Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Flixster Using Deceptive Viral Practices?

Posted by kdawson on from the password-please dept.

Talaria writes "The social networking movie review site Flixster is requesting their users' AOL, Gmail, Yahoo and Hotmail passwords, and then using them to access users' address books and send 'invitations' to join Flixster, making them appear to come from the user. The password prompt screen includes the ISP's logo right next to the password prompt. Rather than hiding this little 'feature,' Flixster brags about it in an interview after receiving $2 million in venture funding earlier this year." American Venture Magazine notes: "...such practices are becoming increasingly... common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget."

18 of 190 comments (clear)

  1. Facebook does this too. by Anonymous Coward · · Score: 4, Informative

    Facebook does they same. They ask for your e-mail address and e-mail address password, then spam your contact list. I can't believe people will give them their password, but some actually do. Preposterous!

    1. Re:Facebook does this too. by scsscs · · Score: 5, Informative

      The article makes it sound that way but it's not the case. They do prompt you to select which contacts to send an email to.

    2. Re:Facebook does this too. by Tim+C · · Score: 5, Insightful

      The point remains that not only do these sites ask for your email account password, but people actually let them have them. I personally find it utterly incredible that they even ask; this is so open to potential abuse that I can hardly think where to start. Sure, you can always change your password if they do start to abuse it (if they don't change it first!), but by then the damage may already be done.

      --
      It's official. Most of you are morons.
    3. Re:Facebook does this too. by RazzleDazzle · · Score: 3, Insightful

      Well why do you think spamming is actually a productive/sucessful business model? Because dumbass people actually attempt to purchase freely give their bank acct # for a share of $1.5 billion from some poor African country scam, want increase their manly juice giver with see-al1s, are looking for a low 5.1% mortgage refinance, want to meet the local barely legals, etc.

      Think about it, if people never clicked on the links, replied to the emails, or called the numbers these spammers would probably die off. It is the fault of the masses of people to are all too eager and ignorant. Power thru inaction would solve spamming. Well, at least curb it a bit.

      So back to the topic at hand, while this is very dasterdly, I have never signed up with facebook, I do not have a myspace page, i don't do that school class reunion site. These sites with their ads also help keep these scary/shady companies alive too. If they do things that are as bad as this publicly, imagine what they're doing behind our digital backs. Let's see, they have just about your entire personal history, background, lifestyle, etc. not mention they probably have every single click on their own respective websites completely tracked. They own you and can probably easily guess all of your secret questions for password reminders on any site such as "Your pets name" or "city your high school was in" or "what is your favorite color", etc.

      Sorry for the paranoia and cynicism. I just don't trust these people, especially without some regulatory oversight. I am totally against said regulatory oversight so I just exercise extreme caution and do not generally sign up for these types of sites.

      Have a nice day.

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    4. Re:Facebook does this too. by Zonk+(troll) · · Score: 4, Insightful

      Better solution:

      1) Boycott the scummers that use these tactics

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
  2. My Gmail password?! by mpiktas · · Score: 4, Insightful

    They can pry it only from my cold unresisting hands. If any site asked for it, not only I would not give it, but I would write a nasty letter, telling to shove their request so high up the ass, that it would be possible to see, when they open their mouths.

    1. Re:My Gmail password?! by Stewie241 · · Score: 4, Funny

      Go to:
      Edit->Preferences
      Select the Security Tab
      Click the Show Passwords button
      Click the Show Passwords button on the window that comes up
      Click the Yes button.
      Copy your list of usernames and passwords
      Paste the list here so I can make sure for you that the username and passwords are valid.

  3. another nasty trick... by advocate_one · · Score: 4, Interesting

    Most people try and keep their passwords and usernames to a small number so use the same password and username for several different sites... so a nasty trick could be to try using the password for flixter against the same username for a different account say google mail or myspace...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    1. Re:another nasty trick... by pla · · Score: 3, Insightful

      Most people try and keep their passwords and usernames to a small number so use the same password and username for several different sites... so a nasty trick could be to try using the password for flixter against the same username for a different account say google mail or myspace...

