How To Screw Up Your Internet Business

Jeff over at Coding Horror has just been taking a small pop at Yelp for requiring email account access to find friends:


Email is the de-facto master password for a huge swath of your online identity. Tread carefully:

* As a software developer, you should never ask a user for their email credentials. It’s unethical. It’s irresponsible. It is wrong. If someone is asking you to code this, why? For what purpose?
* As a user, you should never provide your email credentials to anyone except your email service. Sites that ask you for this information are to be regarded with extreme suspicion if not outright distrust.

This is the same terrible system used by many large social networks, and by 2 scripts I recently strongly advised internet marketers not to use:

  • Optin Accelerator – due to be relaunched soon
  • Then there was Viral Optin Generator
  • Coming soon is Viral Inviter, which has some redeeming qualities (it works with old address books from Outlook etc.), but it is still asking for highly personal passwords, and there are some other security faults.

Viral Inviter, with even heavier marketing and endorsements, will have a huge long-term negative effect on email marketing, with the rewards quickly being overtaken by a backlash of negative sentiment and poorer email delivery which will be universal.

Plurk, which has very recently become very popular, also suffers from this evil invite and find-friends method, but it at least has a redeeming feature: it also offers plain compose links for the major webmail providers, so no password ever changes hands.


http://mail.google.com/mail/?view=cm&cmid=0&fs=1&su=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line&tearoff=1&shva=1&ui=1


http://compose.mail.yahoo.com/?Subj=Invitation+to+Plurk.com&Body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21+Accept+my+invitation+by+going+to%3A+http%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2.+Check+out+my+profile+by+going+to%3A+http%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard


http://www.hotmail.msn.com/secure/start?action=compose&subject=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line

That first link, for instance, opens a pre-filled invite email inside Gmail itself. There is no need for Plurk to scrape Gmail contacts: the user simply picks recipients from Gmail’s own address book, and their password never leaves Google.
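The three links above are just ordinary URLs with a subject and body in the query string, so a site can generate them without ever touching the user’s mailbox. The following is an added example, not code from the post or from Plurk: it builds such compose links for the three providers shown, and decodes an existing one so the message text can be reviewed. The endpoints and parameter names are taken from the post’s own links; the invite and profile URLs passed in are constructed placeholders.

```python
# Added example (not from the original post): build "invite a friend" compose
# links for Gmail, Yahoo and Hotmail, the password-free alternative to asking
# users for their email credentials, and decode an existing link for review.
from urllib.parse import urlencode, urlsplit, parse_qs

# Compose endpoints and the subject/body parameter names each provider uses,
# as they appear in the post's example links.
COMPOSE_ENDPOINTS = {
    "gmail": ("http://mail.google.com/mail/", "su", "body"),
    "yahoo": ("http://compose.mail.yahoo.com/", "Subj", "Body"),
    "hotmail": ("http://www.hotmail.msn.com/secure/start", "subject", "body"),
}

# Fixed parameters the providers expect alongside subject and body.
PROVIDER_DEFAULTS = {
    "gmail": {"view": "cm", "cmid": "0", "fs": "1"},
    "yahoo": {},
    "hotmail": {"action": "compose"},
}


def invite_body(site_name, invite_url, profile_url):
    """Plain-text invite message; the two URLs are supplied by the caller."""
    return (
        f"I have been using {site_name} and I think you should check it out!\n\n"
        f"Accept my invitation by going to:\n{invite_url}\n\n"
        f"Check out my profile at:\n{profile_url}"
    )


def compose_url(provider, subject, body, extra=None):
    """Return a pre-filled compose link for the given webmail provider.

    urlencode() percent-encodes everything (spaces become '+', newlines '%0A',
    '/' becomes '%2F'), which is exactly the encoding the post's links use.
    """
    base, subject_key, body_key = COMPOSE_ENDPOINTS[provider]
    params = dict(PROVIDER_DEFAULTS[provider])
    params[subject_key] = subject
    params[body_key] = body
    if extra:
        params.update(extra)
    return base + "?" + urlencode(params)


def decode_compose_url(url):
    """Return (subject, body) from a compose link from any known provider,
    so the text a user will actually send can be checked before publishing."""
    query = parse_qs(urlsplit(url).query)
    for _, subject_key, body_key in COMPOSE_ENDPOINTS.values():
        if subject_key in query and body_key in query:
            return query[subject_key][0], query[body_key][0]
    raise ValueError("no recognised subject/body parameters in link")


if __name__ == "__main__":
    # Constructed placeholder URLs; a real site would fill in its own.
    body = invite_body("Plurk.com",
                       "http://example.invalid/redeem?from_uid=PLACEHOLDER",
                       "http://example.invalid/user/PLACEHOLDER")
    for provider in COMPOSE_ENDPOINTS:
        link = compose_url(provider, "Invitation to Plurk.com", body)
        print(provider, link)
        assert decode_compose_url(link) == ("Invitation to Plurk.com", body)
```

Because the subject and body travel in the URL, anything the site puts there is visible to the user before sending, and the provider’s own login and address book do all the work; the site only needs the recipient to accept the invite link it embedded.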

Plurk Mailto

They also use Facebook

Existing APIs

Google, Yahoo and Microsoft also have APIs for this kind of thing, which can be used for finding friends without the user handing over their password:

  • Google Contacts API
  • Yahoo! Contact API
  • Windows Live Contact API

Over the last few months I have already taken the decision not to promote a number of sites and services launched by Internet Marketers using these dangerous scripts.

I have proven I can rank highly in the SERPs for any product. It is going to help conversions when on the first page of the SERPs for your product name potential customers find…

Product Name – WARNING: SECURITY RISK – Read This First!
or
Product Name by Marketer Name – Warning: Security Risk

The only problem is, this won’t be a typical fake affiliate promotion, but a real warning.

Update

Tim has provided the code showing that anyone who buys one of these viral tell-a-friend scripts can easily modify it so that it stores all the personal data entered in the form. It would take a typical script kiddie less than 2 minutes.

Doing it on someone else’s server is a little more work, since they would first need to get access, but how many people really think their websites running 3rd party scripts are totally secure?

Tim points out Paypal… how many marketers use Gmail for Paypal access, along with their Adwords, Adsense, Domain registrations etc. I know I do, because I trust Google with the data more than I trust my ISP – plus it would be a thankless task changing everything if you changed ISP.

Marketers are the perfect target

  • Running lots of 3rd party scripts on a site
  • Often running outdated versions of WordPress
  • Have multiple sites on the same server
  • Have a “set and forget” mentality


Comments

  1. says

    Andy, are you saying these sites want access to your email account(s) in order to access your contact lists? If that is the case it does not seem safe to me.

    On the flip side are there good plugins such as “tell your friends about us” that will use existing APIs like those mentioned above?

    • says

      Michael, I am sure you are a member of lots of the big ones that have used this tactic:

      Facebook
      Myspace
      YouTube

      The problem is these scripts are available for less than $100, anyone can buy them – they are not programmers and many of the scripts call home because they can’t keep up with the changes in the backend for scraping the data.

      It is a disaster waiting to happen.

  2. says

    Thanks for another great article Andy. I’ve hesitated to use the find friend feature in social sites that asks for my email password as it seems like too much of a security risk.

  3. says

    I have been alarmed to see social networks asking for access to email accounts to add friends.
    I have a hard time believing someone would give their email address and its password to anyone. I think it is a dumb idea to even ask for it. Even if they are trustworthy, just the fact that they ask for this stuff must make them a target for hackers and scammers. I would think they would think about the liability.
    Giving an email address and password is worse than leaving your wallet somewhere in public. Too many financial sites will let you reset passwords if you give them the email for an account.
    Does Microsoft still use Hotmail accounts for the .net network?

  4. says

    Hi Andy,
    Thanks for bringing this issue to the fore. I see it every day in the many sites that I visit or try to join, but I haven’t come across anyone speaking out against this practice. Maybe I wasn’t looking hard enough. :)

    When I see such prompts for my email credentials, I just instinctively click the back button. No site is worth putting up with that kind of security risk, I’d get a similar service elsewhere. Thankfully, none of the sites I really consider important use that kind of script, but if I do encounter one, I’d probably just take my business elsewhere again.

  5. says

    Thanks for the “Security Alert!”, Andy.

    I’m not a fan of any sort of “Tell-A-Friend” promotion, but asking for account credentials to import contacts is even somewhat more intrusive, isn’t it? A while ago I added a line to my personal email’s signature: “This is an unlisted, private email address. You must not share it with anybody!” Well, my friends are ‘smart’ and I never had problems… but just in case.

    My advice to programmers, marketers, and service providers:

    * Give the user a choice of creating a login ID, which does not show up anywhere (different from screen name, different from email address). I say “choice” in reference to Guy Kawasaki who said on his Blog, “I don’t use services that don’t allow me to use my email address as login.” Okay, if you want to (dear user, you can). I guess you could be proud, if someone like Guy uses your service … no need to lock him out.

    * Don’t store passwords in plain text. Therefore you cannot send them via email as well! But don’t forget to implement a password recovery procedure.

    * Continuing with what you wrote, Andy: don’t ask for too much information anyway. First earn the user’s trust and respect, then any kind of ‘tell-a-friend’ will work much better for you.

    Yours John

    P.S. I hope that was not too long, Andy, but I think security (technical) and ethics (marketing, promotion) are very important for the Internet marketplace. As you do.

  6. says

    I’ve been brought up in a kind of internet environment that has the number one rule of “never give out your password” for anything or for anyone. I haven’t encountered a website asking for my email credentials yet but I think that even if it is a social networking website, I wouldn’t dare give away my password.

    This post is very helpful. Thank you for sharing this. I wasn’t aware that certain websites practice this, so I’ll keep an eye out now.

  7. says

    I had wondered about these “optin accelerators.” I didn’t promote them either for the simple fact that I hate getting emails for things I didn’t sign up for in the first place.

    But I would think that maybe the worst part would be that the creators might be able to spy on every email you add.

    Maybe not, but then again, maybe so….

    I guess it was just an attempt to make money…

  8. says

    Andy-
    Thanks for the great article on this, I hadn’t been aware of the issues with the email access on many of these systems. Thanks again.
    -Suz

  9. Home_Security_Systems says

    Hi! Its one of the best blog and this is very useful for the readers like me,it helps me a lot which I can't describe,bcoz I'm speechless anyway great job and one of the superb,Thanks for the job,keep up post cont………Thanks a lot.

Trackbacks

  1. [...] 11 months ago after a number of prior warning posts I made the following statement. Over the last few months I have already taken the decision not to promote a number of sites and services launched by Internet Marketers using these dangerous scripts. [...]