Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Is Flixster Using Deceptive Viral Practices?

kdawson posted more than 7 years ago | from the password-please dept.

Privacy 190

Talaria writes "The social networking movie review site Flixster is requesting their users' AOL, Gmail, Yahoo and Hotmail passwords, and then using them to access users' address books and send 'invitations' to join Flixster, making them appear to come from the user. The password prompt screen includes the ISP's logo right next to the password prompt. Rather than hiding this little 'feature,' Flixster brags about it in an interview after receiving $2 million in venture funding earlier this year." American Venture Magazine notes: "...such practices are becoming increasingly... common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget."

cancel ×

190 comments

Sorry! There are no comments related to the filter you selected.

Facebook does this too. (4, Informative)

Anonymous Coward | more than 7 years ago | (#18485477)

Facebook does they same. They ask for your e-mail address and e-mail address password, then spam your contact list. I can't believe people will give them their password, but some actually do. Preposterous!

Re:Facebook does this too. (0)

Anonymous Coward | more than 7 years ago | (#18485585)

Easy solution:

1) Open a new hotmail account.
2) Don't add any contacts.
3) Use this address to open accounts on viral sites.

Re:Facebook does this too. (4, Insightful)

Zonk (troll) (1026140) | more than 7 years ago | (#18486227)

Better solution:

1) Boycott the scummers that use these tactics

Re:Facebook does this too. (2, Informative)

Anonymous Coward | more than 7 years ago | (#18485611)

Yes Facebook does this too, but differently. With Facebook, if you give them your email login/password, they'll grab your address book and see who else you can add as a friend. You can select who it will and won't send an email to. With this, on the other hand, it looks like it just blasts spam out to everyone in your address book.

Re:Facebook does this too. (5, Informative)

scsscs (669925) | more than 7 years ago | (#18485783)

The article makes it sound that way but it's not the case. They do prompt you to select which contacts to send an email to.

Re:Facebook does this too. (5, Insightful)

Tim C (15259) | more than 7 years ago | (#18485807)

The point remains that not only do these sites ask for your email account password, but people actually let them have them. I personally find it utterly incredible that they even ask; this is so open to potential abuse that I can hardly think where to start. Sure, you can always change your password if they do start to abuse it (if they don't change it first!), but by then the damage may already be done.

Re:Facebook does this too. (2, Insightful)

Ostsol (960323) | more than 7 years ago | (#18486457)

Yeah, that was my first reaction to this -- especially since 99.9% of products and services for which you set a password tell you never to give it to anyone. Add to that the frequent reports of identity and information theft in the media. . .

Re:Facebook does this too. (1)

AceJohnny (253840) | more than 7 years ago | (#18486645)

I personally find it utterly incredible that they even ask

That's exactly how social engineering works. Ask something incredible enough that people will think you've got a really good reason and have got the right authorizations to ask it in the first place!

It's exactly like walking out of the office purposefully with that very expensive projector. As long as it looks like you know what you're doing, people won't think twice.

What I can't believe.... (0, Offtopic)

EmbeddedJanitor (597831) | more than 7 years ago | (#18485695)

is that bastards that work like this don't get shut down/prosecuted. Yes, users should not be that stupid.

If a girl gets raped when walking through a park alone at night, or after drinking something that a stranger gave her at a party well perhaps she was stupid. That does not let the rapist off the hook!

Re:What I can't believe.... (2, Insightful)

Lavene (1025400) | more than 7 years ago | (#18486123)

is that bastards that work like this don't get shut down/prosecuted. Yes, users should not be that stupid.

If a girl gets raped when walking through a park alone at night, or after drinking something that a stranger gave her at a party well perhaps she was stupid. That does not let the rapist off the hook!

Sooo... if I ask you for your password and you give it to me... I'm to blame? Like I go; "Hi, I need your e-mail address and password so I can access your address book and send e-mails in your name" And you say "Sure, sounds good to me."

Some people are just too stupid. They're impossible to protect. They're the people that makes it necessary to have three pages of warnings on a knife, that need to be told that a hammer should not be used to smash insects on somebody's head. It's the people that smokes them self to death... They are the people so stupid that no one has the imagination to even come up with the necessary laws to protect them and you just have to look at them as an example of Darwin's theory of natural selection.

Re:What I can't believe.... (1)

DaveCar (189300) | more than 7 years ago | (#18486277)

It is a pretty despicable practice, but your analogy is not quite right (to the extent that any analogy can be, particularly something that is going to be as emotive as rape).

It would be more like the girl going into a park but having to sign a "By walking through this park you agree to have sexual intercourse with me -- A Rapist" disclaimer.

If they do only what they declare -- send invites to the selected contacts -- and don't use the addresses harvested or your account for any other purposes then fair enough. It might be hiding in plain sight, a bit sneaky, and a bit of a shit thing to do, but the user consented.

Clearly the girl who signs such a disclaimer in order to walk through the park or to accept a drink would be a fool.

Re:What I can't believe.... (0, Flamebait)

cdrudge (68377) | more than 7 years ago | (#18486297)

Your comparing the voluntary (but still deceptive) spamming of people with someone getting raped? That is wrong on so many levels. You win the award of bad analogy of the year.

Exactly; not new (5, Informative)

blowdart (31458) | more than 7 years ago | (#18485917)

sms.ac did exactly the same thing; but didn't ask permission to email people. Whilst you'd think people would know better even Joi Ito got caught by this, what's worse is they spammed before the signup process was complete. Joi immediately quit using the service and blogged a public apology [ito.com] , referring to sms.ac as spammers. Next thing you know they sent him a cease and desist [ito.com] demanding Joi stopped calling them spammers.

Re:Exactly; not new (1)

rjshields (719665) | more than 7 years ago | (#18485995)

You've gotta love their cease and decist letter:

The text, colors, drawings, images, and multiple logos are further protected under the Copyright laws of the United States as well as International treaties.
Their logo is a blatant rip-off of the ebay logo! Bunch of spamming cnuts!