      That, however, would fall squarely under the category of "cracking". By asking for it, they can claim to have (at least as a pretense) your "permission" to spam your friends and contacts.

      I do have to wonder, though, whether this might not count as a DMCA violation for Flixster, regardless of the appearance of having your permission... Virtually all free email hosts have a clause in their terms saying basically that you and only you may use your account. By using it "on your behalf", Flixster has used your password to circumvent an access control mechanism, the magical phrase that triggers a DMCA violation.

  4. Non-Issue by earnest+murderer · · Score: 4, Informative

    If you look at the lousy screen shots it is painfully obvious they are being up front and quite clear what they intend to do and how to skip the invitation process.

    I'm not saying I'm a fan of their scheme, but it's not like they're scamming anyone. You even get to select who you want to invite.

    I guess some people feel they have to produce content, even if they have to dress a non-story up in inflammatory language and ignore the facts of the situation. Gotta drive those Adsense impressions.

    --
    Platform advocacy is like choosing a favorite severely developmentally disabled child.
    1. Re:Non-Issue by forkazoo · · Score: 3, Insightful

      If you look at the lousy screen shots it is painfully obvious they are being up front and quite clear what they intend to do and how to skip the invitation process.

      I'm not saying I'm a fan of their scheme, but it's not like they're scamming anyone. You even get to select who you want to invite.

      I guess some people feel they have to produce content, even if they have to dress a non-story up in inflammatory language and ignore the facts of the situation. Gotta drive those Adsense impressions.


      I recently signed up with Facebook to get in touch with some old friends and generally pretend to be one of the cool kids. They have a similar feature where I was able to provide my login information for gmail or yahoo, and it would automatically dend friend requests to folks in my address books. Sure, it's a bit stupid to provide your login information to a third party. If that information is stored, then yes it could be breached. But, ultimately the facebook feature and the one in this article are apparently very straightforward. A user can choose to share the login information with a third party. As long as that third party does what they say they will, I'm not sure where the issue is.

      Ideally, webmail providers would get together with the folks who impliment these sorts of features, and make some sort of easy way to generate a one time use password that can only be used by an IP assigned to the domain that is supposed to use it. Then, you could impliment this sort of thing without needing as much trust. Then, the next time you login to your webmail, it pops up a message saying that "XYZ domain used the one time key you generated on X date to attempt the following actions. Please look over this log and make sure it is what you wanted them to do and click approve or deny."

      But, the security issue doesn't even seem to be the main complaint of the article. It's just all huffy about them doing what they say they will, and declaring it deceptive.
  5. Some crazy man's "great business idea" by suv4x4 · · Score: 4, Interesting

    I can literally hear the devs arguing this idea is insane, but their boss insisting on being implemented.

    And so it came to be. It's crazy not just because it's deceptive, but because it's a security nightmare. If you give your passwords to random sites even for the nicest purposes (which isn't even the case here) it's guaranteed they'll be leaked, and your accounts abused.

    What's next: signing a warrant of attorney so the great Flixster, so they could send your buddies free gifts, funded by your bank accounts and credit cards? It's definitely in the same line of thought as this preposterous scheme here.

    1. Re:Some crazy man's "great business idea" by Stooshie · · Score: 3, Insightful

      ... Their boss might "insist" on this being implemented, because it was in the signed off functional spec. which the developer is paid to implement. ...

      I was only doing my job M'Lud.

      Now where have I heard that one before.

      --
      America, Home of the Brave. ... .and the Squaw.
  6. Maybe by dysfunct · · Score: 4, Interesting
    This clearly looks like one of those great "thinking out of the box" ideas upper management come up with in order to pat themselves on their back (and explain their bonuses with) that - apart from being badly thought out in the first place - also was badly implemented. Sending a mail to every single contact in an address book without giving the user any kind of choice might not be the best way to make friends - although due to obvious reasons I didn't want to try and find out whether there's a confirmation or something who this will be sent to. Any volunteers?

