Jeff over at Coding Horror has just been taking a small pop at Yelp for requiring email account access to find friends:
Email is the de-facto master password for a huge swath of your online identity. Tread carefully:
* As a software developer, you should never ask a user for their email credentials. It’s unethical. It’s irresponsible. It is wrong. If someone is asking you to code this, why? For what purpose?
* As a user, you should never provide your email credentials to anyone except your email service. Sites that ask you for this information are to be regarded with extreme suspicion if not outright distrust.
This is the same terrible system used by many large social networks, and 2 scripts I recently strongly advised internet marketers not to use.
- Optin Accelerator – due to be relaunched soon
- Then there was Viral Optin Generator
- Coming soon is Viral Inviter, which has some redeeming qualities (it works with old address books from Outlook etc.), but it is still asking for highly personal passwords, and there are some other security faults.
Viral Inviter, with even heavier marketing and endorsements, will have a huge long-term negative effect on email marketing, with the rewards quickly being overtaken by a backlash of negative sentiment and poorer email delivery which will be universal.
Plurk, which has very recently become very popular, also suffers from this evil invite and finding friends method, but at least has a redeeming feature:
http://mail.google.com/mail/?view=cm&cmid=0&fs=1&su=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line&tearoff=1&shva=1&ui=1
http://compose.mail.yahoo.com/?Subj=Invitation+to+Plurk.com&Body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21+Accept+my+invitation+by+going+to%3A+http%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2.+Check+out+my+profile+by+going+to%3A+http%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard
http://www.hotmail.msn.com/secure/start?action=compose&subject=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line
That first line, for instance, brings up an invite email inside Gmail: there is no need to scrape Gmail contacts, and you can then use Gmail’s own address book to access contacts.
They also use Facebook
Google, Yahoo and Microsoft also have APIs for this kind of stuff, which can also be used for finding friends.
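The compose-link approach described above, as an added example (not Plurk's code and not part of the original post): it builds the same kind of prefilled invite link for each webmail provider without ever asking for a mail password. The endpoints and parameter names are taken from the three links above; the `mailto:` fallback for desktop clients goes beyond those links, and the names `PROVIDERS`, `composeLinks` and `decodeLink` and the sample values are assumptions made for the example.

```javascript
// Added example, not Plurk's code. Endpoints and parameter names are copied
// from the three links above and may not match the providers' current ones.
const PROVIDERS = {
  gmail: {
    base: "http://mail.google.com/mail/",
    fixed: { view: "cm", cmid: "0", fs: "1", tearoff: "1", shva: "1", ui: "1" },
    subject: "su", body: "body",
  },
  yahoo: { base: "http://compose.mail.yahoo.com/", fixed: {}, subject: "Subj", body: "Body" },
  hotmail: {
    base: "http://www.hotmail.msn.com/secure/start",
    fixed: { action: "compose" },
    subject: "subject", body: "body",
  },
};

// Build one compose link per provider. No recipient is set: the user picks
// contacts in the provider's own address book after the page opens, so the
// inviting site never handles a mail password or a contact list.
function composeLinks(subject, body) {
  const links = {};
  for (const [name, p] of Object.entries(PROVIDERS)) {
    // URLSearchParams form-encodes values: space -> "+", "\n" -> "%0A".
    const qs = new URLSearchParams({ ...p.fixed, [p.subject]: subject, [p.body]: body });
    links[name] = p.base + "?" + qs.toString();
  }
  // Desktop clients: in a mailto: URI "+" is a literal plus sign, so values
  // are percent-encoded instead, and line breaks are sent as CRLF (RFC 6068).
  links.mailto = "mailto:?subject=" + encodeURIComponent(subject) +
    "&body=" + encodeURIComponent(body.replace(/\r?\n/g, "\r\n"));
  return links;
}

// Decode a generated link back into its parameters, for review or testing.
function decodeLink(link) {
  const query = link.slice(link.indexOf("?") + 1);
  if (!link.startsWith("mailto:")) return Object.fromEntries(new URLSearchParams(query));
  return Object.fromEntries(query.split("&").map((pair) => {
    const eq = pair.indexOf("=");
    return [pair.slice(0, eq), decodeURIComponent(pair.slice(eq + 1))];
  }));
}

// Constructed sample values; example.com stands in for the inviting site.
const SAMPLE_SUBJECT = "Invitation to Example.com";
const SAMPLE_BODY = "I think you should check it out!\n\nAccept my invitation:\n" +
  "http://example.com/invite?from_uid=1&s=2";
console.log(composeLinks(SAMPLE_SUBJECT, SAMPLE_BODY));
```

The only data the inviting site puts into these links is the subject and body it wrote itself; everything about the recipient stays inside the user's mail provider or mail client.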
Over the last few months I have already taken the decision not to promote a number of sites and services launched by Internet Marketers using these dangerous scripts.
I have proven I can rank highly in the SERPs for any product. It is going to help conversions when on the first page of the SERPs for your product name potential customers find…
Product Name – WARNING: SECURITY RISK – Read This First!
Product Name by Marketer Name – Warning: Security Risk
The only problem is, this won’t be a typical fake affiliate promotion, but a real warning.
Tim has provided the code so that anyone who buys one of these viral tell-a-friend scripts can easily modify it so that it stores all the personal data entered in a form. It would take a typical script kiddie less than 2 minutes.
Doing it on someone else’s server is a little more work, plus they would need to get access, but how many people really think their websites running 3rd party scripts are totally secure?
Tim points out PayPal… how many marketers use Gmail for PayPal access, along with their AdWords, AdSense, domain registrations etc. I know I do, because I trust Google with the data more than I trust my ISP – plus it would be a thankless task changing everything if you changed ISP.
Marketers are the perfect target:
- Running lots of 3rd party scripts on a site
- Often running outdated versions of WordPress
- Have multiple sites on the same server
- Have a “set and forget” mentality