Is Flixster Using Deceptive Viral Practices?
Talaria writes "The social networking movie review site Flixster is requesting their users' AOL, Gmail, Yahoo and Hotmail passwords, and then using them to access users' address books and send 'invitations' to join Flixster, making them appear to come from the user. The password prompt screen includes the ISP's logo right next to the password prompt. Rather than hiding this little 'feature,' Flixster brags about it in an interview after receiving $2 million in venture funding earlier this year." American Venture Magazine notes: "...such practices are becoming increasingly... common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget."
Facebook does the same. They ask for your e-mail address and e-mail address password, then spam your contact list. I can't believe people will give them their password, but some actually do. Preposterous!
They can pry it only from my cold unresisting hands. If any site asked for it, not only would I not give it, but I would write a nasty letter telling them to shove their request so high up the ass that it would be possible to see it when they open their mouths.
There is no way of telling if the password used is provided to a third party without consent or if the site is hacked. Be careful with your personal data, and keep your login to yourself as much as possible.
If you create a site with interactive content, think twice about whether you really need your visitors to log in to request the content.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I'm not really surprised that another company on the way to the venture capital bank lost any sense of morals it used to have.
If you give a website your password to your email account, you are to blame. If the company is hacking into your accounts to send out its viral invites...that's when the crap needs to hit the fan.
Most people try to keep their passwords and usernames to a small number, so they use the same password and username for several different sites... so a nasty trick could be to try using the password for Flixster against the same username for a different account, say Google Mail or MySpace...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
You can just put your /. username and password as a reply to this reply and I'll be sure to send all your friends invites to Slashdot (as if we didn't have enough hosers already)...
I tried to think of a good sig, and this wasn't it.
If you look at the lousy screen shots it is painfully obvious they are being up front and quite clear what they intend to do and how to skip the invitation process.
I'm not saying I'm a fan of their scheme, but it's not like they're scamming anyone. You even get to select who you want to invite.
I guess some people feel they have to produce content, even if they have to dress a non-story up in inflammatory language and ignore the facts of the situation. Gotta drive those Adsense impressions.
Platform advocacy is like choosing a favorite severely developmentally disabled child.
I can literally hear the devs arguing this idea is insane, but their boss insisting on it being implemented.
And so it came to be. It's crazy not just because it's deceptive, but because it's a security nightmare. If you give your passwords to random sites even for the nicest purposes (which isn't even the case here) it's guaranteed they'll be leaked, and your accounts abused.
What's next: signing a warrant of attorney to the great Flixster, so they could send your buddies free gifts, funded by your bank accounts and credit cards? It's definitely in the same line of thought as this preposterous scheme here.
I'm just surprised how these guys get funded at all. Anyone will tell you that this practice is unsustainable, not to mention unethical.
That's pretty tragic when you can't figure out how to create a tinyurl for goatse, mate.
From the 2nd article-
/.
:>
"We make it easy to invite your friends. Other sites don't provide good ways for people to spread the word."
What, like calling your friend and saying "Hey, this is a great site" or emailing them and saying "Hey, this is a great site" or texting them and saying "Hey, this is a great site" or walking up to them and saying "Hey, this is a great site"? (Did I make my point?)
From "Blaster.virus.com"- "Hey, we have a great site and we're going to check out your email address list and send email to everyone on it and tell them 'Hey, we have a great virus'."
This must be the most redundant post ever on
I'm almost ashamed. Except these idiots are worse. Well, there is also the RIAA, MPAA, Microsoft on certain weeks, SCO, various politicos, sometimes the USA, generally always the BSA, Taco Bell for getting rid of the burrito chiwawa (I have no idea how to spell that), George Lucas for his "remakes", Brannon Braga for screwing up Star Trek, the Sci-Fi channel for canceling Stargate, TNT for screwing up Bab5, whoever cancelled Threshold, L Ron Hubbard for going nuts after writing "Battlefield Earth", Scientology in general, the 4 Horsemen, cats and dogs living together, and general anarchy!
Did I miss anyone?
Vote monkeys into Congress. They are cheaper and more trustworthy.
That's breathtakingly evil. But like a lot of breathtakingly evil things, especially the smaller-scale ones, it first requires breathtaking stupidity on the part of the victim.
So in a sense it balances out.
Whence? Hence. Whither? Thither.
The page in question is formatted to resemble a login gateway page of the various providers (think Microsoft Passport and the like) using the domain part of your email address to decide which provider login to display. Even though I consider myself quite knowledgeable when it comes to security related issues and have done security consulting for various companies, I *might* have fallen for this since it admittedly lowered my suspicions. I doubt Joe Sixpack or even many above-average users would have questioned the purpose of this form.
Worth noting is their elaborate privacy policy and the cute picture of a monkey in their terms of service. Also, the footnote "Flixster does not store this information in any way" seems to have been added after the screen shots in TFA were taken and I could not find any information on how they connect to the email services (i.e. via a cryptographically safe link or plain text via a Win98 proxy server in Nigeria)
:/- spoon(_).
After spending time and time again training our users not to give out passwords and other sensitive information, this feels like a smack in the face.
As this practice gets more common, people will lower their guards (if they had them in the first place) and become conditioned to give out their password to anyone who asks.
I can already hear them say "... but the website asked me for it... was that wrong?" *sigh*
"Extraordinary claims require extraordinary evidence" - Carl Sagan
What's interesting is that apparently some people are supplying this information to Flixster without a second thought, and perhaps under the impression that they're actually submitting it to AOL/Yahoo/whatever.
So the next question would be: if they had a similar page with the Bank Of America/Barclays/whatever logo, would people be just as happy to give their details for them?
Either way, it's scary. Scary that Flixster thinks this is an acceptable way to market themselves, scary that people are letting them.
If a girl gets raped when walking through a park alone at night, or after drinking something that a stranger gave her at a party well perhaps she was stupid. That does not let the rapist off the hook!
Engineering is the art of compromise.
This isn't new, it's done by almost every social network. As long as it doesn't automatically spam your entire address book it's a perfectly acceptable feature.
Name any marketing campaign ever done by any company & I bet at least one person here at Slashdot can come up with at least one thing deceptive about each of them.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
There is no way I would allow a company to use my name or email address to send email on my behalf. This is misrepresentation and is simply illegal. To put this in perspective, what do you think would happen if you sent an email in the name of George Bush to the FBI?
In this case it's certainly worth reading the Terms & Conditions - if that 'feature' isn't in there you ought to be able to sue the hell out of them.
Insert
What kind of idiot gives away their password anyways?
Got to be pretty fucking stupid.
Well, let's see: they access your email account without permission, without pre-agreement, and with a deceptive screen indicating it is used for YOU to send out invites to your friends on the next screen.
Phishing. It's no different from a phishing screen trying to get your account passwords by deception or any other phishing site.
Arrest them, make it the criminal matter that it is.
If I were an email-Provider, I'd do a captcha if a Flixster-IP is accessing the address book.
Yes, they shouldn't assume; but that's the way things normally work. Flickr asks for your Yahoo account, because they're associated, so this is the same thing? Wrong, of course.
But I think that this is a whole world of legal pain for Flixster. (Disclaimer, IANAL). For one thing, regardless of whether they think they have given "permission", what they are doing is probably against the Hotmail/AOL terms of service. That the account owners may have broken these by giving away the password does not entitle Flixster to access the accounts or exclude them from charges of unauthorised access.
And, as stated above, the use of logos may be considered misleading or indicative of some (nonexistent) endorsement, and if AOL/Hotmail can demonstrate that some users may have been given this impression (even simply by the lack of sufficient disclaimers on the same page), Flixster could be legally up to their necks in it.
Personally, I think they could be sued into oblivion.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
sms.ac did exactly the same thing, but didn't ask permission to email people. Whilst you'd think people would know better, even Joi Ito got caught by this; what's worse, they spammed before the signup process was complete. Joi immediately quit using the service and blogged a public apology, referring to sms.ac as spammers. Next thing you know they sent him a cease and desist demanding Joi stop calling them spammers.
I can't understand why this is a problem. You already trust these networking sites with pretty detailed information on your own preferences, tastes, friends, location etc., so your e-mail password is not much of an asset to them. Any abuse would obviously lead to people changing their passwords.
The feature is really useful, and presented properly it is not abusive at all. What it does is log in to your e-mail account and grab your address book. Then you are able to check off people you want to invite and send a premade invitation message. To the end user, the alternative is to manually type or copy-paste in all the e-mail addresses.
As far as I know, Flixster (and Facebook) have not abused the passwords they are given. When they do, make a case of it. If you don't want to give them your password, don't (or, if you need the feature, change the password after your address book has been downloaded). Don't force your paranoid, ineffective habits on the rest of us.
Roses are #FF0000, violets are #0000FF, all my base are belong to you
Google and other mainstream mail-service providers can put a stop to these messages pretty easily. Sending these messages violates several points in Gmail's Terms of Use and Program Policies. Specifically:
..." ... selling, exchanging or distributing to a third party the email addresses of any person without such person's knowing and continued consent to such disclosure ... Interfere with other Gmail users' enjoyment of the Service" [spam certainly interferes with my enjoyment of gmail].
-Section 2. Personal Use: "The Service is made available to you for your personal use only."
I see two violations here. First of all, they are giving the use of the service to someone other than themselves, violating the word "your". Secondly, they violate the word "personal" - this is clearly a business application.
-Section 3. Proper Use: "... Your use of the Service is subject to your acceptance of and compliance with the Agreement, including the Gmail Program Policies"
Violations of the program policies include:
- "Generate or facilitate unsolicited commercial email ("spam"). Such activity includes, but is not limited to
-Additionally in Section 3: You shall not "(i) use the Service to upload, transmit or otherwise distribute any content that is unlawful, defamatory, harassing, abusive, fraudulent, obscene, contains viruses, or is otherwise objectionable as reasonably determined by Google;" Again, I find spam harassing.
Given these violations, Google would be well within their rights to terminate the accounts (actually, according to the Terms of Use, they can do that whenever they feel like it, but let's assume they don't want to look too evil). Alternatively, they could send out notices that they will terminate any accounts that have been violated if they don't change their password in the next 10 days. Since so many people would lose, or face impending loss of, their email accounts, services such as Flixster would suddenly have to find a new business model.
While I didn't check, I would bet hotmail, yahoo mail etc. have similar terms of use.
Even if Flixster decided to keep being an ass and collect passwords anyways, that would just mean that people stupid enough to give out their passwords would no longer have email accounts. Either way, I see no loss. Get to it Google et al.
Okay, who tagged the article "yes"? Own up.
No kidding!!! What do you say at this point?
I suggest Google block Flixster's IPs from logging in to Gmail. That should keep away some of this spam. In general, preventing a single IP from logging in to a lot of accounts sounds like a decent security measure.
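The detection the comment above suggests, written out as an added example (not code from the thread or from any mail provider): a single source IP that logs in to many distinct accounts inside a short window is the footprint of a third-party site fetching address books with harvested passwords. The log format, the sample lines, the IP addresses and the thresholds are all constructed for this example.

```python
"""
Added example: flag source IPs that authenticate to many distinct
accounts within a sliding time window. Log format and sample lines are
constructed; a real provider would feed its own auth log through parse().
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> LOGIN_OK user=<name> ip=<addr>".
# 203.0.113.10 hits six accounts in ten seconds; 198.51.100.7 is one person
# on a normal day (alice twice, then grace from the same home connection).
SAMPLE_LOG = """\
2007-06-01T10:00:01 LOGIN_OK user=alice ip=203.0.113.10
2007-06-01T10:00:03 LOGIN_OK user=bob ip=203.0.113.10
2007-06-01T10:00:05 LOGIN_OK user=carol ip=203.0.113.10
2007-06-01T10:00:07 LOGIN_OK user=dave ip=203.0.113.10
2007-06-01T10:00:09 LOGIN_OK user=erin ip=203.0.113.10
2007-06-01T10:00:11 LOGIN_OK user=frank ip=203.0.113.10
2007-06-01T10:00:12 LOGIN_OK user=alice ip=198.51.100.7
2007-06-01T10:01:00 LOGIN_OK user=alice ip=198.51.100.7
2007-06-01T10:02:00 LOGIN_OK user=grace ip=198.51.100.7
2007-06-01T10:30:00 LOGIN_OK user=heidi ip=203.0.113.10
"""

LINE_RE = re.compile(r"^(\S+) LOGIN_OK user=(\S+) ip=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, user, ip) tuples; skip lines that
    do not match the expected format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_fanout_ips(events, window=timedelta(minutes=5), threshold=5):
    """Return {ip: max distinct accounts seen inside any `window`} for
    every IP whose maximum reaches `threshold`."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, evs in by_ip.items():
        best = 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({u for _, u in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_fanout_ips(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {count} distinct accounts within 5 minutes")
```

The threshold is the tuning knob: a corporate NAT or a campus proxy legitimately fronts hundreds of mailboxes, so in practice the count is compared against that IP's own baseline (or the IP is allow-listed) before anything is blocked, and a first response is a CAPTCHA or a step-up challenge rather than an outright ban.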
Your email certainly looks like astroturf, by the way. Which would fit right in with the kind of tactics used by a company that asks for user passwords to other networks.
But to give you the benefit of the doubt:
There is absolutely no reason, security or otherwise, for a user's password to be anywhere but between the user's ears or typed in to the one correct "password" box where it applies. Even the company who provides the password-protected service has no need of it, unless they have a severely damaged concept of security.
Asking for someone's password shows a flaming disregard for data security and the privacy of users. It's also an insult to the intelligence of the user. Morally, if you ask for a password, you accept the same responsibility of using that password as the original user. I doubt flixster (or any company) would willingly accept the terms of service that companies usually force on users.
The only reasons to ask for a user's passwords are:
1> To pretend to be that user, which is certain to be against the terms of service of ANY security-conscious provider;
2> To access that user's private data, which would not be password protected without reason.
This is about as severe a character flaw as an internet company could possibly have.
Also, email sent from a password protected account will stain your reputation. Especially if used in court against you. Even though it can easily be challenged, the judge and jury would probably still think hmmmmmmmmmmmmm.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
As a former network admin, I'd bet quite a large sum of money that in the majority of cases, the password the user chooses for the new site registration and the password they're using for email - probably the same email they gave for the signup! - are identical anyway.
.. wider adoption of OpenID could be part of the solution to this problem.
This is just asking permission. Nine out of ten times, they've already got the information.
Still don't like it. The real solution is for the mail providers to provide a secondary authentication measure to provide information from a user's account, like calendar or address book info, without giving away their password.
Let my new 7-digit UID be a lesson to all - write down your passwords.
Flixster is asking for the user's password to *other* networks, not to its own. Whether a user chooses the same password in more than one app is irrelevant. No honest reputable business would ask for your password to some other company's services.
This is just asking permission. Nine out of ten times, they've already got the information.
NO, they don't have the info - that's why they're asking for it. They put up a display that borders on phishing (some would say it IS phishing), without explaining what they're going to do while pretending to be you.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
I care,
I care because it's unwanted behavior.
I care because it's private information.
I care because some of the sites others mention here as also doing this, I have signed up to, and I didn't know they were doing this.
I care. I care enough to wonder how I can get a CEO prosecuted.
"everyone does it and it's no big deal"
No, only a few are doing this and think they've got away with it because nobody noticed.
This is another case where we have to protect the stupid from their own actions.
Or educate them. Rapidly.
I saw this recently at Google Video.
You click the 'add to myspace' button and google video asks for your myspace username and password so that it can login and add the video.
I lol'd pretty hard at the idea that people would actually do that. But I see it is pretty common.
Who needs security when nobody actually cares enough about their data to protect it.
I'm imagining a future of malware infested web applications. fun fun fun!!!
...and that is all I have to say about that.
http://jessta.id.au
Apparently, the user has to manually select the addresses that will be spammed ("invited"), and click a button.
This is by far not as bad as what wayn.com does (or at least used to do). They were just sending out their spam through your account without your knowledge. See "WAYN - Where Are You Now? Warning" or Wayn.com : phishing alert, ne vous faites pas couillonner ! (the last one in French). (found these at the end of a French blog post about other deceptive practices of Wayn.com)
No, it sends an email to everyone in your address list just like WAYN.
Enough already, they should prosecute one of them.
Sorry MR RIAA lawyer... I didn't download the mp3's.... try Flixster they use my account too...
Cruise TT
I received an MSN message from a friend inviting me to see who had banned me from their MSN listing. I only had to log on to the site (http://www.get-messenger.com/) and give them my MSN name and password (also for Passport!)
My friend and apparently many others had done so. How do we close down crooks like this?
If you look at any of the major social networking sites you will see that they all do this (Friendster, Hi5, Facebook). The funny thing is that most aren't even using SSL to submit your credentials!
So be smart and don't use the same password for your email and for accounts to random web sites.
If you have to re-use passwords, at the very least do something like having half a dozen passwords, one for each category. One for your email, one for web forums, one for work, one for the home computer (but use a firewall anyway), one for PayPal/Ebay/whatever, one for MMOs or whatever. Ok, maybe you don't like having 100 passwords, but you _can_ remember 5-6 passwords, right?
That way if one is compromised, basically the only access they get is within the same category. If someone gets your Slashdot password, they can at most then spam some other forum in your name. Maybe do some spam link. That's not even in the same class as having full access to your email and your address book and the password to your Ebay or PayPal accounts.
For best results, also consider having a different user name for each. E.g., I hope your PayPal account isn't under the username MichaelSmith.
The problem is that if your email is breached, not only can they read your email and spam your friends, they can also use that as a beachhead to get even more stuff. E.g., even if you didn't use the same password on, say, Paypal or Ebay, as long as they have your username and can read your email, it's trivial to just go to PayPal or Ebay and do a "I forgot my password" in your name. Congrats, now there's nothing to stop them from transferring your PayPal money to an account in East Bumfuckistan or from running some scam in your name on Ebay.
So basically please _be_ paranoid about these things. It's not just a case of "bah, all they can do is spam my friends a little" or "bah, none of my emails are secret anyway", as some people seem to assume. Email is used in so many aspects every day, or can be used without raising any alarm flags on the recipients' side, that losing control of it can be pretty much _the_ one most important step you could take towards getting your identity stolen. Do be careful.
A polar bear is a cartesian bear after a coordinate transform.
When I clicked on the link, I got a picture of a Monkey with the comment "We can't believe you clicked this"! That pretty much sealed the deal for me. :D
In addition to the scary (but in my case ignored) feature of asking for your email password and spamming your friends they also automatically add friends to your friends list to make it seem like you are more active and connected than you actually are. I was invited by one friend and within a week or so received 5 emails that so-and-so has accepted your friend request. Crazy thing is, I hadn't been back onto the service since I initially checked it out, and had NEVER invited any friends. I didn't know the people who'd "accepted" my invitation.
They're a scam.
Who in their right mind provides that information? Seriously, is it just me or is the general public getting stupider? No way am I providing my passwords to anyone, let alone some website.
"Growing old is inevitable; growing up is optional."
* Much lower here on
I logged into Google Video today and the feature you describe doesn't seem to exist anymore. Unlike Flixster, Google has a deal with News Corp to provide search features and targeted ads for Myspace. Google's logos are plastered all over Myspace to the point where it almost looks like the site IS Google from time to time. So, the concept that you could crosspost seems almost sane.
Hell, Blogger (which is google) has a "feature" that will let the service p0wn your FTP server by posting directly to the server. This sort of behaviour isn't new and I'm surprised Flixster gets tagged as horrible and evil for doing something everyone is already doing.
I hate to admit it but I fell for the FTP one and used the service for a good six months until it dawned on me what I had done. I immediately cancelled my shell account and moved my blog to blogspot. Sometimes even people who understand the security implications can get tripped up. This doesn't excuse the now absent behaviour of posting videos within your account but at least the idea seems somewhat understandable. Plus, Google has a history of doing these sorts of things in the interest of "interoperability."
Yeah, right... interoperability. I'll keep telling myself that. Maybe it will make it true.
Who uses address books anyway? I find the only contacts I put in address books are those for people I will rarely if ever contact again or, say, business contacts, and neither of those two categories include people to whom it would be appropriate to send such flippant spam. Is it so hard to remember someone's email address or perhaps look up a previous message sent from them -- assuming they're not a thoughtless clod with some inane string of random letters and numbers -- if they are really worth exchanging your correspondence? Reminds me of how people can't remember a simple 7-digit phone number anymore, preferring rather to pitch it into their cells and forget about it -- c'mon it's 7 fucking digits, with at most a fairly common 3-digit area code on top. I understand the convenience of an address book, but that doesn't really seem to outweigh the big potential these damn things have for being a big online bomb scattering viri and/or untargeted advertising. This is just one more example and shouldn't we start holding people socially responsible for this garbage? Should be bad manners to get spam from someone because they were careless with their contacts. Then again the "viral" campaigns only work on the blockhead demographic anyway, just be sure you don't wind up in their address books.
Just use a throwaway email account and fill that account's address book with everybody's email addresses that you hate.
To put this in perspective, what do you think would happen if you sent an email in the name of George Bush to the FBI?
Erm, if George Bush himself logged onto a website, and clicked a button saying "Please send an email to the FBI", then yes I think that would be legal.
I'm not saying this "feature" is a good idea - it's not. But keep things in perspective - this is not misrepresentation.
Facebook does this.
:-)
Myspace does this.
WAYN does this.
It's the new way to "invite" your friends to the great new service.
I mean if you're gonna post it here at least inform people that it's practically every social networking site out there, it's not just Flixster.
And whatever the sites may SAY they are, they're still at their core just another way for people who have no lives to interact with other people who have no lives. Some of the sites just simply have content that appeals to the masses, like Youtube.
Just my $0.02
- Alex
One exception is Virgin Mobile (USA), for which the password (they call it vkey) to log onto your account on the Virgin site has always been asked for by the Live Adviser when you call customer service.
Well, there is that, but then it's also a gold mine for phishers, spyware, you name it. Telling someone to just download any password manager and be done with it is probably the most unsafe advice I can think of giving anyone. You give all your passwords to a piece of software, and... have no clue what happens from there. You damn better trust the makers of that software more than you trust your mom, because you just gave them pretty much unrestricted access to your money, data, identity. And trust that when the company is taken over or changes management, the next update doesn't _then_ transmit all your data to them.
Plus, even if the company doesn't stoop _that_ low, you just became dependent on that one piece of software. If they start misbehaving, how much advertising and spying are you going to have to tolerate when the alternative is losing access to every single web site you ever used? See Claria/Gator and users being reluctant to uninstall their crap even when told it's spyware.
Sure, you could do a bit of research and whatnot, and you probably did yours, but I'm reluctant to push that kind of advice upon someone who, honestly, I have no idea if they do theirs. Plus, it's asking someone to trust a third party blindly. Even if I'd trust some company X _that_ much, I can't ask anyone to do the same.
A polar bear is a cartesian bear after a coordinate transform.
With a name like 'spammeister' I'm sure you're an honest, reliable gentleman. However, I'm not stupid enough to post my password on a public forum! Just email me your physical address at kill.all.spammers@gmail.com (or post it here) and I'll send you my password via 'snail mail'. It will come in a special, unmarked package with no return address, so make sure that you open it when you get it!
You are reading a copy of my copyrighted post.
You should use it first. I'm still getting this spam and the friend who signed up for Flixster is *still* apologizing. See, she had no idea it was going to gain access to her entire address book. She certainly didn't click 100+ OK's or pick any addresses (from what she says).
Even if it says so somewhere in the fine print, the fact that she provided her login information, allowing this worm to hijack her address book, says a lot about what's deceptive. Not everyone is a paranoid system admin or computer savvy. These companies prey on regular people and seem to think that it's okay.
Quack, quack.
I noticed that Flickster or whatever also scans your sent items and any email addresses that have been cached. I was very dismayed to find out that some business contacts of mine were sent these invites after a friend sent me an invite. This is out and out bad.
My friend was foolish enough to supply his username and password (it's arguable that it's possibly his fault for doing so, but it was my understanding he had been drinking ;-) At any rate he was just under the impression that he was importing his address book. Unfortunately the gmail address he supplied flixster with was used for corresponding with all of his business and university contacts.
For weeks following this he was constantly being angrily confronted by the same "Can you stop sending me those invites?!". I was one of those that received these unwanted viral marketing turdlettes, so I spent a little time doing some simple digging (yes, just information you can find on the net).
If this has happened to you, you can contact them directly:
Flixster, Inc.
208 Utah St
San Francisco, CA
94103
The owner:
Joe Greenstein
1730 Jackson ST. #106
San Francisco, CA 94109
(Again, all of this information came from public sources)
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
Total FUD.
Facebook asks you for your email password so that they can DOWNLOAD THE ADDRESS BOOK so you can find people in it who ARE ALREADY FACEBOOK MEMBERS.
As well, you have to AUTHORIZE THEM to add the people via checking them off. Absolutely no messages are sent to anyone unless you specifically approve each and every person.
They are very upfront about what they are doing and why they are asking for your passwords. IMO it's a great service, it saved me hours of hunting down people in there when I first signed up; I knew instantly who was and was not a facebook member that I knew.
Also, when you sign up for facebook you KNOW you are going to get email requests for friends' approval, that is the whole point of the friggin site, to network. If you don't want any emails from people then don't sign up to these sites. And tell your friends you don't want them to send you the invites.
Simple. If you really have a problem you should talk to your friends, not the sites. All emails are coming from them.
More people should read this response.
Blerg.
(reposted from theinternetpatrol.com's comment section)
The flixter guy mentions Plaxo in his comment -- I hate those guys too.
Basically we need to really shine a spotlight on all these kinds of operations like Plaxo and Flixter -- we need to raise public awareness that all these "social networking"-type sites do is offer you a product/service which doesn't do much for you, and in exchange you not only forfeit your own privacy, but the privacy of everyone on your contact list! These companies should be ashamed of themselves, really.
And honestly, how hard is it to keep in contact with your friends and let them know what stupid movies you are watching these days? Is that worth giving up even one iota of privacy? Give me a break.
Regards;
--booj
Hi all,
I am one of the co-founders of Flixster - a friend pointed me to this discussion. I would like to clarify a few things:
1. We DO offer the ability for users to select friends from their hotmail/yahoo/etc address books. This is a very common practice on social sites like ours - LinkedIn/Yelp/Facebook/MySpace/StumbleUpon/etc all do exactly the same thing. It's an optional convenience feature for users and we are not deceptive or misleading about it in any way.
2. We do NOT store anyone's username/pwd info in any way. We use it one-time only to retrieve their contacts as they go through the invitation process and that is it.
3. We NEVER send invitations without the user's consent. For users that access their address books, the next screen is always just a list of their contacts and they get to select whom to invite.
4. We are a small company and we take our users' privacy very seriously. Needless to say I am disappointed that we somehow became the example site around which to have this discussion - although it is actually a good discussion to have. The world would be a safer place for users if all of these social platforms (MySpace counts too - tons of sites ask for MySpace passwords to auto-post widgets onto your page - it's the same thing) had secure APIs which would allow reputable companies to integrate with them in ways that were still user friendly. We and many others would welcome this - it's just not there yet.
If you have questions about Flixster or further thoughts on this in general - feel free to drop me a note via the link above.
Sincerely,
Joe G
Flixster Co-founder
Myspace has BEEN DOING this, like, since they started. In fact, a myspace competitor could legally do this.
P2P Anonymous Distributed Web Search: http://www.yacy.net/
At the risk of being a mother hen, I must say that in this day and age all computer users should know better than to give their passwords to ANYONE.
:/ ...Class dismissed.
So why would a user trust any website that asks for their password? Really, nobody should trust any one or anything that requires your password in order to participate. Why, you ask??
Because it goes against the one universal law of computing -- 'Don't give anyone your password!'
The folks who succumb to mischief as a result of this really need to attend computing 101 or something because even my 7 year old knows this rule.
I am open source, and Linux baby!
This same tactic is employed by phisher sites, so intelligent users should see those prompts for logins and flee in the opposite direction. Some browsers may even pick up on these fields and put up an alert to be wary.
Of course, that's not how the general public reacts (yet), but the earmarks should set off the alarms for many.
Laughter is the Spackle of the Soul.
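The comment above notes that a browser could spot a login prompt that asks for another provider's password. As an added illustration (not code from Flixster, any browser, or anyone in this thread), here is a small heuristic in Python: it scans a page's forms for a password field whose surrounding text or logo names a webmail provider, and flags the form when the page is not served from that provider's own domain. The provider table, the domain list and the sample HTML are constructed for the example.

```python
"""Heuristic: flag login forms that ask for a third party's password.

Added example, not Flixster's or any browser's code. PROVIDERS and
SAMPLE_HTML are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand keywords mapped to the domains that legitimately own those logins (assumed list).
PROVIDERS = {
    "gmail": {"google.com", "gmail.com"},
    "yahoo": {"yahoo.com"},
    "hotmail": {"hotmail.com", "live.com", "msn.com"},
    "aol": {"aol.com"},
}


class _FormScanner(HTMLParser):
    """Collects, per <form>, whether it has a password field plus visible text/logo hints."""

    def __init__(self):
        super().__init__()
        self.forms = []   # list of {"password": bool, "hints": str}
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"password": False, "hints": ""}
            self.forms.append(self._cur)
        if self._cur is None:
            return
        if tag == "input" and a.get("type", "").lower() == "password":
            self._cur["password"] = True
        if tag == "img":
            # Logo file names and alt text are the strongest brand hint on such pages.
            self._cur["hints"] += " " + (a.get("alt", "") + " " + a.get("src", "")).lower()

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["hints"] += " " + data.lower()

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (sufficient for the providers listed above)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_third_party_password_prompts(page_url, html):
    """Return the sorted list of provider brands whose password a form requests
    on a page that is not served from that provider's own domain."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_domain = registrable_domain(urlsplit(page_url).hostname or "")
    flagged = set()
    for form in scanner.forms:
        if not form["password"]:
            continue
        for brand, domains in PROVIDERS.items():
            if brand in form["hints"] and page_domain not in domains:
                flagged.add(brand)
    return sorted(flagged)


# Constructed sample: a social site's "find friends" page showing a webmail logo
# next to a password box, the pattern the thread describes.
SAMPLE_HTML = """
<html><body>
<form action="/import" method="post">
  <img src="/img/logos/gmail.png" alt="Gmail">
  <label>Gmail address <input type="text" name="email"></label>
  <label>Gmail password <input type="password" name="pw"></label>
</form>
<form action="/login" method="post">
  <label>Site password <input type="password" name="p"></label>
</form>
</body></html>
"""

if __name__ == "__main__":
    print(find_third_party_password_prompts("http://social.example/invite", SAMPLE_HTML))
    # → ['gmail']
    print(find_third_party_password_prompts("https://mail.google.com/", SAMPLE_HTML))
    # → []
```

The second form (the site's own login) is not flagged because no provider brand appears near it; the same page served from a provider's own domain is also left alone. A real browser heuristic would need a proper public-suffix list and a much larger brand table, but the mismatch between "whose logo is shown" and "who serves the page" is the signal.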
> 1. We DO offer the ability for users to select friends from their hotmail/yahoo/etc address books. This is a very common practice on social sites like ours - LinkedIn/Yelp/Facebook/MySpace/StumbleUpon/etc all do exactly the same thing. Its an optional convenience feature for users and we are not deceptive or misleading about it in any way.
It's one thing to do that, it's another thing in terms of HOW you do that. This is a BAD idea. Period.
> 2. We do NOT store anyone's username/pwd info in any way. We use it one-time only to retrieve their contacts as they go through the invitation process and that is it.
Right, but we have no way of knowing that. I'll give you the benefit of the doubt, but realize this: a password is a secret and it's supposed to remain one. Secrets that you tell other people aren't really secrets any more, are they? What happens when you get hacked and suddenly people get their email accounts stolen (a 'when' not an 'if' now that this is so public; and no, I do not buy the notion that your security is that perfect, not if you're doing things like this)?
Also, what of the broader harm in getting users used to "harmlessly" giving out their passwords to third parties? I can't think of anything worse, except maybe UAC in Vista (which trains users to mindlessly click "Accept").
> 4. We are a small company and we take our users privacy very seriously.
If you did, you wouldn't train them in horrible security practices. What if it's an attorney or someone with important emails who gets hacked because of you?
If you want to do this, let them copy/paste the emails and YOU can send the invitations on their behalf. Now, can you see why this is a terrible idea, even if others are doing it? I don't care who else does it, doing this is a BAD IDEA, period. Moreover, doing it this way only creates perverse incentives--why should they bother doing it now when you already found a (bad) way to do it?
Or will it take a high profile security breach to convince you? Just give it some time. And don't forget that you have to notify all your California users per Californian law. There won't be any hiding it, anyhow.
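The reply above suggests the credential-free alternative: let the user paste addresses and have the site send the invitations itself. As an added example (not Flixster's code, nor the commenter's), this Python sketch parses pasted text into de-duplicated addresses, sends only to addresses the user explicitly ticked, and builds each message with the site's own mailbox in the From header so no one is impersonated; the sender address, site name and sample paste are constructed.

```python
"""Credential-free invitations: user pastes addresses, the site sends from its own domain.

Added example of the design suggested in the reply above, not Flixster's code.
SITE_SENDER, the site name and the sample paste are constructed."""
import re
from email.message import EmailMessage

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SITE_SENDER = "invites@social.example"   # assumed: the site's mailbox, never the user's


def parse_pasted_addresses(text):
    """Extract, lower-case and de-duplicate addresses from free-form pasted text."""
    seen, out = set(), []
    for addr in ADDRESS_RE.findall(text):
        key = addr.lower()
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def build_invitations(inviter_name, inviter_email, pasted, approved):
    """Build one EmailMessage per pasted address that the inviter explicitly approved.

    From is the site's own mailbox, so recipients see the site, not the inviter,
    as the sender; the inviter is named in the body only. Reply-To points at the
    inviter so replies still reach a human. Pasted addresses that were not ticked
    are dropped, which is what "never send without consent" has to mean in code.
    """
    candidates = parse_pasted_addresses(pasted)
    approved = {a.lower() for a in approved}
    messages = []
    for to in candidates:
        if to not in approved:
            continue
        msg = EmailMessage()
        msg["From"] = SITE_SENDER
        msg["To"] = to
        msg["Reply-To"] = inviter_email
        msg["Subject"] = f"{inviter_name} invited you to social.example"
        msg.set_content(
            f"{inviter_name} ({inviter_email}) entered your address on social.example "
            "to invite you. This message was sent by social.example, not by your "
            "contact, and social.example has no access to their mailbox."
        )
        messages.append(msg)
    return messages


if __name__ == "__main__":
    # Constructed paste: a duplicate, mixed case, a display name, and a non-address.
    pasted = "alice@example.org, Bob <BOB@example.net>\nalice@example.org bogus@nowhere"
    print(parse_pasted_addresses(pasted))
    # → ['alice@example.org', 'bob@example.net']
    for m in build_invitations("Alice", "alice@example.org", pasted, ["bob@example.net"]):
        print(m["From"], "->", m["To"])
    # → invites@social.example -> bob@example.net
```

Nothing here touches the user's mail account, so there is no credential to store, leak or be phished for, and the headers make the origin of the mail honest, which also answers the later point in the thread about endorsements appearing to come from the user.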
Microsoft Cardspace is in Internet Explorer 7, and it does something similar to what you're talking about except that it adds several more layers of trust and security assertions before releasing the stored credentials. It's a high-powered form filler that does some background checking.
Flixster's gonna get sued for trademark violation, using the ISP logos the way they do. I can't imagine an email provider who says "we'll never ask for your password over the phone" being OK with this use of their trademark.
Spammers get colocation hosting and bandwidth/connectivity. There is absolutely no way one or two people buying $50 drugs is going to cover the costs.
What makes you think people peddling male enhancement pills or obscure stock by email are so ethical that they actually pay for bandwidth they can steal for free?
paintball
If Dubya had an AOL account (which wouldn't surprise me, but I digress) and some company started to use his address book and send email pretending they originate from him I think there would be a certain lack of enthusiasm by Dubya.
The crux is not that your address book gets abused - sure, it happens and if you don't want that don't put it on a public service. What I question is the sending of email endorsements as if they originate from a specific user (i.e. alleging the user endorses the service). That would abuse my personal reputation (if I had one) for their gain, without my permission.
.... I want to tell you that you are a complete moron.
Have a good day.
IANAL but write like a drunk one.
I originally understood from the article that they did indeed do so without your permission.
:-).
Otherwise it's just 'helping' you which I don't have a problem with (it's my choice to use that, after all).
However, a clarification has since been posted which makes it clear that your permission is indeed required, in which case I couldn't care less.
I guess I've been a bit trigger happy because we had something like this happening to us a while back, but with much more serious consequences (think 5 figure sums fraud) and I'm still amazed that things can happen on the basis of unauthenticated, unverified and non-signed emails. Sure, it was possible to roll it back because there was no way an email constituted a valid contract, but the hassle such stupidity causes is beyond belief.
Having said that, I personally witnessed negotiations for the purchase of 3 companies take place over email. To the tune of $150 million.
[shakes head in disbelief]