    The page in question is formatted to resemble a login gateway page of the various providers (think Microsoft Passport and the like) using the domain part of your email address to decide which provider login to display. Even though I consider myself quite knowledgeable when it comes to security related issues and have done security consulting for various companies, I *might* have fallen for this since it admittedly lowered my suspicions. I doubt Joe Sixpack or even many above-average users would have questioned the purpose of this form.

    Worth noting is their elaborate privacy policy and the cute picture of a monkey in their terms of service. Also, the footnote "Flixster does not store this information in any way" seems to have been added after the screen shots in TFA were taken and I could not find any information on how they connect to the email services (i.e. via a cryptographically safe link or plain text via a Win98 proxy server in Nigeria)

    --
    :/- spoon(_).
  7. Phishing made easy by the_doctor_23 · · Score: 5, Insightful

    After spending time and again to train our users not to give out passwords and other sensitive information, this feels like a smack in the face.
    As this practice gets more common, people will lower their guards (if they had them in the first place) and become conditioned to give out their password to anyone who asks.
    I can already hear them say "... but the website asked me for it... was that wrong?" *sigh*

    --
    "Extraordinary claims require extraordinary evidence" - Carl Sagan
  8. Exactly; not new by blowdart · · Score: 5, Informative

    sms.ac did exactly the same thing; but didn't ask permission to email people. Whilst you'd think people would know better even Joi Ito got caught by this, what's worse is they spammed before the signup process was complete. Joi immediately quit using the service and blogged a public apology, referring to sms.ac as spammers. Next thing you know they sent him a cease and desist demanding Joi stopped calling them spammers.

  9. Here's how to stop these scams by bocaJWho · · Score: 5, Insightful

    Google and other mainstream mail-service providers can put a stop to these messages pretty easily. Sending these messages violate several points in gmail's Terms of Use and Program Policies. Specifically:

    -Section 2. Personal Use: "The Service is made available to you for your personal use only."
        I see two violations here. First of all, they are giving the use of the service to someone other than themselves, violating the word "your". Secondly, they violate the word "personal" - this is clearly a business application
    -Section 3. Proper Use: "... Your use of the Service is subject to your acceptance of and compliance with the Agreement, including the Gmail Program Policies ..."
        Violations of the program policies include:
        - "Generate or facilitate unsolicited commercial email ("spam"). Such activity includes, but is not limited to ... selling, exchanging or distributing to a third party the email addresses of any person without such person's knowing and continued consent to such disclosure ... Interfere with other Gmail users' enjoyment of the Service" [spam certainly interferes with my enjoyment of gmail].
    -Additionally in Section 3: You shall not "(i) use the Service to upload, transmit or otherwise distribute any content that is unlawful, defamatory, harassing, abusive, fraudulent, obscene, contains viruses, or is otherwise objectionable as reasonably determined by Google;" Again, I find spam harassing.

    Given these violation, Google would be well within their rights to terminate the accounts (actually, according to the Terms of Use, they can do that whenever they feel like it, but lets assume they don't want to look too evil). Alternatively, They could send out notices that they will terminate any accounts that have been violated if they don't change their password in the next 10 days. Since so many people would lose, or face impending loss of their email accounts, services such as Flixster would suddenly have to find a new business model.

    While I didn't check, I would bet hotmail, yahoo mail etc. have similar terms of use.

    Even if Flixster decided to keep being an ass and collect passwords anyways, that would just mean that people stupid enough to give out their passwords would no longer have email accounts. Either way, I see no loss. Get to it Google et al.

  10. Re:Not to mention by MichaelSmith · · Score: 3, Interesting

    There is no way of telling if the password used is provided to a third party without consent or if the site is hacked. Be careful with your personal data, and keep your login to yourself as much as possible.

    Anybody who gets an account on service X will be asked for a password and a contact email address. Chances are that the password will get you right into their email account, because people don't like having 100s of low security passwords.

    Of course, I trust slashdot not to take my password and try to get into all my other accounts. Am I justified?

    --
    http://michaelsmith.id.au