Is Flixster Using Deceptive Viral Practices?

Posted by kdawson
from the password-please dept.
Talaria writes "The social networking movie review site Flixster is requesting their users' AOL, Gmail, Yahoo and Hotmail passwords, and then using them to access users' address books and send 'invitations' to join Flixster, making them appear to come from the user. The password prompt screen includes the ISP's logo right next to the password prompt. Rather than hiding this little 'feature,' Flixster brags about it in an interview after receiving $2 million in venture funding earlier this year." American Venture Magazine notes: "...such practices are becoming increasingly... common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget."

  • by Anonymous Coward on Monday March 26, 2007 @04:36AM (#18485477)
    Facebook does the same. They ask for your e-mail address and e-mail address password, then spam your contact list. I can't believe people will give them their password, but some actually do. Preposterous!
    • Re: (Score:2, Informative)

      by Anonymous Coward
      Yes Facebook does this too, but differently. With Facebook, if you give them your email login/password, they'll grab your address book and see who else you can add as a friend. You can select who it will and won't send an email to. With this, on the other hand, it looks like it just blasts spam out to everyone in your address book.
      • by scsscs (669925) on Monday March 26, 2007 @05:44AM (#18485783)
        The article makes it sound that way but it's not the case. They do prompt you to select which contacts to send an email to.
      • by Tim C (15259) on Monday March 26, 2007 @05:46AM (#18485807)
        The point remains that not only do these sites ask for your email account password, but people actually let them have them. I personally find it utterly incredible that they even ask; this is so open to potential abuse that I can hardly think where to start. Sure, you can always change your password if they do start to abuse it (if they don't change it first!), but by then the damage may already be done.
        • Re: (Score:2, Insightful)

          by Ostsol (960323)
          Yeah, that was my first reaction to this -- especially since 99.9% of products and services for which you set a password tell you never to give it to anyone. Add to that the frequent reports of identity and information theft in the media. . .
        • by AceJohnny (253840)

          I personally find it utterly incredible that they even ask

          That's exactly how social engineering works. Ask something incredible enough that people will think you've got a really good reason and have got the right authorizations to ask it in the first place!

          It's exactly like walking out of the office purposefully with that very expensive projector. As long as it looks like you know what you're doing, people won't think twice.
          • Downtown? Need to use the bathroom? Don't want to go near some subterranean hovel with an inch of piss flooding the floor? Dressed half decently?

            Walk into the lobby of that lovely five star hotel, and into their bathroom. Far more pleasant, and if you look like you're meant to be there, voila.

        • I've come across login screens like this before - what they've said was 'Log in to this site using your Yahoo/Gmail/AOL account'- the implication is that they're partnered with these sites, and you use your 'account' to log in to them. That the logos of these sites are right there beside the login fields adds to the illusion that they're 'official' and that you're actually logging into your AOL/Yahoo/Gmail account when you fill in your username & password.

          Whenever I've been invited to use such a site

        • by geobeck (924637)

          ...not only do these sites ask for your email account password, but people actually let them have them.

          ...thereby violating the terms of service of their e-mail provider, and affecting others who didn't make the asinine decision to do so.

          I was having an argument with someone the other day about the fact that laws that prevent people from doing stupid things are a good thing. If the only victim were the primary idiot, I'd say go ahead, Darwin away. But, unfortunately, stupidity usually has a wide spla

      • by andreMA (643885)
        The terms of service of the email provider almost certainly specify that you not reveal your password to third parties (with exceptions for subpoena, etc.). Those that do so should simply be deleted.
    • Exactly; not new (Score:5, Informative)

      by blowdart (31458) on Monday March 26, 2007 @06:16AM (#18485917) Homepage

      sms.ac did exactly the same thing; but didn't ask permission to email people. Whilst you'd think people would know better even Joi Ito got caught by this, what's worse is they spammed before the signup process was complete. Joi immediately quit using the service and blogged a public apology [ito.com], referring to sms.ac as spammers. Next thing you know they sent him a cease and desist [ito.com] demanding Joi stopped calling them spammers.

      • by rjshields (719665)
        You've gotta love their cease and desist letter:

        The text, colors, drawings, images, and multiple logos are further protected under the Copyright laws of the United States as well as International treaties.
        Their logo is a blatant rip-off of the ebay logo! Bunch of spamming cnuts!
    • by RazzleDazzle (442937) on Monday March 26, 2007 @06:22AM (#18485947) Journal
      Well why do you think spamming is actually a productive/successful business model? Because dumbass people actually attempt to purchase freely give their bank acct # for a share of $1.5 billion from some poor African country scam, want to increase their manly juice giver with see-al1s, are looking for a low 5.1% mortgage refinance, want to meet the local barely legals, etc.

      Think about it, if people never clicked on the links, replied to the emails, or called the numbers these spammers would probably die off. It is the fault of the masses of people who are all too eager and ignorant. Power thru inaction would solve spamming. Well, at least curb it a bit.

      So back to the topic at hand, while this is very dastardly, I have never signed up with facebook, I do not have a myspace page, I don't do that school class reunion site. These sites with their ads also help keep these scary/shady companies alive too. If they do things that are as bad as this publicly, imagine what they're doing behind our digital backs. Let's see, they have just about your entire personal history, background, lifestyle, etc. not to mention they probably have every single click on their own respective websites completely tracked. They own you and can probably easily guess all of your secret questions for password reminders on any site such as "Your pet's name" or "city your high school was in" or "what is your favorite color", etc.

      Sorry for the paranoia and cynicism. I just don't trust these people, especially without some regulatory oversight. I am totally against said regulatory oversight so I just exercise extreme caution and do not generally sign up for these types of sites.

      Have a nice day.
    • by mcleaver (105698)
      I received an MSN message from a friend inviting me to see who had banned me from their MSN listing. I only had to log on to the site (http://www.get-messenger.com/) and give them my MSN name and password (also for Passport!)
      My friend and apparently many others had done so. How do we close down crooks like this?
    • Total FUD.

      Facebook asks you for your email password so that they can DOWNLOAD THE ADDRESS BOOK so you can find people in it who ARE ALREADY FACEBOOK MEMBERS.

      As well, you have to AUTHORIZE THEM to add the people via checking them off. Absolutely no messages are sent to anyone unless you specifically approve each and every person.

      They are very upfront about what they are doing and why they are asking for your passwords. IMO it's a great service, it saved me hours of hunting down people in there when I first
      • by andreMA (643885)
        Does your email provider's terms of service permit you to provide USER/PASS to any third party, for any reason at all, barring a court order to do so? Probably not. I look forward to you confessing to them and cancelling your account to save them the trouble, as it looks like they'd certainly be within their rights to do so. And I'd support them in it. The problem isn't facebook per se - or any other service that may in fact be honorable in their intentions. The problem lies in the desensitization that suc
  • by mpiktas (740253) on Monday March 26, 2007 @04:38AM (#18485483)
    They can pry it only from my cold unresisting hands. If any site asked for it, not only I would not give it, but I would write a nasty letter, telling to shove their request so high up the ass, that it would be possible to see, when they open their mouths.
    • Re: (Score:2, Funny)

      by joshier (957448)
      If any company does this to me, I shit in a bag and send it to them.
      If they want to send me some of their shit, I send them some of fucking mine.
      • Re: (Score:2, Informative)

        by bkr1_2k (237627)
        Fair warning, don't put a return address on that. It's a federal offense to send hazardous material (feces being classified as biohazard) through the mail. At least in the USA.
    • They can't even pry my GMail password from my cold dead hands. I changed my gmail password about six months ago (following good security practices: two upper case, two lower case, two numbers, two special characters, not similar to previous passwords and with no hidden meaning... oops) and thanks to firefox's "remember password" feature, within a month I forgot it. Since I am pretty dependent on the account, I live in fear that the saved password might somehow disappear or expire (it was with the greatest
  • Not to mention (Score:3, Informative)

    by Z00L00K (682162) on Monday March 26, 2007 @04:39AM (#18485489) Homepage
    that this technique is a goldmine for spammers, phishers and other malware producers.

    There is no way of telling if the password used is provided to a third party without consent or if the site is hacked. Be careful with your personal data, and keep your login to yourself as much as possible.

    If you create a site with interactive content - think twice about whether you really need your visitors to log in to request the content.

    • Re:Not to mention (Score:4, Interesting)

      by MichaelSmith (789609) on Monday March 26, 2007 @06:27AM (#18485969) Homepage Journal

      There is no way of telling if the password used is provided to a third party without consent or if the site is hacked. Be careful with your personal data, and keep your login to yourself as much as possible.

      Anybody who gets an account on service X will be asked for a password and a contact email address. Chances are that the password will get you right into their email account, because people don't like having 100s of low security passwords.

      Of course, I trust slashdot not to take my password and try to get into all my other accounts. Am I justified?

      • So be smart and don't use the same password for your email and for accounts to random web sites.

        If you have to re-use passwords, at the very least do something like having half a dozen passwords, one for each category. One for your email, one for web forums, one for work, one for the home computer (but use a firewall anyway), one for PayPal/Ebay/whatever, one for MMOs or whatever. Ok, maybe you don't like having 100 passwords, but you _can_ remember 5-6 passwords, right?

        That way if one is compromised, basic
        • Re: (Score:3, Informative)

          by Greyfox (87712)
          I thought technology should be able to solve this problem. A quick google search turns up The Firefox Password Maker Plugin. [passwordmaker.org] Looks like it'll generate secure unique passwords that you don't even have to know to use a given service, and control them all with a master password.
          • Well, there is that, but then it's also a gold mine for phishers, spyware, you name it. Telling someone to just download any password manager and be done with it, is probably the most unsafe advice I can think of giving anyone. You give all your passwords to a piece of software, and... have no clue what happens from there. You damn better trust the makers of that software more than you trust your mom, because you just gave them pretty much unrestricted access to your money, data, identity. And trust that wh
      • Re: (Score:3, Informative)

        Most PHP-based sites don't actually store your password, they store a hash of your password. So at a lot of honest sites, this isn't even a concern. This is why they have to reset your password for you instead of just emailing it to you.
  • by advocate_one (662832) on Monday March 26, 2007 @04:43AM (#18485509)
    Most people try and keep their passwords and usernames to a small number so use the same password and username for several different sites... so a nasty trick could be to try using the password for Flixster against the same username for a different account say google mail or myspace...
    • by pla (258480) on Monday March 26, 2007 @06:25AM (#18485963) Journal
      Most people try and keep their passwords and usernames to a small number so use the same password and username for several different sites... so a nasty trick could be to try using the password for Flixster against the same username for a different account say google mail or myspace...

      That, however, would fall squarely under the category of "cracking". By asking for it, they can claim to have (at least as a pretense) your "permission" to spam your friends and contacts.

      I do have to wonder, though, whether this might not count as a DMCA violation for Flixster, regardless of the appearance of having your permission... Virtually all free email hosts have a clause in their terms saying basically that you and only you may use your account. By using it "on your behalf", Flixster has used your password to circumvent an access control mechanism, the magical phrase that triggers a DMCA violation.
      • by ajs318 (655362)
        I would have thought that handing over the passwords in the first place would constitute a ToS violation.

        Part of me hopes people will end up getting themselves banned from GMail, AOL, Hotmail &c. because of this, if only in order to generate some publicity and draw some attention. You wouldn't give a shady stranger the keys to your home. Why let them into your email accounts?
      • access control mechanism, the magical phrase that triggers a DMCA violation

        It's also the magic phrase that activates the Hunter-Seeker Death-Robots. I hope you've paid up your robot-insurance premiums...
  • Non-Issue (Score:5, Informative)

    by earnest murderer (888716) on Monday March 26, 2007 @04:52AM (#18485547)
    If you look at the lousy screen shots it is painfully obvious they are being up front and quite clear what they intend to do and how to skip the invitation process.

    I'm not saying I'm a fan of their scheme, but it's not like they're scamming anyone. You even get to select who you want to invite.

    I guess some people feel they have to produce content, even if they have to dress a non-story up in inflammatory language and ignore the facts of the situation. Gotta drive those Adsense impressions.
    • Re:Non-Issue (Score:4, Insightful)

      by forkazoo (138186) <wrosecrans.gmail@com> on Monday March 26, 2007 @05:18AM (#18485671) Homepage

      If you look at the lousy screen shots it is painfully obvious they are being up front and quite clear what they intend to do and how to skip the invitation process.

      I'm not saying I'm a fan of their scheme, but it's not like they're scamming anyone. You even get to select who you want to invite.

      I guess some people feel they have to produce content, even if they have to dress a non-story up in inflammatory language and ignore the facts of the situation. Gotta drive those Adsense impressions.


      I recently signed up with Facebook to get in touch with some old friends and generally pretend to be one of the cool kids. They have a similar feature where I was able to provide my login information for gmail or yahoo, and it would automatically send friend requests to folks in my address books. Sure, it's a bit stupid to provide your login information to a third party. If that information is stored, then yes it could be breached. But, ultimately the facebook feature and the one in this article are apparently very straightforward. A user can choose to share the login information with a third party. As long as that third party does what they say they will, I'm not sure where the issue is.

      Ideally, webmail providers would get together with the folks who implement these sorts of features, and make some sort of easy way to generate a one time use password that can only be used by an IP assigned to the domain that is supposed to use it. Then, you could implement this sort of thing without needing as much trust. Then, the next time you login to your webmail, it pops up a message saying that "XYZ domain used the one time key you generated on X date to attempt the following actions. Please look over this log and make sure it is what you wanted them to do and click approve or deny."

      But, the security issue doesn't even seem to be the main complaint of the article. It's just all huffy about them doing what they say they will, and declaring it deceptive.
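The one-time, domain-bound key proposed in the comment above, sketched as an added example; it is not code from the thread or from any webmail provider. The names `MailProvider`, `issue_key`, `redeem` and `review`, the `read_contacts` scope and the address ranges are hypothetical, and the third party's address ranges are supplied by the caller rather than looked up.

```python
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str
    domain: str          # third party the key was generated for
    networks: list       # address ranges assigned to that domain (assumed known)
    scope: str           # the single action the key permits
    expires_at: float
    used: bool = False


@dataclass
class MailProvider:
    """Hypothetical webmail provider issuing one-time delegation keys."""
    grants: dict = field(default_factory=dict)  # sha256(key) -> Grant
    audit: dict = field(default_factory=dict)   # user -> list of attempts

    @staticmethod
    def _digest(key):
        # Only a hash of the key is stored, so a dump of the grant table
        # does not yield usable keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue_key(self, user, domain, networks, scope, ttl=600, now=None):
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)
        nets = [ipaddress.ip_network(n) for n in networks]
        self.grants[self._digest(key)] = Grant(user, domain, nets, scope, now + ttl)
        return key  # handed to the third party instead of the real password

    def redeem(self, key, source_ip, action, now=None):
        now = time.time() if now is None else now
        grant = self.grants.get(self._digest(key))
        if grant is None:
            return False, "unknown key"
        ip = ipaddress.ip_address(source_ip)
        if grant.used:
            reason = "key already used"
        elif now > grant.expires_at:
            reason = "key expired"
        elif not any(ip in net for net in grant.networks):
            reason = "source address not assigned to " + grant.domain
        elif action != grant.scope:
            reason = "action outside granted scope"
        else:
            reason = "ok"
            grant.used = True  # one successful use only
        # Every attempt, allowed or not, is kept for the account owner.
        self.audit.setdefault(grant.user, []).append({
            "when": now, "domain": grant.domain, "source_ip": source_ip,
            "action": action, "allowed": reason == "ok", "reason": reason,
        })
        return reason == "ok", reason

    def review(self, user):
        """What the user is shown at next login: every attempt made with their keys."""
        return list(self.audit.get(user, []))


if __name__ == "__main__":
    provider = MailProvider()
    # Constructed sample values: documentation address ranges and an example domain.
    key = provider.issue_key("alice", "thirdparty.example",
                             ["203.0.113.0/24"], "read_contacts")
    print(provider.redeem(key, "198.51.100.7", "read_contacts"))  # wrong network
    print(provider.redeem(key, "203.0.113.10", "send_mail"))      # wrong action
    print(provider.redeem(key, "203.0.113.10", "read_contacts"))  # allowed once
    print(provider.redeem(key, "203.0.113.10", "read_contacts"))  # replay refused
    for entry in provider.review("alice"):
        print(entry)
```

The account password never leaves the user, and a key that leaks is useless from another network, for another action, or after its first use.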
    • by Vincman (584156)
      I'm not sure about the "deceptive" part, but http://www.stumbleupon.com/ [stumbleupon.com] just did the exact same thing to me, causing me to send invites to 100s of people. And of course, I feel stupid now, though I can't say that Stumbler's intent was 100% clear--by which I mean, a warning spelled out in big bold red letters warning me that each of these people would be sent a mail. I'm sure it says it somewhere in the fine print, but is that really enough?
    • From what I can see from reading the article and its comments, they divided your address book into pages and made the default to send the email.

      So people would un-check most of the addresses in the first page, leaving only the ones they wanted to invite, and then hit submit.

      This resulted in all of the address book BUT the un-checked entries on the first page would be sent an email.

      So even if the software worked exactly as advertised, it might cause people to unintentionally spam many, many people, as it in f
  • by suv4x4 (956391) on Monday March 26, 2007 @04:55AM (#18485557)
    I can literally hear the devs arguing this idea is insane, but their boss insisting on being implemented.

    And so it came to be. It's crazy not just because it's deceptive, but because it's a security nightmare. If you give your passwords to random sites even for the nicest purposes (which isn't even the case here) it's guaranteed they'll be leaked, and your accounts abused.

    What's next: signing a warrant of attorney to the great Flixster, so they could send your buddies free gifts, funded by your bank accounts and credit cards? It's definitely in the same line of thought as this preposterous scheme here.
    • I can literally hear the devs arguing this idea is insane, but their boss insisting on being implemented.

      Really? Literally, actually hear them? Unless you work there, they must be screaming pretty loudly!

      Seriously though, any developer should not be screaming about this - it's a functional issue with this site, not a technical one. Their boss might "insist" on this being implemented, because it was in the signed off functional spec. which the developer is paid to implement.

      D.

      • Re: (Score:3, Insightful)

        by Stooshie (993666)

        ... Their boss might "insist" on this being implemented, because it was in the signed off functional spec. which the developer is paid to implement. ...

        I was only doing my job M'Lud.

        Now where have I heard that one before.

        • I was only doing my job M'Lud.
          Well, try refusing to implement a feature in some in-the-scheme-of-things unimportant software and you'll find yourself without a job to be "only doing".

          Kinda different if you were being asked to implement features which were in breach of law - but this isn't kinda different like that.
  • Other mainstream companies that use are Plaxo, Facebook and Taggedmail.

    I'm just surprised how these guys get funded at all. Anyone will tell you that this practice is unsustainable, not to mention unethical.

    • Anyone will tell you that this practice is unsustainable, not to mention unethical.

      Ethics and sustainability only serve to limit the return on the VC's investment.
  • From the 2nd article-

    "We make it easy to invite your friends. Other sites don't provide good ways for people to spread the word."

    What, like calling your friend and saying "Hey, this is a great site" or emailing them and saying "Hey, this is a great site" or texting them and saying "Hey, this is a great site" or walking up to them and saying "Hey, this is a great site"? (Did I make my point?)

    From "Blaster.virus.com"- "Hey, we have a great site and we're going to check out your email address list and send ema
  • Maybe (Score:4, Interesting)

    by dysfunct (940221) * on Monday March 26, 2007 @05:15AM (#18485661)
    This clearly looks like one of those great "thinking out of the box" ideas upper management come up with in order to pat themselves on their back (and explain their bonuses with) that - apart from being badly thought out in the first place - also was badly implemented. Sending a mail to every single contact in an address book without giving the user any kind of choice might not be the best way to make friends - although due to obvious reasons I didn't want to try and find out whether there's a confirmation or something who this will be sent to. Any volunteers?

    The page in question is formatted to resemble a login gateway page of the various providers (think Microsoft Passport and the like) using the domain part of your email address to decide which provider login to display. Even though I consider myself quite knowledgeable when it comes to security related issues and have done security consulting for various companies, I *might* have fallen for this since it admittedly lowered my suspicions. I doubt Joe Sixpack or even many above-average users would have questioned the purpose of this form.

    Worth noting is their elaborate privacy policy [flixster.com] and the cute picture of a monkey in their terms of service [flixster.com]. Also, the footnote "Flixster does not store this information in any way" seems to have been added after the screen shots in TFA were taken and I could not find any information on how they connect to the email services (i.e. via a cryptographically safe link or plain text via a Win98 proxy server in Nigeria)

  • Phishing made easy (Score:5, Insightful)

    by the_doctor_23 (945852) on Monday March 26, 2007 @05:16AM (#18485663)
    After spending time and again to train our users not to give out passwords and other sensitive information, this feels like a smack in the face.
    As this practice gets more common, people will lower their guards (if they had them in the first place) and become conditioned to give out their password to anyone who asks.
    I can already hear them say "... but the website asked me for it... was that wrong?" *sigh*

    • by Kjella (173770)
      Well, let them burn... your email account typically has a bunch of password emails, and even if you delete those most sites have a simple "I forgot my password" form that doesn't require anything. One thing would be to give someone access to your contact list, but this is basically giving them the whole motherload. Plus a very nice way to create a very credible trojan horse so you'll run it on your machine, like say taking any jpg attachment and replace it with an identical mail but with a .jpg.exe instead. I
    • I can already hear them say "... but the website asked me for it... was that wrong?" *sigh*

      Several swimming pools near my home will give out locker keys but require your car keys as security. Whenever I go along I have this huge argument about it. I will happily give them a fifty dollar note as security. The car is worth a lot more than that to me and a replacement locker key is perhaps 10 dollars. They should be happy with the 50.

      But everybody else hands over their keys. Pool staff could be out on the roa

      • by Dogtanian (588974)

        The car is worth a lot more than that to me and a replacement locker key is perhaps 10 dollars.
        Remember that they also need to change the locks if you steal the keys.
      • by Chelloveck (14643)

        Several swimming pools near my home will give out locker keys but require your car keys as security. Whenever I go along I have this huge argument about it.

        No, they require a car key. They have no idea if it belongs to you, fits your car door, or if it indeed unlocks anything. If it's a hassle, go get a duplicate key made, file it down so it no longer works, and give them the dummy key.

        In any case, it's not worth your time to argue with the person behind the desk. If you're really annoyed by it, fin

  • What's interesting is that apparently some people are supplying this information to Flixster without a second thought, and perhaps under the impression that they're actually submitting it to AOL/Yahoo/whatever.

    So the next question would be; if they had a similar page with the Bank Of America/Barclays/whatever logo, would people be just as happy to give their details for them?

    Either way, it's scary. Scary that Flixster thinks this is an acceptable way to market themselves, scary that people are letting them
  • FUD (Score:2, Informative)

    by scsscs (669925)
    This isn't new, it's done by almost every social network. As long as it doesn't automatically spam your entire address book it's a perfectly acceptable feature.
    • There is no way I would allow a company to use my name or email address to send email on my behalf. This is misrepresentation and is simply illegal. To put this in perspective, what do you think would happen if you sent an email in the name of George Bush to the FBI?

      In this case it's certainly worth reading the Terms & Conditions - if that 'feature' isn't in there you ought to be able to sue the hell out of them.
    • by gsslay (807818)
      Well it's new to me.

      I know of lots of websites that do something similar, but the important difference would be that;

        - they only spoof your address, the email does not actually come from your email account
        - they don't need your password
        - you supply the addresses, they don't rifle your address book

      Or so I thought, I'd never use such a thing. If the website was that good I'd tell my friends myself, not fire spam at them. Real friends don't spam you.
    • Re: (Score:2, Informative)

      by scsscs (669925)
      One of the co-founders of Flixster posted in the article's comments. Since many won't even read the article let alone the comments here it is: Hi Anne, I am one of the founders of flixster. I happened upon your article via technorati. As a social community on the web, we take issues of email privacy and permission very seriously. Obviously I am saddened by the way your article describes us. Let me clarify a couple things... 1. We do allow users to access common web-address books to select friends to inv
      • Facebook/myspace are social networking/ friends sites... you sir have a movie rating site. Big difference. What happens when this is allowed by all companies, there will be no end to the unwanted invites.

        Imagine a Porn website using this capability? You may think you know your friends and they may think they know you (and maybe they do) but do you really trust them not to let porn emails get sent to you?

        Here's the bigger problem:

        4. Once registered, users can control their settings on every single email we s

      • More people should read this response.
  • by Joebert (946227) on Monday March 26, 2007 @05:38AM (#18485747) Homepage
    Name any marketing campaign ever done by any company & I bet at least one person here at Slashdot can come up with at least one thing deceptive about each of them.
    • by JetScootr (319545)
      Agreed. I've come to equate "marketing" with "lying with intent to steal", almost synonymous with "fraud".
  • I can't understand why this is a problem. You already trust these networking sites with pretty detailed information on your own preferences, tastes, friends, location etc., so your e-mail password is not much of an asset to them. Any abuse would obviously lead to people changing their passwords.

    The feature is really useful, and presented properly it is not abusive at all. What it does, is log in to your e-mail account and grab your address book. Then you are able to check off people you want to invite and

    • Your email certainly looks like astroturf, by the way. Which would fit right in with the kind of tactics used by a company that asks for user passwords to other networks.
      But to give you the benefit of the doubt:
      There is absolutely no reason, security or otherwise, for a user's password to be anywhere but between the user's ears or typed in to the one correct "password" box where it applies. Even the company who provides the password-protected service has no need of it, unless they have a severely damage
  • by bocaJWho (1080217) on Monday March 26, 2007 @06:25AM (#18485959)
    Google and other mainstream mail-service providers can put a stop to these messages pretty easily. Sending these messages violates several points in gmail's Terms of Use and Program Policies. Specifically:

    -Section 2. Personal Use: "The Service is made available to you for your personal use only."
        I see two violations here. First of all, they are giving the use of the service to someone other than themselves, violating the word "your". Secondly, they violate the word "personal" - this is clearly a business application
    -Section 3. Proper Use: "... Your use of the Service is subject to your acceptance of and compliance with the Agreement, including the Gmail Program Policies ..."
        Violations of the program policies include:
        - "Generate or facilitate unsolicited commercial email ("spam"). Such activity includes, but is not limited to ... selling, exchanging or distributing to a third party the email addresses of any person without such person's knowing and continued consent to such disclosure ... Interfere with other Gmail users' enjoyment of the Service" [spam certainly interferes with my enjoyment of gmail].
    -Additionally in Section 3: You shall not "(i) use the Service to upload, transmit or otherwise distribute any content that is unlawful, defamatory, harassing, abusive, fraudulent, obscene, contains viruses, or is otherwise objectionable as reasonably determined by Google;" Again, I find spam harassing.

    Given these violations, Google would be well within their rights to terminate the accounts (actually, according to the Terms of Use, they can do that whenever they feel like it, but let's assume they don't want to look too evil). Alternatively, They could send out notices that they will terminate any accounts that have been violated if they don't change their password in the next 10 days. Since so many people would lose, or face impending loss of their email accounts, services such as Flixster would suddenly have to find a new business model.

    While I didn't check, I would bet Hotmail, Yahoo Mail etc. have similar terms of use.

    Even if Flixster decided to keep being an ass and collect passwords anyways, that would just mean that people stupid enough to give out their passwords would no longer have email accounts. Either way, I see no loss. Get to it Google et al.
    • Re: (Score:3, Insightful)

      by ettlz (639203)
      Quite. Hotmail's Terms of Use (don't know about others) require you to keep your password secret. The webmail providers should be having strong words with those who divulge this information.
    • by Dogtanian (588974)

      Sending these messages violates several points in Gmail's Terms of Use and Program Policies. [..] Google would be well within their rights to terminate the accounts

      As I said elsewhere [slashdot.org], Flixster themselves may also be open to legal action- if not "hacking" charges- because they aren't authorised to access these systems. If this was just one individual accessing another's account with permission, I don't see that it would be treated too seriously. But although Flixster weren't the ones who agreed to the TOSs, they are likely *more* aware of them than the account owners, simply because any normal business would have a lawyer look into that sort of thing first. (Or at le

  • Okay, who tagged the article "yes"? Own up.
  • by TorKlingberg (599697) on Monday March 26, 2007 @06:39AM (#18486019)
    I suggest Google block Flixster's IPs from logging in to Gmail. That should keep away some of this spam. In general, preventing a single IP from logging in to a lot of accounts sounds like a decent security measure.
    • Re: (Score:3, Insightful)

      by Tim C (15259)
      There are three issues with this idea:

      1) There's nothing to prevent Flixster from sending employees out to Internet cafés to send the mails, or getting them to do it from home, etc. Sure, it's an inconvenience, but if they're truly determined they could do it. Alternatively, just buy a bunch of modems and get some free dial-up accounts, or use proxies, etc.

      2) My company, like probably the vast majority, NATs its LAN. To the outside world, almost every single desktop appears to be behind the same IP a
    • Re: (Score:3, Insightful)

      by discord5 (798235)

      I suggest Google block Flixster's IPs from logging in to Gmail. That should keep away some of this spam. In general, preventing a single IP from logging in to a lot of accounts sounds like a decent security measure.

      Your idea will fail because:

      • a specific blocked IP is easy to circumvent if you have an entire range at your disposal
      • a blocked range can always use a proxy (money buys a good proxy, and if you really wanted to I'm sure that some sites ending in .ru will provide you with daily updated lists for
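The measure proposed in this subthread (limiting how many accounts one IP can log in to) and the NAT objection raised in reply, as an added example that is not part of any commenter's post. It is a Python sketch over a constructed login log; the log format, window, threshold, IPs and account names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(lines):
    """Parse 'ISO-timestamp source-ip account' lines (an assumed log format)."""
    events = []
    for line in lines:
        ts, ip, account = line.split()
        events.append((datetime.fromisoformat(ts), ip, account))
    return events

def fanout_ips(events, window=timedelta(minutes=10), max_accounts=4):
    """Return {ip: peak} for source IPs that logged in to more than
    max_accounts distinct accounts within any single window."""
    by_ip = defaultdict(list)
    for ts, ip, account in sorted(events):
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, seen in by_ip.items():
        peak = 0
        for i, (start, _) in enumerate(seen):
            # Distinct accounts seen from this IP in [start, start + window].
            accounts = {a for t, a in seen[i:] if t - start <= window}
            peak = max(peak, len(accounts))
        if peak > max_accounts:
            flagged[ip] = peak
    return flagged

# Constructed sample log: documentation-range IPs, made-up accounts.
SAMPLE = (
    # One address opening six different mailboxes within five minutes.
    [f"2007-03-26T06:0{i}:00 198.51.100.20 user{i}@example.com" for i in range(6)]
    # Office NAT: six staff behind one IP, each logging in once, an hour apart.
    + [f"2007-03-26T{9 + i:02d}:15:00 203.0.113.7 staff{i}@example.com" for i in range(6)]
    # One user whose mail client re-authenticates every five minutes.
    + [f"2007-03-26T06:{m:02d}:30 192.0.2.9 carol@example.com" for m in range(0, 30, 5)]
)

if __name__ == "__main__":
    events = parse(SAMPLE)
    print(fanout_ips(events))                              # short window
    print(fanout_ips(events, window=timedelta(hours=24)))  # NAT now trips it too
```

Counting distinct accounts in a short window spares the office NAT in this sample, while a day-long window flags it, which is the false-positive risk the replies point out.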
  • As a former network admin, I'd bet quite a large sum of money that in the majority of cases, the password the user chooses for the new site registration and the password they're using for email - probably the same email they gave for the signup! - are identical anyway.

    This is just asking permission. Nine out of ten times, they've already got the information.

    Still don't like it. The real solution is for the mail providers to provide a secondary authentication measure to provide information from a users' acco
    • Flixster is asking for the user's password to *other* networks, not to its own. Whether a user chooses the same password in more than one app is irrelevant. No honest reputable business would ask for your password to some other company's services.
      This is just asking permission. Nine out of ten times, they've already got the information.
      NO, they don't have the info - that's why they're asking for it. They put up a display that borders on phishing (some would say it IS phishing), without explaining what
  • I saw this recently at Google Video.
    You click the 'add to myspace' button and google video asks for your myspace username and password so that it can login and add the video.
    I lol'd pretty hard at the idea that people would actually do that. But I see it is pretty common.

    Who needs security when nobody actually cares enough about their data to protect it?
    I'm imagining a future of malware infested web applications. fun fun fun!!!
    • I logged into Google Video today and the feature you describe doesn't seem to exist anymore. Unlike Flixster, Google has a deal with News Corp to provide search features and targeted ads for Myspace. Google's logos are plastered all over Myspace to the point where it almost looks like the site IS Google from time to time. So, the concept that you could crosspost seems almost sane.

      Hell, Blogger (which is google) has a "feature" that will let the service p0wn your FTP server by posting directly to the server.
      • by Jessta (666101)
        1. Go to any video on http://video.google.com/ [google.com]
        2. Click on the 'Email - Blog - Post to myspace' button in the frame on the right (it's a big blue button, you can't miss it.)
        3. Just under it you will now see 'Post to: myspace - blogger - live journal - typepad'
        4. Click myspace.

  • Some are much worse (Score:3, Informative)

    by rduke15 (721841) <rduke15 AT gmail DOT com> on Monday March 26, 2007 @07:12AM (#18486145)
    Apparently, the user has to manually select the addresses that will be spammed ("invited"), and click a button.

    This is by far not as bad as what wayn.com does (or at least used to do). They were just sending out their spam through your account without your knowledge. See "WAYN - Where Are You Now? Warning [misterorange.com]" or Wayn.com : phishing alert, ne vous faites pas couillonner ! [pingouin.be] (the last one in French). (found these at the end of a French blog post about other deceptive practices of Wayn.com [alma.ch])
    • by msimm (580077)
      You should use it first. I'm still getting these spam and the friend who signed up for Flixster is *still* apologizing. See, she had no idea it was going to gain access to her entire address book. She certainly didn't click 100+ OK's or pick any addresses (from what she says).

      Even if it says somewhere in the fine print, the fact that she provided her login information allowing this worm to hijack her address book says a lot about what's deceptive. Not everyone is a paranoid system admin or computer savvy.
  • Sorry MR RIAA lawyer... I didn't download the mp3's.... try Flixster they use my account too...
  • When I clicked on the link, I got a picture of a Monkey with the comment "We can't believe you clicked this"! That pretty much sealed the deal for me. :D
  • I noticed that Flickster or whatever also scans your sent items and any email addresses that have been cached. I was very dismayed to find out that some business contacts of mine were sent these invites after a friend sent me an invite. This is out and out bad.
  • My friend was foolish enough to supply his username and password (it's arguable that it's possibly his fault for doing so, but it was my understanding he had been drinking ;-) At any rate he was just under the impression that he was importing his address book. Unfortunately the gmail address he supplied flixster with was used for corresponding with all of his business and university contacts.

    For weeks following this he was constantly being angrily confronted by the same "Can you stop sending me those invi
  • Hi all,

    I am one of the co-founders of flixster - a friend pointed me to this discussion. I would like to clarify a few things:

    1. We DO offer the ability for users to select friends from their hotmail/yahoo/etc address books. This is a very common practice on social sites like ours - LinkedIn/Yelp/Facebook/MySpace/StumbleUpon/etc all do exactly the same thing. It's an optional convenience feature for users and we are not deceptive or misleading about it in any way.

    2. We do NOT store anyone's us