Re:Facebook does this too. (3, Insightful)

RazzleDazzle (442937) | more than 7 years ago | (#18485947)

Well why do you think spamming is actually a productive/sucessful business model? Because dumbass people actually attempt to purchase freely give their bank acct # for a share of $1.5 billion from some poor African country scam, want increase their manly juice giver with see-al1s, are looking for a low 5.1% mortgage refinance, want to meet the local barely legals, etc.

Think about it, if people never clicked on the links, replied to the emails, or called the numbers these spammers would probably die off. It is the fault of the masses of people to are all too eager and ignorant. Power thru inaction would solve spamming. Well, at least curb it a bit.

So back to the topic at hand, while this is very dasterdly, I have never signed up with facebook, I do not have a myspace page, i don't do that school class reunion site. These sites with their ads also help keep these scary/shady companies alive too. If they do things that are as bad as this publicly, imagine what they're doing behind our digital backs. Let's see, they have just about your entire personal history, background, lifestyle, etc. not mention they probably have every single click on their own respective websites completely tracked. They own you and can probably easily guess all of your secret questions for password reminders on any site such as "Your pets name" or "city your high school was in" or "what is your favorite color", etc.

Sorry for the paranoia and cynicism. I just don't trust these people, especially without some regulatory oversight. I am totally against said regulatory oversight so I just exercise extreme caution and do not generally sign up for these types of sites.

Have a nice day.

Re: Facebook does this too. (1)

mikiN (75494) | more than 7 years ago | (#18486075)

And so does Tagged.com.

So does Get-Messenger (3, Interesting)

mcleaver (105698) | more than 7 years ago | (#18486263)

I received an MSN message from a friend inviting me to see who had banned me from their MSN listing. I only had to log on to the site (http://www.get-messenger.com/) and give them my MSN name and password (also for Passport!)
My friend and apparently many others had done so. How do we close down crooks like this?

My Gmail password?! (4, Insightful)

mpiktas (740253) | more than 7 years ago | (#18485483)

They can pry it only from my cold unresisting hands. If any site asked for it, not only I would not give it, but I would write a nasty letter, telling to shove their request so high up the ass, that it would be possible to see, when they open their mouths.

Re:My Gmail password?! (3, Funny)

joshier (957448) | more than 7 years ago | (#18485601)

If any company does this to me, I shit in a bag and send it to them.
If they want to send me some of their shit, I send them some of fucking mine.

Re:My Gmail password?! (2, Informative)

bkr1_2k (237627) | more than 7 years ago | (#18486607)

Fair warning, don't put a return address on that. It's a federal offense to send hazardous material (feces being classified as biohazard) through the mail. At least in the USA.

Not to mention (2, Informative)

Z00L00K (682162) | more than 7 years ago | (#18485489)

that this technique is a goldmine for spammers, phishers and other malware producers.

There is no way of telling if the password used is provided to a third party without consent or if the site is hacked. Be careful with your personal data, and keep your login to yourself as much as possible.

If you create a site with interactive content - think twice before if you really need your visitors to log in to request the content.

Re:Not to mention (3, Interesting)

MichaelSmith (789609) | more than 7 years ago | (#18485969)

There is no way of telling if the password used is provided to a third party without consent or if the site is hacked. Be careful with your personal data, and keep your login to yourself as much as possible.

Anybody who gets an account on service X will be asked for a password and a contact email address. Chances are that the password will get you right into their email account, because people don't like having 100s of low security passwords.

Of course, I trust slashdot not to take my password and try to get into all my other accounts. Am I justified?

So be smart, don't use the same (2, Interesting)

Moraelin (679338) | more than 7 years ago | (#18486283)

So be smart and don't use the same password for your email and for accounts to random web sites.

If you have to re-use passwords, at the very least do something like having half a dozen passwords, one for each category. One for your email, one for web forums, one for work, one for the home computer (but use a firewall anyway), one for PayPal/Ebay/whatever, one for MMOs or whatever. Ok, maybe you don't like having 100 passwords, but you _can_ remember 5-6 passwords, right?

That way if one is compromised, basically the only access they get is within the same category. If someone gets your Slashdot password, they can at most then spam some other forum in your name. Maybe do some spam link. That's not even in the same class as having full access to your email and your address book and the password to your Ebay or PayPal accounts.

For best results, also consider having a different user name for each. E.g., I hope your PayPal account isn't under the username MichaelSmith.

The problem is that if your email is breached, not only can they read your email and spam your friends, they can also use that as a beachhead to get even more stuff. E.g., even if you didn't use the same password on, say, Paypal or Ebay, as long as they have your username and can read your email, it's trivial to just go to PayPal or Ebay and do a "I forgot my password" in your name. Congrats, now there's nothing to stop them from transferring your PayPal money to an account in East Bumfuckistan or from running some scam in your name on Ebay.

So basically please _be_ paranoid about these things. It's not just a case of "bah, all they can do is spam my friends a little" or "bah, none of my emails are secret anyway", as some people seem to assume. Email is used in so many aspects every day, or can be used without raising any alarm flags on the recepients' side, that losing control of it can be pretty much _the_ one most important step you could take towards getting your identity stolen. Do be careful.

Re:Not to mention (2, Informative)

ZachPruckowski (918562) | more than 7 years ago | (#18486291)

A most PHP-based sites don't actually store your password, they store a hash of your password. So at a lot of honest sites, this isn't even a concern. This is why they have to reset your password for you instead of just emailing it to you.

Re:Not to mention (0)

Anonymous Coward | more than 7 years ago | (#18486513)

they store a hash of your password. So at a lot of honest sites, this isn't even a concern.

That's absurd -- regardless of how the passwords are encrypted, the site has a chance to get the plaintext every time you log in. The only real solution is public-key crypto, but you need an IQ of around 110 to understand the basics, so most of the population simply cannot use it.

Unethical behavior = $$$ (1)

ServerIrv (840609) | more than 7 years ago | (#18485499)

I'm not really surprised that another company on the way to the venture capital bank lost any sense of morals it used to have.

If you give a website your password to your email account, you are to blame. If the company is hacking into your accounts to send out its viral invites...that's when the crap needs to hit the fan.

