Is Flixster Using Deceptive Viral Practices?
Talaria writes "The social networking movie review site Flixster is requesting their users' AOL, Gmail, Yahoo and Hotmail passwords, and then using them to access users' address books and send 'invitations' to join Flixster, making them appear to come from the user. The password prompt screen includes the ISP's logo right next to the password prompt. Rather than hiding this little 'feature,' Flixster brags about it in an interview after receiving $2 million in venture funding earlier this year." American Venture Magazine notes: "...such practices are becoming increasingly... common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget."
Facebook does the same. They ask for your e-mail address and e-mail address password, then spam your contact list. I can't believe people will give them their password, but some actually do. Preposterous!
They can pry it only from my cold unresisting hands. If any site asked for it, not only would I not give it, but I would write a nasty letter telling them to shove their request so high up the ass that it would be possible to see it when they open their mouths.
There is no way of telling if the password used is provided to a third party without consent or if the site is hacked. Be careful with your personal data, and keep your login to yourself as much as possible.
If you create a site with interactive content, think twice about whether you really need your visitors to log in to request the content.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Most people try and keep their passwords and usernames to a small number, so they use the same password and username for several different sites... so a nasty trick could be to try using the password for Flixster against the same username for a different account, say Google Mail or MySpace...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
If you look at the lousy screen shots it is painfully obvious they are being up front and quite clear what they intend to do and how to skip the invitation process.
I'm not saying I'm a fan of their scheme, but it's not like they're scamming anyone. You even get to select who you want to invite.
I guess some people feel they have to produce content, even if they have to dress a non-story up in inflammatory language and ignore the facts of the situation. Gotta drive those Adsense impressions.
Platform advocacy is like choosing a favorite severely developmentally disabled child.
I can literally hear the devs arguing this idea is insane, but their boss insisting on it being implemented.
And so it came to be. It's crazy not just because it's deceptive, but because it's a security nightmare. If you give your passwords to random sites even for the nicest purposes (which isn't even the case here) it's guaranteed they'll be leaked, and your accounts abused.
What's next: signing a warrant of attorney to the great Flixster so they could send your buddies free gifts, funded by your bank accounts and credit cards? It's definitely in the same line of thought as this preposterous scheme here.
That's pretty tragic when you can't figure out how to create a tinyurl for goatse, mate.
The page in question is formatted to resemble a login gateway page of the various providers (think Microsoft Passport and the like) using the domain part of your email address to decide which provider login to display. Even though I consider myself quite knowledgeable when it comes to security related issues and have done security consulting for various companies, I *might* have fallen for this since it admittedly lowered my suspicions. I doubt Joe Sixpack or even many above-average users would have questioned the purpose of this form.
Worth noting is their elaborate privacy policy and the cute picture of a monkey in their terms of service. Also, the footnote "Flixster does not store this information in any way" seems to have been added after the screen shots in TFA were taken, and I could not find any information on how they connect to the email services (i.e. via a cryptographically safe link or plain text via a Win98 proxy server in Nigeria).
:/- spoon(_).
After spending time and again to train our users not to give out passwords and other sensitive information, this feels like a smack in the face.
As this practice gets more common, people will lower their guards (if they had them in the first place) and become conditioned to give out their password to anyone who asks.
I can already hear them say "... but the website asked me for it... was that wrong?" *sigh*
"Extraordinary claims require extraordinary evidence" - Carl Sagan
This isn't new, it's done by almost every social network. As long as it doesn't automatically spam your entire address book it's a perfectly acceptable feature.
Name any marketing campaign ever done by any company & I bet at least one person here at Slashdot can come up with at least one thing deceptive about each of them.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
sms.ac did exactly the same thing, but didn't ask permission to email people. Whilst you'd think people would know better, even Joi Ito got caught by this; what's worse is they spammed before the signup process was complete. Joi immediately quit using the service and blogged a public apology, referring to sms.ac as spammers. Next thing you know they sent him a cease and desist demanding Joi stop calling them spammers.
Google and other mainstream mail-service providers can put a stop to these messages pretty easily. Sending these messages violates several points in Gmail's Terms of Use and Program Policies. Specifically:
"... selling, exchanging or distributing to a third party the email addresses of any person without such person's knowing and continued consent to such disclosure ... Interfere with other Gmail users' enjoyment of the Service" [spam certainly interferes with my enjoyment of Gmail].
-Section 2. Personal Use: "The Service is made available to you for your personal use only."
I see two violations here. First of all, they are giving the use of the service to someone other than themselves, violating the word "your". Secondly, they violate the word "personal": this is clearly a business application.
-Section 3. Proper Use: "... Your use of the Service is subject to your acceptance of and compliance with the Agreement, including the Gmail Program Policies ..."
Violations of the program policies include:
- "Generate or facilitate unsolicited commercial email ("spam"). Such activity includes, but is not limited to ..."
-Additionally in Section 3: You shall not "(i) use the Service to upload, transmit or otherwise distribute any content that is unlawful, defamatory, harassing, abusive, fraudulent, obscene, contains viruses, or is otherwise objectionable as reasonably determined by Google;" Again, I find spam harassing.
Given these violations, Google would be well within their rights to terminate the accounts (actually, according to the Terms of Use, they can do that whenever they feel like it, but let's assume they don't want to look too evil). Alternatively, they could send out notices that they will terminate any accounts that have been violated if they don't change their password in the next 10 days. Since so many people would lose, or face impending loss of, their email accounts, services such as Flixster would suddenly have to find a new business model.
While I didn't check, I would bet hotmail, yahoo mail etc. have similar terms of use.
Even if Flixster decided to keep being an ass and collect passwords anyways, that would just mean that people stupid enough to give out their passwords would no longer have email accounts. Either way, I see no loss. Get to it Google et al.
I suggest Google block Flixster's IPs from logging in to Gmail. That should keep away some of this spam. In general, preventing a single IP from logging in to a lot of accounts sounds like a decent security measure.
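An added example of the check suggested above, written for this thread and not taken from any commenter or from Flixster: it parses a few constructed mail-login log lines and flags a source IP that successfully authenticates to many distinct accounts inside a short window, which is the footprint a mail provider would see from a site logging in with user-supplied passwords. The log format, IP addresses, window and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log lines (not real provider data).
SAMPLE_LOG = """\
2007-03-11T10:00:01 LOGIN user=alice@example.test src=203.0.113.7 result=ok
2007-03-11T10:00:04 LOGIN user=bob@example.test src=203.0.113.7 result=ok
2007-03-11T10:00:09 LOGIN user=carol@example.test src=203.0.113.7 result=ok
2007-03-11T10:00:15 LOGIN user=dave@example.test src=203.0.113.7 result=ok
2007-03-11T10:00:21 LOGIN user=erin@example.test src=203.0.113.7 result=ok
2007-03-11T10:05:00 LOGIN user=frank@example.test src=198.51.100.9 result=ok
2007-03-11T10:06:00 LOGIN user=frank@example.test src=198.51.100.9 result=ok
2007-03-11T13:00:00 LOGIN user=grace@example.test src=203.0.113.7 result=ok
"""

# Assumed line layout: ISO timestamp, literal LOGIN, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_lines(text):
    """Turn log text into (timestamp, account, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that do not match the assumed format
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return events


def flag_sources(events, window=timedelta(minutes=10), max_accounts=3):
    """Return {source_ip: set_of_accounts} for every source IP that logs in
    successfully to more than max_accounts distinct accounts within any
    sliding window. One user logging in repeatedly from one IP is not flagged;
    one IP churning through many mailboxes is."""
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result == "ok":
            by_src[src].append((ts, user))
    flagged = {}
    for src, logins in by_src.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            while logins[end][0] - logins[start][0] > window:
                start += 1  # slide the window forward past old logins
            accounts = {user for _, user in logins[start:end + 1]}
            if len(accounts) > max_accounts:
                flagged.setdefault(src, set()).update(accounts)
    return flagged
```

In a real deployment the flagged IPs would feed a rate limit or a block list rather than being printed, and the threshold would be tuned so that shared NAT gateways are not caught.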
Your email certainly looks like astroturf, by the way. Which would fit right in with the kind of tactics used by a company that asks for user passwords to other networks.
But to give you the benefit of the doubt:
There is absolutely no reason, security or otherwise, for a user's password to be anywhere but between the user's ears or typed in to the one correct "password" box where it applies. Even the company who provides the password-protected service has no need of it, unless they have a severely damaged concept of security.
Asking for someone's password shows a flaming disregard for data security and the privacy of users. It's also an insult to the intelligence of the user. Morally, if you ask for a password, you accept the same responsibility of using that password as the original user. I doubt flixster (or any company) would willingly accept the terms of service that companies usually force on users.
The only reasons to ask for a user's passwords are:
1> To pretend to be that user, which is certain to be against the terms of service of ANY security-conscious provider;
2> To access that user's private data, which would not be password protected without reason.
This is about as severe a character flaw as an internet company could possibly have.
Also, email sent from a password protected account will stain your reputation. Especially if used in court against you. Even though it can easily be challenged, the judge and jury would probably still think hmmmmmmmmmmmmm.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
As a former network admin, I'd bet quite a large sum of money that in the majority of cases, the password the user chooses for the new site registration and the password they're using for email (probably the same email they gave for the signup!) are identical anyway.
Wider adoption of OpenID could be part of the solution to this problem.
This is just asking permission. Nine out of ten times, they've already got the information.
Still don't like it. The real solution is for the mail providers to provide a secondary authentication measure to provide information from a user's account, like calendar or address book info, without giving away their password.
Let my new 7-digit UID be a lesson to all - write down your passwords.
If a girl gets raped when walking through a park alone at night, or after drinking something that a stranger gave her at a party well perhaps she was stupid. That does not let the rapist off the hook!
Sooo... if I ask you for your password and you give it to me... I'm to blame? Like I go, "Hi, I need your e-mail address and password so I can access your address book and send e-mails in your name," and you say, "Sure, sounds good to me." Some people are just too stupid. They're impossible to protect. They're the people that make it necessary to have three pages of warnings on a knife, that need to be told that a hammer should not be used to smash insects on somebody's head. It's the people that smoke themselves to death... They are the people so stupid that no one has the imagination to even come up with the necessary laws to protect them, and you just have to look at them as an example of Darwin's theory of natural selection.
Apparently, the user has to manually select the addresses that will be spammed ("invited"), and click a button.
This is by far not as bad as what wayn.com does (or at least used to do). They were just sending out their spam through your account without your knowledge. See "WAYN - Where Are You Now? Warning" or Wayn.com : phishing alert, ne vous faites pas couillonner ! (the last one in French). (found these at the end of a French blog post about other deceptive practices of Wayn.com)
I received an MSN message from a friend inviting me to see who had banned me from their MSN listing. I only had to log on to the site (http://www.get-messenger.com/) and give them my MSN name and password (also for Passport!)
My friend and apparently many others had done so. How do we close down crooks like this?
So be smart and don't use the same password for your email and for accounts to random web sites.
If you have to re-use passwords, at the very least do something like having half a dozen passwords, one for each category. One for your email, one for web forums, one for work, one for the home computer (but use a firewall anyway), one for PayPal/Ebay/whatever, one for MMOs or whatever. Ok, maybe you don't like having 100 passwords, but you _can_ remember 5-6 passwords, right?
That way if one is compromised, basically the only access they get is within the same category. If someone gets your Slashdot password, they can at most then spam some other forum in your name. Maybe do some spam link. That's not even in the same class as having full access to your email and your address book and the password to your Ebay or PayPal accounts.
For best results, also consider having a different user name for each. E.g., I hope your PayPal account isn't under the username MichaelSmith.
The problem is that if your email is breached, not only can they read your email and spam your friends, they can also use that as a beachhead to get even more stuff. E.g., even if you didn't use the same password on, say, Paypal or Ebay, as long as they have your username and can read your email, it's trivial to just go to PayPal or Ebay and do a "I forgot my password" in your name. Congrats, now there's nothing to stop them from transferring your PayPal money to an account in East Bumfuckistan or from running some scam in your name on Ebay.
So basically please _be_ paranoid about these things. It's not just a case of "bah, all they can do is spam my friends a little" or "bah, none of my emails are secret anyway", as some people seem to assume. Email is used in so many aspects every day, or can be used without raising any alarm flags on the recipients' side, that losing control of it can be pretty much _the_ one most important step you could take towards getting your identity stolen. Do be careful.
A polar bear is a cartesian bear after a coordinate transform.
When I clicked on the link, I got a picture of a Monkey with the comment "We can't believe you clicked this"! That pretty much sealed the deal for me. :D
I logged into Google Video today and the feature you describe doesn't seem to exist anymore. Unlike Flixster, Google has a deal with News Corp to provide search features and targeted ads for Myspace. Google's logos are plastered all over Myspace to the point where it almost looks like the site IS Google from time to time. So, the concept that you could crosspost seems almost sane.
Hell, Blogger (which is google) has a "feature" that will let the service p0wn your FTP server by posting directly to the server. This sort of behaviour isn't new and I'm surprised Flixster gets tagged as horrible and evil for doing something everyone is already doing.
I hate to admit it but I fell for the FTP one and used the service for a good six months until it dawned on me what I had done. I immediately cancelled my shell account and moved my blog to blogspot. Sometimes even people who understand the security implications can get tripped up. This doesn't excuse the now absent behaviour of posting videos within your account but at least the idea seems somewhat understandable. Plus, Google has a history of doing these sort of things in the interest of "interoperability."
Yeah, right... interoperability. I'll keep telling myself that. Maybe it will make it true.
Hi all,
I am one of the co-founders of flixster - a friend pointed me to this discussion. I would like to clarify a few things:
1. We DO offer the ability for users to select friends from their hotmail/yahoo/etc address books. This is a very common practice on social sites like ours - LinkedIn/Yelp/Facebook/MySpace/StumbleUpon/etc all do exactly the same thing. It's an optional convenience feature for users and we are not deceptive or misleading about it in any way.
2. We do NOT store anyone's username/pwd info in any way. We use it one-time only to retrieve their contacts as they go through the invitation process and that is it.
3. We NEVER send invitations without the user's consent. For users that access their address books, the next screen is always just a list of their contacts and they get to select whom to invite.
4. We are a small company and we take our users' privacy very seriously. Needless to say I am disappointed that we somehow became the example site around which to have this discussion - although it is actually a good discussion to have. The world would be a safer place for users if all of these social platforms (MySpace counts too - tons of sites ask for MySpace passwords to auto-post widgets onto your page - it's the same thing) had secure APIs which would allow reputable companies to integrate with them in ways that were still user friendly. We and many others would welcome this - it's just not there yet.
If you have questions about flixster or further thoughts on this in general - feel free to drop me a note via the link above.
Sincerely,
Joe G
Flixster Co-founder