Is Flixster Using Deceptive Viral Practices?

Talaria writes "The social networking movie review site Flixster is requesting their users' AOL, Gmail, Yahoo and Hotmail passwords, and then using them to access users' address books and send 'invitations' to join Flixster, making them appear to come from the user. The password prompt screen includes the ISP's logo right next to the password prompt. Rather than hiding this little 'feature,' Flixster brags about it in an interview after receiving $2 million in venture funding earlier this year." American Venture Magazine notes: "...such practices are becoming increasingly... common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget."

Facebook does this too.

[Anonymous Coward]

Facebook does they same. They ask for your e-mail address and e-mail address password, then spam your contact list. I can't believe people will give them their password, but some actually do. Preposterous!

Not to mention

[Z00L00K]

that this technique is a goldmine for spammers, phishers and other malware producers.

There is no way of telling if the password used is provided to a third party without consent or if the site is hacked. Be careful with your personal data, and keep your login to yourself as much as possible.

If you create a site with interactive content - think twice before if you really need your visitors to log in to request the content.

Non-Issue

[earnest murderer]

If you look at the lousy screen shots it is painfully obvious they are being up front and quite clear what they intend to do and how to skip the invitation process.

I'm not saying I'm a fan of their scheme, but it's not like they're scamming anyone. You even get to select who you want to invite.

I guess some people feel they have to produce content, even if they have to dress a non-story up in inflammatory language and ignore the facts of the situation. Gotta drive those Adsense impressions.

Re:Facebook does this too.

[Anonymous Coward]

Yes Facebook does this too, but differently. With Facebook, if you give them your email login/password, they'll grab your address book and see who else you can add as a friend. You can select who it will and won't send an email to. With this, on the other hand, it looks like it just blasts spam out to everyone in your address book.

FUD

[scsscs]

This isn't new, it's done by almost every social network. As long as it doesn't automatically spam your entire address book it's a perfectly acceptable feature.

Re:Facebook does this too.

[scsscs]

The article makes it sound that way but it's not the case. They do prompt you to select which contacts to send an email to.

Re:FUD

[scsscs]

One of the Co-founder's of Flixster posted in the article's comments. Since many wont even read the article let alone the comments here it is: Hi Anne, I am one of the founders of flixster. I happened upon your article via technorati. As a social community on the web, we take issues of email privacy and permission very seriously. Obviously i am saddened by the way your article describes us. Let me clarify a couple things... 1. We do allow users to access common web-address books to select friends to invite. The whole point of flixster is sharing movie ratings with friends - so making it easy to invite people is very important for us. (This is also incredibly common practice around the web - see yelp/facebook/myspace and many others that also offer it. Plaxo actually offers a popular widget to allow any site to offer this feature). 2. We don't do anything tricky or misleading. The invite friends screens are all clearly explained (visible even in your slightly fuzzy screenshots) and to actually send anything the user must click a button labelled "send invitations" on a screen with their friends names and a list of checkboxes. 2. We use the user's credentials only to retrieve the contact list and then do not store them in any way. We absolutely don't do anything malicious or affect their account in any way. 3. The user is then ALWAYS given the list of contacts and asked to select whom to invite. We do not invite anyone they do not select. Of course we want people to invite friends to come try our site - but it absolutely does not benefit us to send invites they didn't intend and end up with angry users. 4. Once registered, users can control their settings on every single email we send - from weekly movie summaries to new friend requests. If you choose, you can receive no email from us at all. 5. We never sell, rent or buy email addresses from anyone. We are a small company. The intro to our terms of service was intended to be funny. In no way does it reflect us taking privacy issues lightly - which is exactly why we wrote our privacy policy in such clear terms. Anyway, if you have any questions or want to discuss with me, drop me a note at the email above. i appreciate that your efforts are to help protect people from malicious or dangerous sites - a noble endeavor - i'm really sorry that you felt like our site fell into that category. Sincerely, Joe G

Exactly; not new

[blowdart]

sms.ac did exactly the same thing; but didn't ask permission to email people. Whilst you'd think people would know better even Joi Ito got caught by this, what's worse is they spammed before the signup process was complete. Joi immediately quit using the service and blogged a public apology [ito.com], referring to sms.ac as spammers. Next thing you know they sent him a cease and desist [ito.com] demanding Joi stopped calling them spammers.

Some are much worse

[rduke15]

Apparently, the user has to manually select the addresses that will be spammed ("invited"), and click a button.

This is by far not as bad as what wayn.com does (or at least used to do). They were just sending out their spam through your account without your knowledge. See "WAYN - Where Are You Now? Warning [misterorange.com]" or Wayn.com : phishing alert, ne vous faites pas couillonner ! [pingouin.be] (the last one in French). (found these at the end of a French blog post about other deceptive practices of Wayn.com [alma.ch])

Re:Not to mention

[ZachPruckowski]

A most PHP-based sites don't actually store your password, they store a hash of your password. So at a lot of honest sites, this isn't even a concern. This is why they have to reset your password for you instead of just emailing it to you.

Re:My Gmail password?!

[bkr1_2k]

Fair warning, don't put a return address on that. It's a federal offense to send hazardous material (feces being classified as biohazard) through the mail. At least in the USA.

In the case of Myspace this almost makes sense

[screeble]

I logged into Google Video today and the feature you describe doesn't seem to exist anymore. Unlike Flixster, Google has a deal with News Corp to provide search features and targeted ads for Myspace. Google's logos are plastered all over Myspace to the point where it almost looks like the site IS Google from time to time. So, the concept that you could crosspost seems almost sane.

Hell, Blogger (which is google) has a "feature" that will let the service p0wn your FTP server by posting directly to the server. This sort of behaviour isn't new and I'm surprised Flixster gets tagged as horrible and evil for doing something everyone is already doing.

I hate to admit it but I fell for the FTP one and used the service for a good six months until it dawned on me what I had done. I immediately cancelled my shell account and moved my blog to blogspot. Sometimes even people who understand the security implications can get tripped up. This doesn't excuse the now absent behaviour of posting videos within your account but at least the idea seems somewhat understandable. Plus, Google has a history of doing these sort of things in the interest of "interoperability."

Yeah, right... interoperability. I'll keep telling myself that. Maybe it will make it true.

Re:So be smart, don't use the same

[Greyfox]

I thought technology should be able to solve this problem. A quick google search turns up The Firefox Password Maker Plugin. [passwordmaker.org] Looks like it'll generate secure unique passwords that you don't even have to know to use a given service, and control them all with a master password.