Unethical behavior = SUED FOR $$$?? (1)

Dogtanian (588974) | more than 7 years ago | (#18485913)

If you give a website your password to your email account, you are to blame. If the company is hacking into your accounts to send out its viral invites...that's when the crap needs to hit the fan.
The users are partly to blame for being stupid, but the use of the logos in the article's screenshots *could* reasonably be taken to imply Hotmail/AOL's endorsement. Even simply asking for an AOL/Hotmail password could lead some to assume that there's an association.

Yes, they shouldn't assume; but that's the way things normally work. Flickr asks for your Yahoo account, because they're associated, so this is the same thing? Wrong, of course.

But I think that this is a whole world of legal pain for Flixster. (Disclaimer, IANAL). For one thing, regardless of whether they think they have given "permission", what they are doing is probably against the Hotmail/AOL terms of service. That the account owners may have broken these by giving away the password does not entitle Flixster to access the accounts or exclude them from charges of unauthorised access.

And, as stated above, the use of logos may be considered misleading or indicative of some (nonexistent) endorsement, and if AOL/Hotmail can demonstrate that some users may have been given this impression (even simply by the lack of sufficient disclaimers on the same page), Flixster could be legally up to their necks in it.

Personally, I think they could be sued into oblivion.

blogspam (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18485505)

This is the real original article [tinyurl.com] . Posted anonymous to avoid whoring.

Re:blogspam (2, Funny)

Anonymous Coward | more than 7 years ago | (#18485631)

That's pretty tragic when you can't figure out how to create a tinyurl for goatse, mate.

Re:blogspam (-1, Offtopic)

alphamugwump (918799) | more than 7 years ago | (#18485653)

sigh. I know.

another nasty trick... (4, Interesting)

advocate_one (662832) | more than 7 years ago | (#18485509)

Most people try and keep their passwords and usernames to a small number so use the same password and username for several different sites... so a nasty trick could be to try using the password for flixter against the same username for a different account say google mail or myspace...

Re:another nasty trick... (3, Insightful)

pla (258480) | more than 7 years ago | (#18485963)

Most people try and keep their passwords and usernames to a small number so use the same password and username for several different sites... so a nasty trick could be to try using the password for flixter against the same username for a different account say google mail or myspace...

That, however, would fall squarely under the category of "cracking". By asking for it, they can claim to have (at least as a pretense) your "permission" to spam your friends and contacts.

I do have to wonder, though, whether this might not count as a DMCA violation for Flixster, regardless of the appearance of having your permission... Virtually all free email hosts have a clause in their terms saying basically that you and only you may use your account. By using it "on your behalf", Flixster has used your password to circumvent an access control mechanism, the magical phrase that triggers a DMCA violation.

Re:another nasty trick... (1)

ajs318 (655362) | more than 7 years ago | (#18486133)

I would have thought that handing over the passwords in the first place would constitute a ToS violation.

Part of me hopes people will end up getting themselves banned from GMail, AOL, Hotmail &c. because of this, if only in order to generate some publicity and draw some attention. You wouldn't give a shady stranger the keys to your home. Why let them into your email accounts?

If you want... (1)

spammeister (586331) | more than 7 years ago | (#18485537)

You can just put your /. username and password as a reply to this reply and I'll be sure to send all your friends invites to Slashdot (as if we didn't have enough hosers already)...

Re:If you want... (1)

nick1000 (914998) | more than 7 years ago | (#18485709)

Does you service help people who don't have any friends?

Re:If you want... (0)

Anonymous Coward | more than 7 years ago | (#18485855)

Username: AC
Password: 5318008

Non-Issue (4, Informative)

earnest murderer (888716) | more than 7 years ago | (#18485547)

If you look at the lousy screen shots it is painfully obvious they are being up front and quite clear what they intend to do and how to skip the invitation process.

I'm not saying I'm a fan of their scheme, but it's not like they're scamming anyone. You even get to select who you want to invite.

I guess some people feel they have to produce content, even if they have to dress a non-story up in inflammatory language and ignore the facts of the situation. Gotta drive those Adsense impressions.

Re:Non-Issue (1)

mpiktas (740253) | more than 7 years ago | (#18485589)

I looked again at the screenshots, and yes it is possible to skip the invitation process. But still, you cannot say that this is a non-issue. If the Flixster script for accessing contacts has a bug, you are running risk of becoming a spammer, through no fault of your own. And from other comments you can see that this is exactly the case.

Re:Non-Issue (1)

earnest murderer (888716) | more than 7 years ago | (#18485649)

The point of the article is that users are being scammed into providing their login information. This is not the case.

Sure there is a different security issue regarding providing login information to 3rd parties... a quite serious problem I agree, but that's not the point of the article. That they missed the much more credible and important argument on security policy speaks volumes. Cynical perhaps, but security articles don't bring in nearly as many readers as "OMG SPAMMER!@!!!one!1"

I'll point out again that their content is designed to match their Google Adsense ad's. This is not someone who is terribly concerned with what they are writing about as much as getting (or confusing) people into clicking some ad's.

Re:Non-Issue (3, Insightful)

forkazoo (138186) | more than 7 years ago | (#18485671)

If you look at the lousy screen shots it is painfully obvious they are being up front and quite clear what they intend to do and how to skip the invitation process.

I'm not saying I'm a fan of their scheme, but it's not like they're scamming anyone. You even get to select who you want to invite.

I guess some people feel they have to produce content, even if they have to dress a non-story up in inflammatory language and ignore the facts of the situation. Gotta drive those Adsense impressions.


I recently signed up with Facebook to get in touch with some old friends and generally pretend to be one of the cool kids. They have a similar feature where I was able to provide my login information for gmail or yahoo, and it would automatically dend friend requests to folks in my address books. Sure, it's a bit stupid to provide your login information to a third party. If that information is stored, then yes it could be breached. But, ultimately the facebook feature and the one in this article are apparently very straightforward. A user can choose to share the login information with a third party. As long as that third party does what they say they will, I'm not sure where the issue is.

Ideally, webmail providers would get together with the folks who impliment these sorts of features, and make some sort of easy way to generate a one time use password that can only be used by an IP assigned to the domain that is supposed to use it. Then, you could impliment this sort of thing without needing as much trust. Then, the next time you login to your webmail, it pops up a message saying that "XYZ domain used the one time key you generated on X date to attempt the following actions. Please look over this log and make sure it is what you wanted them to do and click approve or deny."

But, the security issue doesn't even seem to be the main complaint of the article. It's just all huffy about them doing what they say they will, and declaring it deceptive.

Re:Non-Issue (1)

bazorg (911295) | more than 7 years ago | (#18486223)

Ideally, webmail providers would get together with the folks who impliment these sorts of features, and make some sort of easy way to generate a one time use password that can only be used by an IP assigned to the domain that is supposed to use it

Either that or all of them could support import/export contacts in CSV or whatever so that the user does not need to allow an invisible/untraceable transaction with his/her passwword.

Re:Non-Issue (1)

Vincman (584156) | more than 7 years ago | (#18485743)

I'm not sure about the "deceptive" part, but http://www.stumbleupon.com/ [stumbleupon.com] just did the exact same thing to me, causing me to send invites to 100s of people. And of course, I feel stupid now, though I can't say that Stumbler's intent was 100% clear--by which I mean, a warning spelled out in big bold red letters warning me that each of these people would be sent a mail. I'm sure it says it somewhere in the fine print, but is that really enough?

Re:Non-Issue (0)

Anonymous Coward | more than 7 years ago | (#18485809)

"You are about to open the gates of Spam Hell upon the unsuspecting world- Cancel or Allow?"

Some people don't read or understand the fine print. Some other people count upon that behavior.

Some crazy man's "great business idea" (4, Interesting)

suv4x4 (956391) | more than 7 years ago | (#18485557)

I can literally hear the devs arguing this idea is insane, but their boss insisting on being implemented.

And so it came to be. It's crazy not just because it's deceptive, but because it's a security nightmare. If you give your passwords to random sites even for the nicest purposes (which isn't even the case here) it's guaranteed they'll be leaked, and your accounts abused.

What's next: signing a warrant of attorney so the great Flixster, so they could send your buddies free gifts, funded by your bank accounts and credit cards? It's definitely in the same line of thought as this preposterous scheme here.

Re:Some crazy man's "great business idea" (1)

DavidpFitz (136265) | more than 7 years ago | (#18485639)

I can literally hear the devs arguing this idea is insane, but their boss insisting on being implemented.
Really? Literally, actually hear them? Unless you work there, they must be screaming pretty loudly!

Seriously though, any developer should not be screaming about this - it's a functional issue with this site, not a technical one. Their boss might "insist" on this being implemented, because it was in the signed off functional spec. which the developer is paid to implement.

D.

Re:Some crazy man's "great business idea" (0, Troll)

suv4x4 (956391) | more than 7 years ago | (#18485689)

Really? Literally, actually hear them?

Yes, literally. It's a mental disorder.

Their boss might "insist" on this being implemented, because it was in the signed off functional spec. which the developer is paid to implement.

Since I work in this industry, I know it's the industry with the most terrible feature creep of all. I bet their boss didn't have a clue what he wanted when they started it and they were making up their mind as they go.

Re:Some crazy man's "great business idea" (1)

DavidpFitz (136265) | more than 7 years ago | (#18486387)

Since I work in this industry, I know it's the industry with the most terrible feature creep of all
Sorry, but you'd need either more experience in a lot of other industries to base that against, or have read a detailed study (which wouldn't need you to have any experience in any industry) - either way, just working in one industry (or two, or three) does not qualify you to make that statement.

And anyway, feature creep is only that if the feature was not part of the initial spec - which it might well have been. In fact, I'd lay money on it. Feature creep, you know, is generally regarded as the number of features/requirements which get raised after the initial sign-off.

Re:Some crazy man's "great business idea" (1)

suv4x4 (956391) | more than 7 years ago | (#18486537)

Sorry, but you'd need either more experience in a lot of other industries to base that against, or have read a detailed study (which wouldn't need you to have any experience in any industry) - either way, just working in one industry (or two, or three) does not qualify you to make that statement.

Common sense still beats the logical fallacy I'm supposed to participate in. How often do you believe (and I don't use a study for this, warning) these happen in the real world:

Building a house. Almost done, the client says: "hm.. I knew it, this kinda makes the street look dark, chop off the last floor, won't be hard I think".

Building a sedan, the entire factory is set and ready to start mass production. Client shows up: "guys, good news, we're making this a truck! Cool huh!?"

Re:Some crazy man's "great business idea" (1)

DavidpFitz (136265) | more than 7 years ago | (#18486621)

Building a sedan, the entire factory is set and ready to start mass production. Client shows up: "guys, good news, we're making this a truck! Cool huh!?"
Have you ever seen a Citroen Berlingo!? :-)

Re:Some crazy man's "great business idea" (3, Insightful)

Stooshie (993666) | more than 7 years ago | (#18485691)

... Their boss might "insist" on this being implemented, because it was in the signed off functional spec. which the developer is paid to implement. ...

I was only doing my job M'Lud.

Now where have I heard that one before.

Re:Some crazy man's "great business idea" (1)

DavidpFitz (136265) | more than 7 years ago | (#18486403)

I was only doing my job M'Lud.
Well, try refusing to implement a feature in some in-the-scheme-of-things unimportant software and you'll find yourself without a job to be "only doing".

Kinda different if you were being asked to implement features which were in breach of law - but this isn't kinda different like that.

Re:Some crazy man's "great business idea" (1)

Stooshie (993666) | more than 7 years ago | (#18486591)

... try refusing to implement a feature in some in-the-scheme-of-things unimportant software ...

I know what you are saying, and implenting the code on Flixster is a small, unimportant thing. However, it's like a rolling snowball. Take 1930's Germany as an example. The trouble didn't start by implementing a policy of killing all Jews/Disabled/Homosexuals/Gypsies... It started with a small number of people blaming the jews for Germany's ills and then gathering more people, then escalting violence against the jews resulting in Kristallnacht [wikipedia.org] , then starting to implement a policy of not allowing Jews to own property and then implementing concentration camps.

Now, I'm not arguing that implementing the above code could lead to Secret police or Naz-ism but if we have certain principles, we should stick by them.

Plaxo, facebook, Taggedmail do it too (1)

romit_icarus (613431) | more than 7 years ago | (#18485579)

Other mainstream companies that use are Plaxo, Facebook and Taggedmail.

I'm just surprised how these guys get funded at all. Anyone will tell you that this practice is unsustainable, not to mention unethical.

Re:Plaxo, facebook, Taggedmail do it too (1)

BiggerIsBetter (682164) | more than 7 years ago | (#18485757)

Anyone will tell you that this practice is unsustainable, not to mention unethical.

Ethics and sustainability only serve to limit the return on the VC's investment.

Is this guy serious? (1)

bryan1945 (301828) | more than 7 years ago | (#18485635)

From the 2nd article-

"We make it easy to invite your friends. Other sites don't provide good ways for people to spread the word."

What, like calling your friend and saying "Hey, this is a great site" or emailing them and saying "Hey, this is a great site" or texting them and saying "Hey, this is a great site" or walking up to them and saying "Hey, this is a great site"? (Did I make my point?)

From "Blaster.virus.com"- "Hey, we have a great site and we're going to check out you email address list and send email to everyone on it and tell them 'Hey, we have a great virus'."

This most be the most redundent post ever on /.

I'm almost ashamed. Except these idiots are worse. Well, there is also the RIAA, MPAA, Microsoft on certain weeks, SCO, various politicos, sometimes the USA, generally always the BSA, Taco Bell for getting rid of the burrito chiwawa (I have no idea how to spell that), George Lucas for his "remakes", Brannon Braga for screwing up Star Trek, the Sci-Fi channel for canceling Stargate, TNT for screwing up Bab5, whoever cancelled Threshold, L Ron Hubbard for going nuts after writing "Battelfield Earth", Scientology in general, the 4 Horsemen, cats and dogs living together, and general anarachy!

Did I miss anyone? :>

Wow (0)

kahei (466208) | more than 7 years ago | (#18485641)

That's breathtakingly evil. But like a lot of breathtakingly evil things, especially the smaller-scale ones, it first requires breathtaking stupidity on the part of the victim.

So in a sense it balances out.

Re:Wow (1)

nick1000 (914998) | more than 7 years ago | (#18485881)

That's breathtakingly evil. But like a lot of breathtakingly evil things, especially the smaller-scale ones, it first requires breathtaking stupidity on the part of the victim.
I don't think this means, what you think it means.


More seriously though, Victim???


Personally, I don't give a damn whether these sites contact people on my contacts list, as long as they keep providing me with the service that I signed up for.

It's not stupidity of any kind. Of course I only sign up for these systems when the service is decently well known like Technocrati, Orkut or such. The worst they can do is to steal my account and send unauthorized mails. If this starts to happen, while I'll just create a new email account; these companies would lose a big client base.

Myspace, facebook, gmail, yahoo (-1, Flamebait)

descil (119554) | more than 7 years ago | (#18485659)

Who the fuck cares, everyone does it and it's no big deal. They tell you exactly what they're doing and they do it only when you say so. So what? Get over your puny idea that robots knowing your passwords is bad. It's a Good Thing(tm).

Watch, Microsoft will patent it, and then it will be another "great idea" microsoft has stolen from the world. *snrk*

I care (0)

Anonymous Coward | more than 7 years ago | (#18486077)

I care,

I care because it's unwanted behavior.
I care because it's private information.
I care because some of the sites other mention here as also doing this, I have signed up to and I didn't know they were doing this.

I care. I care enough to wonder how I can get a CEO prosecuted.

"everyone does it and it's no big deal"
No, only a few are doing this and think they've got away with it because nobody noticed.

Maybe (4, Interesting)

dysfunct (940221) | more than 7 years ago | (#18485661)

This clearly looks like one of those great "thinking out of the box" ideas upper management come up with in order to pat themselves on their back (and explain their bonuses with) that - apart from being badly thought out in the first place - also was badly implemented. Sending a mail to every single contact in an address book without giving the user any kind of choice might not be the best way to make friends - although due to obvious reasons I didn't want to try and find out whether there's a confirmation or something who this will be sent to. Any volunteers?

The page in question is formatted to resemble a login gateway page of the various providers (think Microsoft Passport and the like) using the domain part of your email address to decide which provider login to display. Even though I consider myself quite knowledgeable when it comes to security related issues and have done security consulting for various companies, I *might* have fallen for this since it admittedly lowered my suspicions. I doubt Joe Sixpack or even many above-average users would have questioned the purpose of this form.

Worth noting is their elaborate privacy policy [flixster.com] and the cute picture of a monkey in their terms of service [flixster.com] . Also, the footnote "Flixster does not store this information in any way" seems to have been added after the screen shots in TFA were taken and I could not find any information on how they connect to the email services (i.e. via a cryptographically safe link or plain text via a Win98 proxy server in Nigeria)

Phishing made easy (5, Insightful)

the_doctor_23 (945852) | more than 7 years ago | (#18485663)

After spending time and again to train our users not to give out passwords and other sensitive information, this feels like a smack in the face.
As this practice gets more common, people will lower their guards (if they had them in the first place) and become conditioned to give out their password to anyone who asks.
I can already hear them say "... but the website asked me for it... was that wrong?" *sigh*

Re:Phishing made easy (1)

Kjella (173770) | more than 7 years ago | (#18486001)

Well, let them burn... your email account typically has a bunch of password emails, and even if you delete those most sites have a simple "I forgot my password" form that doesn't require anything. One thing would be to give someone access to your contact list, but this is basicly giving them the whole motherload. Plus a very nice way to create a very credible trojan horse so you'll run it on your machine, like say taking any jpg attachment and replace it with an identical mail but with a .jpg.exe instead. If it looks like it comes from your friend, even the contents are real then 99.9% of all people will fall for it.

Re:Phishing made easy (1)

ockegheim (808089) | more than 7 years ago | (#18486155)

Yes, what's with emailing passwords? My ISP, which I have few complaints otherwise, made me go through an arduous process to pick a password, then the modem arrived pre-configured with the password and the username and password printed out in their letter. It makes it easy for a beginner to configure but makes a mockery of secure passwords.

