Is Flixster Using Deceptive Viral Practices?

Talaria writes "The social networking movie review site Flixster is requesting their users' AOL, Gmail, Yahoo and Hotmail passwords, and then using them to access users' address books and send 'invitations' to join Flixster, making them appear to come from the user. The password prompt screen includes the ISP's logo right next to the password prompt. Rather than hiding this little 'feature,' Flixster brags about it in an interview after receiving $2 million in venture funding earlier this year." American Venture Magazine notes: "...such practices are becoming increasingly... common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget."

  • by advocate_one ( 662832 ) on Monday March 26, 2007 @04:43AM (#18485509)
    Most people try to keep their passwords and usernames to a small number, so they use the same password and username for several different sites... so a nasty trick could be to try using the password for Flixster against the same username for a different account, say Google Mail or MySpace...
  • by suv4x4 ( 956391 ) on Monday March 26, 2007 @04:55AM (#18485557)
    I can literally hear the devs arguing this idea is insane, but their boss insisting on it being implemented.

    And so it came to be. It's crazy not just because it's deceptive, but because it's a security nightmare. If you give your passwords to random sites even for the nicest purposes (which isn't even the case here) it's guaranteed they'll be leaked, and your accounts abused.

    What's next: signing a warrant of attorney to the great Flixster, so they could send your buddies free gifts, funded by your bank accounts and credit cards? It's definitely in the same line of thought as this preposterous scheme here.
  • Maybe (Score:4, Interesting)

    by dysfunct ( 940221 ) * on Monday March 26, 2007 @05:15AM (#18485661)
    This clearly looks like one of those great "thinking out of the box" ideas upper management comes up with in order to pat themselves on the back (and explain their bonuses with) that - apart from being badly thought out in the first place - was also badly implemented. Sending a mail to every single contact in an address book without giving the user any kind of choice might not be the best way to make friends - although for obvious reasons I didn't want to try and find out whether there's a confirmation or something about who this will be sent to. Any volunteers?

    The page in question is formatted to resemble a login gateway page of the various providers (think Microsoft Passport and the like) using the domain part of your email address to decide which provider login to display. Even though I consider myself quite knowledgeable when it comes to security related issues and have done security consulting for various companies, I *might* have fallen for this since it admittedly lowered my suspicions. I doubt Joe Sixpack or even many above-average users would have questioned the purpose of this form.

    Worth noting is their elaborate privacy policy [flixster.com] and the cute picture of a monkey in their terms of service [flixster.com]. Also, the footnote "Flixster does not store this information in any way" seems to have been added after the screenshots in TFA were taken, and I could not find any information on how they connect to the email services (i.e. via a cryptographically safe link or plain text via a Win98 proxy server in Nigeria).

  • Re:Not to mention (Score:4, Interesting)

    by MichaelSmith ( 789609 ) on Monday March 26, 2007 @06:27AM (#18485969) Homepage Journal

    There is no way of telling if the password used is provided to a third party without consent or if the site is hacked. Be careful with your personal data, and keep your login to yourself as much as possible.

    Anybody who gets an account on service X will be asked for a password and a contact email address. Chances are that the password will get you right into their email account, because people don't like having 100s of low security passwords.

    Of course, I trust slashdot not to take my password and try to get into all my other accounts. Am I justified?

  • by TorKlingberg ( 599697 ) on Monday March 26, 2007 @06:39AM (#18486019)
    I suggest Google block Flixster's IPs from logging in to Gmail. That should keep away some of this spam. In general, preventing a single IP from logging in to a lot of accounts sounds like a decent security measure.
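The measure suggested in the comment above, detecting one source address authenticating as many different mailboxes, can be sketched in a few lines. The following is an added illustration by the editor, not code from the discussion or from any mail provider; the log format, addresses, timestamps and thresholds are all constructed for the example. Note that it counts successful logins as well as failures: in the scenario under discussion the credentials are valid, so a failure-only brute-force detector would never fire.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of provider-side login records (not real data).
# One event per line: ISO timestamp, source IP, account, result.
SAMPLE_LOG = """\
2007-03-26T04:40:01 203.0.113.7 alice@example.com success
2007-03-26T04:40:03 203.0.113.7 bob@example.com success
2007-03-26T04:40:04 203.0.113.7 carol@example.com success
2007-03-26T04:40:06 203.0.113.7 dave@example.com success
2007-03-26T04:40:09 203.0.113.7 erin@example.com failure
2007-03-26T04:40:11 203.0.113.7 frank@example.com success
2007-03-26T04:41:00 198.51.100.2 alice@example.com success
2007-03-26T04:41:30 198.51.100.2 alice@example.com success
2007-03-26T05:10:00 192.0.2.9 gina@example.com success
2007-03-26T05:10:05 192.0.2.9 hank@example.com success
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account.lower(), result))
    return events


def find_account_hopping(events, max_accounts=4, window=timedelta(minutes=10)):
    """Return {ip: set_of_accounts} for every source IP that authenticates as
    more than `max_accounts` distinct accounts inside any sliding `window`.

    Successes and failures both count: the abuse pattern here is valid
    credentials used from one place on behalf of many different users.
    """
    per_ip = defaultdict(deque)   # ip -> recent (timestamp, account), oldest first
    flagged = {}
    for ts, ip, account, _result in sorted(events):
        recent = per_ip[ip]
        recent.append((ts, account))
        # Drop events that fell out of the window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct = {acct for _, acct in recent}
        if len(distinct) > max_accounts:
            flagged.setdefault(ip, set()).update(distinct)
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_account_hopping(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {len(accounts)} distinct accounts in window -> throttle or block")
```

The threshold is the hard part in practice: a corporate NAT, a university proxy or a webmail gateway legitimately logs in to hundreds of mailboxes from one address, so a rule like this is a signal to rate-limit or challenge, not an automatic block, and the limit has to be tuned per address class.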
  • by mcleaver ( 105698 ) on Monday March 26, 2007 @07:39AM (#18486263) Homepage
    I received an MSN message from a friend inviting me to see who had banned me from their MSN listing. I only had to log on to the site (http://www.get-messenger.com/) and give them my MSN name and password (also for Passport!)
    My friend and apparently many others had done so. How do we close down crooks like this?
  • by Moraelin ( 679338 ) on Monday March 26, 2007 @07:40AM (#18486283) Journal
    So be smart and don't use the same password for your email and for accounts to random web sites.

    If you have to re-use passwords, at the very least do something like having half a dozen passwords, one for each category. One for your email, one for web forums, one for work, one for the home computer (but use a firewall anyway), one for PayPal/Ebay/whatever, one for MMOs or whatever. Ok, maybe you don't like having 100 passwords, but you _can_ remember 5-6 passwords, right?

    That way if one is compromised, basically the only access they get is within the same category. If someone gets your Slashdot password, they can at most then spam some other forum in your name. Maybe do some spam link. That's not even in the same class as having full access to your email and your address book and the password to your Ebay or PayPal accounts.

    For best results, also consider having a different user name for each. E.g., I hope your PayPal account isn't under the username MichaelSmith.

    The problem is that if your email is breached, not only can they read your email and spam your friends, they can also use that as a beachhead to get even more stuff. E.g., even if you didn't use the same password on, say, Paypal or Ebay, as long as they have your username and can read your email, it's trivial to just go to PayPal or Ebay and do a "I forgot my password" in your name. Congrats, now there's nothing to stop them from transferring your PayPal money to an account in East Bumfuckistan or from running some scam in your name on Ebay.

    So basically please _be_ paranoid about these things. It's not just a case of "bah, all they can do is spam my friends a little" or "bah, none of my emails are secret anyway", as some people seem to assume. Email is used in so many aspects every day, or can be used without raising any alarm flags on the recipients' side, that losing control of it can be pretty much _the_ one most important step you could take towards getting your identity stolen. Do be careful.
  • by Flixster Guy ( 1080321 ) on Monday March 26, 2007 @01:33PM (#18490083)
    Hi all,

    I am one of the co-founders of flixster - a friend pointed me to this discussion. I would like to clarify a few things:

    1. We DO offer the ability for users to select friends from their hotmail/yahoo/etc address books. This is a very common practice on social sites like ours - LinkedIn/Yelp/Facebook/MySpace/StumbleUpon/etc all do exactly the same thing. It's an optional convenience feature for users and we are not deceptive or misleading about it in any way.

    2. We do NOT store anyone's username/pwd info in any way. We use it one-time only to retrieve their contacts as they go through the invitation process and that is it.

    3. We NEVER send invitations without the user's consent. For users that access their address books, the next screen is always just a list of their contacts and they get to select whom to invite.

    4. We are a small company and we take our users' privacy very seriously. Needless to say I am disappointed that we somehow became the example site around which to have this discussion - although it is actually a good discussion to have. The world would be a safer place for users if all of these social platforms (MySpace counts too - tons of sites ask for MySpace passwords to auto-post widgets onto your page - it's the same thing) had secure APIs which would allow reputable companies to integrate with them in ways that were still user friendly. We and many others would welcome this - it's just not there yet.

    If you have questions about flixster or further thoughts on this in general - feel free to drop me a note via the link above.

    Sincerely,
    Joe G
    Flixster Co-founder
