Is Flixster Using Deceptive Viral Practices?
Talaria writes "The social networking movie review site Flixster is requesting their users' AOL, Gmail, Yahoo and Hotmail passwords, and then using them to access users' address books and send 'invitations' to join Flixster, making them appear to come from the user. The password prompt screen includes the ISP's logo right next to the password prompt. Rather than hiding this little 'feature,' Flixster brags about it in an interview after receiving $2 million in venture funding earlier this year." American Venture Magazine notes: "...such practices are becoming increasingly... common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget."
My Gmail password?! (Score:4, Insightful)
Phishing made easy (Score:5, Insightful)
As this practice gets more common, people will lower their guards (if they had them in the first place) and become conditioned to give out their password to anyone who asks.
I can already hear them say "... but the website asked me for it... was that wrong?" *sigh*
Re:Non-Issue (Score:4, Insightful)
I recently signed up with Facebook to get in touch with some old friends and generally pretend to be one of the cool kids. They have a similar feature where I was able to provide my login information for Gmail or Yahoo, and it would automatically send friend requests to folks in my address books. Sure, it's a bit stupid to provide your login information to a third party. If that information is stored, then yes it could be breached. But, ultimately the Facebook feature and the one in this article are apparently very straightforward. A user can choose to share the login information with a third party. As long as that third party does what they say they will, I'm not sure where the issue is.
Ideally, webmail providers would get together with the folks who implement these sorts of features, and make some sort of easy way to generate a one-time-use password that can only be used by an IP assigned to the domain that is supposed to use it. Then, you could implement this sort of thing without needing as much trust. Then, the next time you log in to your webmail, it pops up a message saying that "XYZ domain used the one-time key you generated on X date to attempt the following actions. Please look over this log and make sure it is what you wanted them to do and click approve or deny."
But, the security issue doesn't even seem to be the main complaint of the article. It's just all huffy about them doing what they say they will, and declaring it deceptive.
Re:Some crazy man's "great business idea" (Score:3, Insightful)
I was only doing my job M'Lud.
Now where have I heard that one before?
Re:Facebook does this too. (Score:5, Insightful)
Re:Facebook does this too. (Score:4, Insightful)
Think about it: if people never clicked on the links, replied to the emails, or called the numbers, these spammers would probably die off. It is the fault of the masses of people who are all too eager and ignorant. Power through inaction would solve spamming. Well, at least curb it a bit.
So back to the topic at hand, while this is very dastardly, I have never signed up with Facebook, I do not have a MySpace page, I don't do that school class reunion site. These sites with their ads also help keep these scary/shady companies alive too. If they do things that are as bad as this publicly, imagine what they're doing behind our digital backs. Let's see, they have just about your entire personal history, background, lifestyle, etc., not to mention they probably have every single click on their own respective websites completely tracked. They own you and can probably easily guess all of your secret questions for password reminders on any site, such as "Your pet's name" or "city your high school was in" or "what is your favorite color", etc.
Sorry for the paranoia and cynicism. I just don't trust these people, especially without some regulatory oversight. I am totally against said regulatory oversight so I just exercise extreme caution and do not generally sign up for these types of sites.
Have a nice day.
Here's how to stop these scams (Score:5, Insightful)
-Section 2. Personal Use: "The Service is made available to you for your personal use only."
I see two violations here. First of all, they are giving the use of the service to someone other than themselves, violating the word "your". Secondly, they violate the word "personal": this is clearly a business application.
-Section 3. Proper Use: "... Your use of the Service is subject to your acceptance of and compliance with the Agreement, including the Gmail Program Policies
Violations of the program policies include:
- "Generate or facilitate unsolicited commercial email ("spam"). Such activity includes, but is not limited to
-Additionally in Section 3: You shall not "(i) use the Service to upload, transmit or otherwise distribute any content that is unlawful, defamatory, harassing, abusive, fraudulent, obscene, contains viruses, or is otherwise objectionable as reasonably determined by Google;" Again, I find spam harassing.
Given these violations, Google would be well within their rights to terminate the accounts (actually, according to the Terms of Use, they can do that whenever they feel like it, but let's assume they don't want to look too evil). Alternatively, they could send out notices that they will terminate any accounts that have been violated if they don't change their password in the next 10 days. Since so many people would lose, or face impending loss of, their email accounts, services such as Flixster would suddenly have to find a new business model.
While I didn't check, I would bet hotmail, yahoo mail etc. have similar terms of use.
Even if Flixster decided to keep being an ass and collect passwords anyway, that would just mean that people stupid enough to give out their passwords would no longer have email accounts. Either way, I see no loss. Get to it, Google et al.
Re:another nasty trick... (Score:4, Insightful)
That, however, would fall squarely under the category of "cracking". By asking for it, they can claim to have (at least as a pretense) your "permission" to spam your friends and contacts.
I do have to wonder, though, whether this might not count as a DMCA violation for Flixster, regardless of the appearance of having your permission... Virtually all free email hosts have a clause in their terms saying basically that you and only you may use your account. By using it "on your behalf", Flixster has used your password to circumvent an access control mechanism, the magical phrase that triggers a DMCA violation.
Abuse, not Convenience (Score:3, Insightful)
But to give you the benefit of the doubt:
There is absolutely no reason, security or otherwise, for a user's password to be anywhere but between the user's ears or typed in to the one correct "password" box where it applies. Even the company who provides the password-protected service has no need of it, unless they have a severely damaged concept of security.
Asking for someone's password shows a flaming disregard for data security and the privacy of users. It's also an insult to the intelligence of the user. Morally, if you ask for a password, you accept the same responsibility of using that password as the original user. I doubt flixster (or any company) would willingly accept the terms of service that companies usually force on users.
The only reasons to ask for a user's passwords are:
1> To pretend to be that user, which is certain to be against the terms of service of ANY security-conscious provider;
2> To access that user's private data, which would not be password protected without reason.
This is about as severe a character flaw as an internet company could possibly have.
Also, email sent from a password protected account will stain your reputation. Especially if used in court against you. Even though it can easily be challenged, the judge and jury would probably still think hmmmmmmmmmmmmm.
most of the time it's the same password anyway (Score:2, Insightful)
This is just asking permission. Nine out of ten times, they've already got the information.
Still don't like it. The real solution is for the mail providers to provide a secondary authentication measure to provide information from a user's account, like calendar or address book info, without giving away their password.
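Two posts above sketch the same fix: the "Re:Non-Issue" reply's one-time key bound to the third party's IP with a log the user reviews at next login, and this post's "secondary authentication measure" for address-book access that never reveals the password. The following is an added illustration of that design in Python, not code from Flixster, Google or any poster; the class names, token format and outcome strings are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

@dataclass
class DelegationToken:
    user: str
    scope: frozenset        # actions the third party may perform, e.g. {"contacts:read"}
    allowed_ips: frozenset  # addresses the third party's servers may call from
    expires_at: float
    used: bool = False      # one-time: set after the first successful use

class MailProvider:
    """Constructed stand-in for a webmail provider's delegation endpoint."""

    def __init__(self):
        self._tokens = {}   # sha256(raw token) -> DelegationToken
        self._audit = []    # one entry per attempted use, shown to the user later

    @staticmethod
    def _key(raw):
        # Only a hash is stored, so a leaked token table is not a leaked credential.
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue_token(self, user, scope, allowed_ips, ttl_seconds=600):
        """User mints a short-lived, single-use token bound to a scope and caller IPs.
        The raw value goes to the third party instead of the user's password."""
        raw = secrets.token_urlsafe(32)
        self._tokens[self._key(raw)] = DelegationToken(
            user, frozenset(scope), frozenset(allowed_ips), time.time() + ttl_seconds)
        return raw

    def use_token(self, raw, caller_ip, action):
        """Third party presents the token; returns 'ok' or the reason it was refused."""
        tok = self._tokens.get(self._key(raw))
        if tok is None:
            return "unknown_token"    # nothing to attribute to a user, so no audit entry
        if tok.used:
            outcome = "replayed"
        elif time.time() > tok.expires_at:
            outcome = "expired"
        elif caller_ip not in tok.allowed_ips:
            outcome = "wrong_ip"
        elif action not in tok.scope:
            outcome = "out_of_scope"
        else:
            outcome, tok.used = "ok", True
        self._audit.append({"user": tok.user, "ip": caller_ip, "action": action,
                            "outcome": outcome, "at": time.time()})
        return outcome

    def audit_for(self, user):
        """The log the user reviews at next login to approve or dispute what was done."""
        return [e for e in self._audit if e["user"] == user]
```

Refused attempts are logged alongside successes, which is what makes the review step meaningful: the user sees a contact import that came from an unexpected address or tried to send mail instead of reading the address book.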
Re:What I can't believe.... (Score:2, Insightful)
If a girl gets raped when walking through a park alone at night, or after drinking something that a stranger gave her at a party well perhaps she was stupid. That does not let the rapist off the hook!
Some people are just too stupid. They're impossible to protect. They're the people who make it necessary to have three pages of warnings on a knife, who need to be told that a hammer should not be used to smash insects on somebody's head. It's the people who smoke themselves to death... They are the people so stupid that no one has the imagination to even come up with the necessary laws to protect them, and you just have to look at them as an example of Darwin's theory of natural selection.
Re:Facebook does this too. (Score:5, Insightful)
1) Boycott the scummers that use these tactics
Re:Here's how to stop these scams (Score:3, Insightful)
Re:Why don't Gmail block them? (Score:3, Insightful)
1) There's nothing to prevent Flixster from sending employees out to Internet cafés to send the mails, or getting them to do it from home, etc. Sure, it's an inconvenience, but if they're truly determined they could do it. Alternatively, just buy a bunch of modems and get some free dial-up accounts, or use proxies, etc.
2) My company, like probably the vast majority, NATs its LAN. To the outside world, almost every single desktop appears to be behind the same IP address. If Google did prevent a single IP address from accessing more than some small-ish number of accounts, that would inconvenience far more people than just Flixster. I imagine that most other organisations (e.g. universities, schools, etc.) have similar network setups; the days of every desktop having a publicly-routable IP address are long gone.
3) You suggest that Google spends time, money and effort fixing something that almost certainly isn't even a problem for them. The amount of mail this sort of service sends out is going to be a tiny fraction of the total that Google carries; I can't imagine that they even notice it.
Re:Facebook does this too. (Score:2, Insightful)
Re:Why don't Gmail block them? (Score:3, Insightful)
Your idea will fail because:
The problem really isn't Google's concern. Their users should be more careful about whom they give their data to. It's like giving someone on the phone your credit card info because he said you might have won the credit-card lottery. The best thing Google can do is inform their users, but the truth is that they really don't need to do that.
Re:Some crazy man's "great business idea" (Score:2, Insightful)
Ok, I know. If I had spent longer I'm sure I could have come up with another analogy.