Re:Phishing made easy (1)

MichaelSmith (789609) | more than 7 years ago | (#18486043)

I can already hear them say "... but the website asked me for it... was that wrong?" *sigh*

Several swimming pools near my home will give out locker keys but require your car keys as security. Whenever I go along I have this huge argument about it. I will happily give them a fifty dollar note as security. The car is worth a lot more than that to me and a replacement locker key is perhaps 10 dollars. They should be happy with the 50.

But everbody else hands over their keys. Pool staff could be out on the road kidnapping children for sex and running over little old ladies for all anybody knows. My car keys stay in my pocket. I am such a paranoid idiot.

Re:Phishing made easy (0)

Anonymous Coward | more than 7 years ago | (#18486319)

"I can already hear them say "... but the website asked me for it... was that wrong?" *sigh*"

And the problem is that businesses are becoming more and more thieverous in the first place, the line between "business plan" and extortion and being a criminal is becoming paper thin. Perhaps it always was, this is capitalism after all: Take in more money (energy) then goes out, the perpetual motion machine, no wonder the system requires constant growth. The fact is trust is breaking down at an incredible rate, if it gets too bad people will stop using websites for fear of being screwed again.

Some people will fill in anything on the web (1)

gsslay (807818) | more than 7 years ago | (#18485693)

What's interesting is that apparently some people are supplying this information to Flixster without a second thought, and perhaps under the impression that they're actually submitting it to AOL/Yahoo/whatever.

So the next question would be; if they had a similar page with the Bank Of America/Barclays/whatever logo, would people be just as happy to give their details for them?

Either way, it's scary. Scary that Flixster thinks this is an acceptable way to market themselves, scary that people are letting them.

Re:Some people will fill in anything on the web (1)

Zelos (1050172) | more than 7 years ago | (#18485703)

I don't understand why anyone would do it, but I've seen otherwise perfectly sensible people do it. I've even explained why it's a bad idea, had the person say "oh, right", and then a few weeks later they've gone and done it anyway. Apart from anything else, how many sites are there that allow you to recover a lost password through email? Do you really want some guy at Flixster to be able to get your Amazon password?

FUD (2, Informative)

scsscs (669925) | more than 7 years ago | (#18485705)

This isn't new, it's done by almost every social network. As long as it doesn't automatically spam your entire address book it's a perfectly acceptable feature.

Re:FUD (0)

Anonymous Coward | more than 7 years ago | (#18485727)

This is true. The real issue with Flixster is that they don't just send one email, they continue to do so until the person registers an account.

Bullshit - this is plain vanilla misrepresentation (1)

cheros (223479) | more than 7 years ago | (#18485791)

There is no way I would allow a company to use my name or email address to send email on my behalf. This is misrepresentation and is simply illegal. To put this in perspective, what do you think would happen if you sent an email in the name of George Bush to the FBI?

In this case it's certainly worth reading the Terms & Conditions - if that 'feature' isn't in there you ought to be able to sue the hell out of them.

Re:FUD (1)

gsslay (807818) | more than 7 years ago | (#18485795)

Well it's new to me.

I know of lots of websites that do something similar, but the important difference would be that;

  - they only spoof your address, the email does not actually come from your email account
  - they don't need your password
  - you supply the addresses, they don't rifle your address book

Or so I thought, I'd never use such a thing. If the website was that good I'd tell my friends myself, not fire spam at them. Real friends don't spam you.

Re:FUD (2, Informative)

scsscs (669925) | more than 7 years ago | (#18485847)

One of the Co-founder's of Flixster posted in the article's comments. Since many wont even read the article let alone the comments here it is: Hi Anne, I am one of the founders of flixster. I happened upon your article via technorati. As a social community on the web, we take issues of email privacy and permission very seriously. Obviously i am saddened by the way your article describes us. Let me clarify a couple things... 1. We do allow users to access common web-address books to select friends to invite. The whole point of flixster is sharing movie ratings with friends - so making it easy to invite people is very important for us. (This is also incredibly common practice around the web - see yelp/facebook/myspace and many others that also offer it. Plaxo actually offers a popular widget to allow any site to offer this feature). 2. We don't do anything tricky or misleading. The invite friends screens are all clearly explained (visible even in your slightly fuzzy screenshots) and to actually send anything the user must click a button labelled "send invitations" on a screen with their friends names and a list of checkboxes. 2. We use the user's credentials only to retrieve the contact list and then do not store them in any way. We absolutely don't do anything malicious or affect their account in any way. 3. The user is then ALWAYS given the list of contacts and asked to select whom to invite. We do not invite anyone they do not select. Of course we want people to invite friends to come try our site - but it absolutely does not benefit us to send invites they didn't intend and end up with angry users. 4. Once registered, users can control their settings on every single email we send - from weekly movie summaries to new friend requests. If you choose, you can receive no email from us at all. 5. We never sell, rent or buy email addresses from anyone. We are a small company. The intro to our terms of service was intended to be funny. In no way does it reflect us taking privacy issues lightly - which is exactly why we wrote our privacy policy in such clear terms. Anyway, if you have any questions or want to discuss with me, drop me a note at the email above. i appreciate that your efforts are to help protect people from malicious or dangerous sites - a noble endeavor - i'm really sorry that you felt like our site fell into that category. Sincerely, Joe G

Re:FUD (1)

scsscs (669925) | more than 7 years ago | (#18485889)

Ignore the bad formatting:

Hi Anne,

I am one of the founders of flixster. I happened upon your article via technorati.

As a social community on the web, we take issues of email privacy and permission very seriously. Obviously i am saddened by the way your article describes us. Let me clarify a couple things...

1. We do allow users to access common web-address books to select friends to invite. The whole point of flixster is sharing movie ratings with friends - so making it easy to invite people is very important for us. (This is also incredibly common practice around the web - see yelp/facebook/myspace and many others that also offer it. Plaxo actually offers a popular widget to allow any site to offer this feature).

2. We don't do anything tricky or misleading. The invite friends screens are all clearly explained (visible even in your slightly fuzzy screenshots) and to actually send anything the user must click a button labelled "send invitations" on a screen with their friends names and a list of checkboxes.

2. We use the user's credentials only to retrieve the contact list and then do not store them in any way. We absolutely don't do anything malicious or affect their account in any way.

3. The user is then ALWAYS given the list of contacts and asked to select whom to invite. We do not invite anyone they do not select. Of course we want people to invite friends to come try our site - but it absolutely does not benefit us to send invites they didn't intend and end up with angry users.

4. Once registered, users can control their settings on every single email we send - from weekly movie summaries to new friend requests. If you choose, you can receive no email from us at all.

5. We never sell, rent or buy email addresses from anyone. We are a small company. The intro to our terms of service was intended to be funny. In no way does it reflect us taking privacy issues lightly - which is exactly why we wrote our privacy policy in such clear terms.

Anyway, if you have any questions or want to discuss with me, drop me a note at the email above. i appreciate that your efforts are to help protect people from malicious or dangerous sites - a noble endeavor - i'm really sorry that you felt like our site fell into that category.

Sincerely,
Joe G

Re:FUD (0)

Anonymous Coward | more than 7 years ago | (#18485999)

Slashdotters don't use social networks so they wouldn't know this. This story is such a none issue it's embarrassing.

Marketing IS deception (2, Funny)

Joebert (946227) | more than 7 years ago | (#18485747)

Name any marketing campaign ever done by any company & I bet at least one person here at Slashdot can come up with at least one thing deceptive about each of them.

Re:Marketing IS deception (1)

JetScootr (319545) | more than 7 years ago | (#18486047)

Agreed. I've come to equate "marketing" with "lying with intent to steal", almost synonmous with "fraud".

W00t \fp (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18485765)

What kind of idiot? (0)

Anonymous Coward | more than 7 years ago | (#18485885)

What kind of idiot gives away their password anyways?

Got to be pretty fucking stupid.

Phishing (0)

Anonymous Coward | more than 7 years ago | (#18485901)

Well lets see, they access your email account without permission, without preagreement, and with a deceptive screen indicating it is used for YOU to send out invites to your friends on the next screen.

Phishing. It's no different from a phishing screen trying to get your account passwords by deception or any other phishing site.

Arrest them, make it the criminal matter that it is.

Captcha (0)

Anonymous Coward | more than 7 years ago | (#18485909)

If I were an email-Provider, I'd do a captcha if a Flixster-IP is accessing the address book.

Convenience, not abuse (1)

say (191220) | more than 7 years ago | (#18485949)

I can't understand why this is a problem. You already trust these networking sites with pretty detailed information on your own preferences, tastes, friends, location etc., so your e-mail password is not much of an asset to them. Any abuse would obviously lead to people changing their passwords.

The feature is really useful, and presented properly it is not abusive at all. What it does, is log in to your e-mail account and grab your address book. Then you are able to check off people you want to invite and send a premade invitation message. To the end user, the alternative is to manually type or copy-paste in all the e-mail addresses.

As far as I know, Flixster (and Facebook) have not abused the passwords they are given. When they do, make a case of it. If you don't want to give them your password, don't (or, if you need the feature, change the password after your address book has been downloaded). Don't force your paranoid, ineffective habits on the rest of us.

Abuse, not Convenience (2, Insightful)

JetScootr (319545) | more than 7 years ago | (#18486027)

Your email certainly looks like astroturf, by the way. Which would fit right in with the kind of tactics used by a company that asks for user passwords to other networks.
But to give you the benefit of the doubt:
There is absolutely no reason, security or otherwise, for a user's password to be anywhere but between the user's ears or typed in to the one correct "password" box where it applies. Even the company who provides the password-protected service has no need of it, unless they have a severely damaged concept of security.
Asking for someone's password shows a flaming disregard for data security and the privacy of users. It's also an insult to the intelligence of the user. Morally, if you ask for a password, you accept the same responsibility of using that password as the original user. I doubt flixster (or any company) would willingly accept the terms of service that companies usually force on users.
The only reasons to ask for a user's passwords are:
1> To pretend to be that user, which is certain to be against the terms of service of ANY security-conscious provider;
2> To access that user's private data, which would not be password protected without reason.
This is about as severe a character flaw as an internet company could possibly have.
Also, email sent from a password protected account will stain your reputation. Especially if used in court against you. Even though it can easily be challenged, the judge and jury would probably still think hmmmmmmmmmmmmm.

Here's how to stop these scams (5, Insightful)

bocaJWho (1080217) | more than 7 years ago | (#18485959)

Google and other mainstream mail-service providers can put a stop to these messages pretty easily. Sending these messages violate several points in gmail's Terms of Use and Program Policies. Specifically:

-Section 2. Personal Use: "The Service is made available to you for your personal use only."
    I see two violations here. First of all, they are giving the use of the service to someone other than themselves, violating the word "your". Secondly, they violate the word "personal" - this is clearly a business application
-Section 3. Proper Use: "... Your use of the Service is subject to your acceptance of and compliance with the Agreement, including the Gmail Program Policies ..."
    Violations of the program policies include:
    - "Generate or facilitate unsolicited commercial email ("spam"). Such activity includes, but is not limited to ... selling, exchanging or distributing to a third party the email addresses of any person without such person's knowing and continued consent to such disclosure ... Interfere with other Gmail users' enjoyment of the Service" [spam certainly interferes with my enjoyment of gmail].
-Additionally in Section 3: You shall not "(i) use the Service to upload, transmit or otherwise distribute any content that is unlawful, defamatory, harassing, abusive, fraudulent, obscene, contains viruses, or is otherwise objectionable as reasonably determined by Google;" Again, I find spam harassing.

Given these violation, Google would be well within their rights to terminate the accounts (actually, according to the Terms of Use, they can do that whenever they feel like it, but lets assume they don't want to look too evil). Alternatively, They could send out notices that they will terminate any accounts that have been violated if they don't change their password in the next 10 days. Since so many people would lose, or face impending loss of their email accounts, services such as Flixster would suddenly have to find a new business model.

While I didn't check, I would bet hotmail, yahoo mail etc. have similar terms of use.

Even if Flixster decided to keep being an ass and collect passwords anyways, that would just mean that people stupid enough to give out their passwords would no longer have email accounts. Either way, I see no loss. Get to it Google et al.

Re:Here's how to stop these scams (2, Insightful)

ettlz (639203) | more than 7 years ago | (#18486287)

Quite. Hotmail's Terms of Use (don't know about others) require you to keep your password secret. The webmail providers should be having strong words with those who divulge this information.

Hilarious. (1)

Sockatume (732728) | more than 7 years ago | (#18486005)

Okay, who tagged the article "yes"? Own up.

Why don't Gmail block them? (2, Interesting)

TorKlingberg (599697) | more than 7 years ago | (#18486019)

I suggest Google block Flixters IPs from logging in to Gmail. That should keep away some of this spam. In general, preventing a single IP from logging in to a lot of accounts sounds like a decent security measure.

Re:Why don't Gmail block them? (2, Insightful)

Tim C (15259) | more than 7 years ago | (#18486381)

There are three issues with this idea:

1) There's nothing to prevent Flixster from sending employees out to Internet cafés to send the mails, or getting them to do it from home, etc. Sure, it's an inconvenience, but if they're truly determined they could do it. Alternatively, just buy a bunch of modems and get some free dial-up accounts, or use proxies, etc.

2) My company, like probably the vast majority, NATs its LAN. To the outside world, almost every single desktop appears to be behind the same IP address. If Google did prevent a single IP address from accessing more than some small-ish number of accounts, that would inconvenience far more people than just Flixster. I imagine that most other organisations (eg universities, schools, etc) have similar network setups - the days of every desktop having a publicly-routable IP address are long gone.

3) You suggest that Google spends time, money and effort fixing something that almost certainly isn't even a problem for them. The amount of mail this sort of service sends out is going to be a tiny fraction of the total that Google carries; I can't imagine that they even notice it.

most of the time it's the same password anyway (2, Insightful)

level4 (1002199) | more than 7 years ago | (#18486037)

As a former network admin, i'd bet quite a large sum of money that in the majority of cases, the password the user chooses for the new site registration and the password they're using for email - probably the same email they gave for the signup! - are identical anyway.

This is just asking permission. Nine out of ten times, they've already got the information.

Still don't like it. The real solution is for the mail providers to provide a secondary authentication measure to provide information from a users' account, like calendar or address book info, without giving away their password .. wider adoption of OpenID could be part of the solution to this problem.

RTFA (1)

JetScootr (319545) | more than 7 years ago | (#18486071)

Flixster is asking for the user's password to *other* networks, not to its own. Whether a user chooses the same password in more than one app is irrelevant. No honest reputable business would ask for your password to some other company's services.
This is just asking permission. Nine out of ten times, they've already got the information.
NO, they don't have the info - that's why they're asking for it. They put up a display that borders on phishing (some would say it IS phishing), without explaining what they're going to do while pretending to be you.

Protect them from themselves. (1)

apodyopsis (1048476) | more than 7 years ago | (#18486085)

This is another case where we have to protect the stupid from their own actions.

Or educate them. Rapidly.

I saw this recently at Google Video. (1)

Jessta (666101) | more than 7 years ago | (#18486127)

I saw this recently at Google Video.
You click the 'add to myspace' button and google video asks for your myspace username and password so that it can login and add the video.
I lol'd pretty hard at the idea that people would actually do that. But I see it is pretty common.

Who needs security when nobody actually cares enough about their data to protect it.
I'm imagining a future of malware infested web applications. fun fun fun!!!

Some are much worse (2, Informative)

rduke15 (721841) | more than 7 years ago | (#18486145)

Apparently, the user has to manually select the addresses that will be spammed ("invited"), and click a button.

This is by far not as bad as what wayn.com does (or at least used to do). They were just sending out their spam through your account without your knowledge. See "WAYN - Where Are You Now? Warning [misterorange.com] " or Wayn.com : phishing alert, ne vous faites pas couillonner ! [pingouin.be] (the last one in French). (found these at the end of a French blog post about other deceptive practices of Wayn.com [alma.ch] )

No, RTFA (0)

Anonymous Coward | more than 7 years ago | (#18486185)

No, it sends an email to everyone in your address list just like WAYN.

Enough already, they should prosecute one of them.

Re:Some are much worse (0)

Anonymous Coward | more than 7 years ago | (#18486655)

> Apparently, the user has to manually select the addresses that will be spammed ("invited"), and click a button.

Not quite. The user has to manually *un*select the addresses they *don't* want spammed. There is no "deselect all" button either. Imagine having to deselect 300 addresses individually, across several pages of address book.

Is it any wonder I get spammed by these people a lot?

RIAA (1)

JohnHegarty (453016) | more than 7 years ago | (#18486231)

Sorry MR RIAA lawyer... I didn't download the mp3's.... try Flixster they use my account too...

Most of the social networking sites do this (0)

Anonymous Coward | more than 7 years ago | (#18486267)

If you look at any of the major social networking sites you will see that they all do this (Friendster, Hi5, Facebook). The funny thing is that most aren't even using SSL to submit your credentials!

How about their TOS? (2, Funny)

punterjoe (743063) | more than 7 years ago | (#18486293)

When I clicked on the link, I got a picture of a Monkey with the comment "We can't believe you clicked this"! That pretty much sealed the deal for me. :D

Adding "friends" automatically (0)

Anonymous Coward | more than 7 years ago | (#18486475)

In addition to the scary (but in my case ignored) feature of asking for your email password and spamming your friends they also automatically add friends to your friends list to make it seem like you are more active and connected than you actually are. I was invited by one friend and within a week or so received 5 emails that so-and-so has accepted your friend request. Crazy thing is, I hadn't been back onto the service since I initially checked it out, and had NEVER invited any friends. I didn't know the people who'd "accepted" my invitation.

They're a scam.

Are you kiding me? (1)

bkr1_2k (237627) | more than 7 years ago | (#18486573)

Who in their right mind provides that information? Seriously, is it just me or is the general public getting stupider? No way am I providing my passwords to anyone, let alone some website.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>