs.