The security risks for your customers running viral tell-a-friend scripts and widgets.
This post is a year overdue – I have held back the material and refrained from pointing the finger for that period of time, but there is something I have noticed:-
If you don’t kick up a big stink, possibly including names, any advice just gets swept under the carpet.
I was on a very good webinar last night – Mike Filsaime and Anik Singal were highlighting all the mistakes that have been made with various “free offer” or “just pay shipping” offers.
This didn’t just cover mistakes that might have led to a poorer conversion, but also what has become known as upsell hell.
11 months ago, after a number of prior warning posts, I made the following statement:-
Over the last few months I have already taken the decision not to promote a number of sites and services launched by Internet Marketers using these dangerous scripts.
I have proven I can rank highly in the SERPs for any product. It is going to help conversions when on the first page of the SERPs for your product name potential customers find…
Product Name – WARNING: SECURITY RISK – Read This First!
Product Name by Marketer Name – Warning: Security Risk
The only problem is, this won’t be a typical fake affiliate promotion, but a real warning.
Note: I also provided a number of solutions within that post that don’t require a viral tell-a-friend to ask for a username & password.
Viral Hell – Prosecution Exhibit 1
Probably the most prominent viral tell-a-friend script is Viral Inviter, beta tested by Mike Filsaime for the launch of his Butterfly Reports site, and that site was used as “proof” of the effectiveness of the script within the launch of Viral Inviter, and on the sales page.
Here is what it looks like embedded inside Butterfly Reports (screenshot taken just a few hours ago)
How bad or insecure is it?
Here is a direct link to the framed form on the ButterflyReports.com site.
What could be tied to my Gmail account?
That is the key to unlocking:-
- Multiple Email Accounts
- Your Google Adsense Account
- Your Google Adwords Account
- Google Analytics
- Google Website Optimizer
- Your PayPal Account
- Affiliate program passwords
- Access Your Blogger account
- Access any scripts that allow you to resend or reset passwords
- Open any social media profile that used that email address
- Did you use that address for domain records? Wave goodbye to your domains
This isn’t only a question of whether the script itself is secure, but of whether the server it runs on is.
There is probably no such thing as an open-source content management or blog software project that hasn’t had at least one security vulnerability discovered within the last year.
It only takes WordPress or another popular script to be hacked, and rather than injecting a few links, any script, including a viral tell-a-friend, could be modified to do something unintended – such as quietly copying every username and password that passes through the form.
This isn’t even about that specific script running on Mike’s server, but about all the 100s or even 1000s of customers of Viral Inviter who might not have a team of programmers and security geeks working for them.
Also Butterfly Marketing has been customized to work with Viral Inviter out of the box.
Butterfly Marketing may or may not be as secure as WordPress, but just like with blog software, that doesn’t matter if you are not storing or asking people to input into forms highly sensitive data.
If a script/site gets hacked, you hopefully have at a minimum daily backups, and all that might be accessed are a few email addresses plus your content – annoying for customers but ultimately not a business liability for anyone.
If you run Viral Inviter with Butterfly Marketing, and something gets hacked, the most profitable exploit of your high traffic site is to grab Gmail usernames & passwords, especially if your site is targeted at novice online marketers.
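The alternative is not to handle anyone’s email credentials at all. The sharer gets a referral link that carries their own member id plus a server-side signature, pastes it into their own mail client or tweet, and still gets credit when a friend arrives. This is an added example written for this post, not code from Viral Inviter or Butterfly Marketing; SITE_SECRET, BASE_URL, make_referral_link, parse_referral and mailto_for are names I have made up for illustration.

```python
"""Credential-free tell-a-friend: the member shares a signed referral
link from their own mail client or Twitter account. The site never sees
an email password, so a compromised server has no credentials to harvest.
Added example, not code from any of the scripts named in the post."""

import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a per-site secret kept server side, never sent to the browser.
SITE_SECRET = b"replace-with-32-random-bytes-from-os.urandom"
BASE_URL = "https://example.com/reports"  # constructed placeholder


def _sign(referrer_id: str) -> str:
    # HMAC over the member id; truncated to keep the URL short.
    return hmac.new(SITE_SECRET, referrer_id.encode(), hashlib.sha256).hexdigest()[:24]


def make_referral_link(referrer_id: str) -> str:
    """Link the member copies into their own email or tweet. Only their
    own member id and a MAC over it travel; no third-party credentials."""
    return f"{BASE_URL}?{urlencode({'ref': referrer_id, 'sig': _sign(referrer_id)})}"


def parse_referral(url: str):
    """Server side: return the member to credit, or None if the signature
    is missing or does not match (e.g. someone editing ?ref= to steal
    another member's credit)."""
    qs = parse_qs(urlparse(url).query)
    ref = qs.get("ref", [None])[0]
    sig = qs.get("sig", [None])[0]
    if not ref or not sig:
        return None
    if not hmac.compare_digest(sig, _sign(ref)):
        return None
    return ref


def mailto_for(referrer_id: str, subject: str = "Thought you would like this") -> str:
    """A mailto: link opens the visitor's own mail client with the referral
    link in the body; the site never touches their address book or password."""
    body = f"Have a look at this: {make_referral_link(referrer_id)}"
    return "mailto:?" + urlencode({"subject": subject, "body": body})


if __name__ == "__main__":
    link = make_referral_link("member42")
    print(link)
    print("credited to:", parse_referral(link))
    print("forged link credited to:", parse_referral(link.replace("member42", "member43")))
    print(mailto_for("member42"))
```

The sharer’s contacts never pass through the site, which is exactly the data a hacked tell-a-friend installation would otherwise hand to an attacker.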
Viral Hell – Prosecution Exhibit 2 – Twitter Scripts
As Twitter has become all the rage among marketers, especially how to create a viral “buzz” effect on product launches, or use it to build up a massive number of followers, marketers have looked for ways to encourage people to tweet about them.
The innocent methods are things like the retweet buttons you will see on my blog, or encoded retweet links.
Aside – have you noticed on recent product launches that the retweet links haven’t included affiliate links, thus are effectively “leaks” in a landing page for which an affiliate gains no benefit, unless they are offering huge bonuses to benefit from the buzz?
The more nefarious solutions are the “free” scripts that you can receive just by tweeting about them, install on your server, and then use to offer small incentives to tweet about your upcoming product launch.
The most popular early solution was Viral Tweets and I have seen tons of otherwise very respectable marketers use this script or a variation of it as an incentive to gain viral exposure.
Just like with Tell-A-Friend scripts that ask for your gmail account, the danger isn’t necessarily with the Tell-A-Friend script, but hosting it on a server which might be insecure in other ways.
A Twitter account isn’t anywhere near as valuable as a primary email address with password, and accounts taken over can possibly be recovered with the help of the Twitter engineers and support.
- Why subject potential customers to something that might be a security hazard?
- If you are a respected marketing guru, isn’t it your responsibility to promote best practice, especially as whatever tactics you do use in your campaigns will be mimicked by others, often with fewer precautions such as server security and audits?
- Some implementations might be scraping off the cream that your affiliates have earned.
Viral Hell – Prosecution Exhibit 3 – Twitter Pyramid Scripts
If you missed being exposed to TweeterGetter on Twitter you were among the lucky ones.
The true “viral” effect lasted less than a weekend, and from then on, the viral exponent (a term I learned from Mike Filsaime’s Butterfly Report) was less than 1.00.
The headline claim was for users to achieve “19,530 followers”, a target only just achieved by the site creator within the 30 days – from memory he reached that number after 27 days.
Now in this case the “viral hell” isn’t for the users of the site, though there have been a number of individual Twitter applications where it was suggested the account details were being abused. As far as I am aware the script isn’t being sold (though it might be a backend offer), thus there is only one potential vulnerability.
The “viral hell” is for the readers. After the first week the only people tweeting links were:-
- Spam accounts
- Desperate newbies
- Otherwise automated accounts
I am sure some people still abuse their email lists in this way, but it certainly isn’t the pinnacle of marketing excellence.
Viral Hell – Prosecution Exhibit 4 – Twiveaway
About a month ago Brad Callen, a marketer I generally respect and whose products I have purchased (e.g. SEO Elite many moons ago) released a new script/service for Twitter giveaways.
I contacted him directly, and suggested ways to improve it, and that requiring passwords was not only a security vulnerability, but for giveaways it isn’t actually something that is needed.
Requiring a password for a 3rd party service is FRICTION – much more than an email address
It looks like a month later, the scripts out in the wild, such as used by Launch Tree, still require passwords.
It is highly possible that Anik actually has a beta version of the script, and that Brad is generally only providing this as “software as a service” to most users.
I expected much better.
I think Danny Sullivan coined the phrase “craphat SEO” for the SEO tactics that exploit vulnerabilities such as link injection in blogs.
Jeff at Coding Horror described this kind of programming as:-
Email is the de-facto master password for a huge swath of your online identity. Tread carefully:
* As a software developer, you should never ask a user for their email credentials. It’s unethical. It’s irresponsible. It is wrong. If someone is asking you to code this, why? For what purpose?
* As a user, you should never provide your email credentials to anyone except your email service. Sites that ask you for this information are to be regarded with extreme suspicion if not outright distrust.
But in many ways it is worse, because this script from Brad doesn’t even provide any real protection, or at least that is the case from the examples I have seen.
e.g. You can get a Twiveaway account here without using their forced retweet form, and I accessed that just looking at the form source code.
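That illustrates a general rule: a “tweet to continue” gate enforced in the browser is not access control, because whatever page the form eventually lands on has to be in the markup or script the visitor has already downloaded. The example below is added here to show both halves of that rule on a constructed gate page; it is not Twiveaway’s or Launch Tree’s code, and GATE_HTML, leaked_destinations and Gate are names I have made up for illustration. The Gate class shows the password-free alternative: the server checks the entrant’s public tweets for the campaign link and only then mints a single-use token, so nothing in the page source leads anywhere.

```python
"""Client-side retweet gate versus a server-issued unlock token.
Added example on a constructed gate page; not any vendor's code."""

import re
import secrets
from html.parser import HTMLParser

# Constructed gate page. The "next" URL rides along as a hidden field and
# an inline JS redirect, which is exactly where view-source finds it.
GATE_HTML = """
<form method="post" action="/retweet-gate">
  <input type="text" name="twitter_user">
  <input type="password" name="twitter_pass">
  <input type="hidden" name="next" value="/members/signup?promo=launch">
  <button>Tweet and continue</button>
</form>
<script>function done(){window.location='/members/signup?promo=launch';}</script>
"""


class _Leaks(HTMLParser):
    """Collect hidden redirect targets and quoted paths in inline script."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name") in ("next", "redirect", "return"):
            if a.get("value"):
                self.found.add(a["value"])

    def handle_data(self, data):
        # Script bodies arrive here; pull out quoted absolute paths.
        for m in re.finditer(r"""['"](/[^'"]+)['"]""", data):
            self.found.add(m.group(1))


def leaked_destinations(html: str):
    """Every destination a visitor can reach by reading the page source."""
    parser = _Leaks()
    parser.feed(html)
    return sorted(parser.found)


class Gate:
    """Server-side gate: no password asked for, no destination in the page.

    timeline_lookup(username) stands in for a read of the entrant's
    public tweets (in production, a call to Twitter's public API)."""

    _DESTINATION = "/members/signup?promo=launch"

    def __init__(self, campaign_link: str, timeline_lookup):
        self.campaign_link = campaign_link
        self.timeline_lookup = timeline_lookup
        self._pending = set()

    def render_gate(self) -> str:
        # Only the username is collected; the real page is never disclosed.
        return ('<form method="post" action="/unlock">'
                '<input type="text" name="twitter_user">'
                '<button>I have tweeted, check and continue</button></form>')

    def request_unlock(self, username: str):
        """Mint a single-use token only if a public tweet carries the link."""
        if not any(self.campaign_link in text for text in self.timeline_lookup(username)):
            return None
        token = secrets.token_urlsafe(16)
        self._pending.add(token)
        return token

    def redeem(self, token: str):
        """Exchange a token for the destination exactly once."""
        if token not in self._pending:
            return None
        self._pending.discard(token)
        return self._DESTINATION


if __name__ == "__main__":
    print("leaked by the client-side gate:", leaked_destinations(GATE_HTML))
    # Constructed public timelines for two entrants.
    timelines = {"alice": ["Check this out https://example.com/launch"], "bob": ["unrelated"]}
    gate = Gate("https://example.com/launch", lambda u: timelines.get(u, []))
    print("bob:", gate.request_unlock("bob"))
    tok = gate.request_unlock("alice")
    print("alice:", gate.redeem(tok), "then", gate.redeem(tok))
```

The server-side version also removes the password field entirely: checking that a public tweet exists needs no credentials, which is the point made to Brad above.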
Viral Hell – Prosecution Exhibit 5 – Launch Tree
Launch Tree already have retweet links in various places, including on the main landing page. In theory, the majority of traffic to the site is landing there, and giving an email address to get access to free content.
Now as an additional barrier, for what might be one of the hottest videos with Andy Jenkins, they also require you to tweet about it.
These guys run companies making $10M+ a year, yet they are using Brad’s craphat software, and asking people for passwords to their Twitter accounts.
I am not worried about them collecting passwords, nor even that much about their server security (well, at least I hope they have that buttoned down).
The biggest problem is their position in the industry and endorsing this method as acceptable.
There is a reason on the TV they use a phrase
“Don’t try this at home kids”
I don’t endorse Google, LinkedIn, Facebook et al scraping email accounts for viral marketing, but let’s face it, they can do a better job with server security than the average internet marketer, and even then it is only one security vector being attacked.
A good implementation – maybe take a look at the way Dopplr uses APIs – just a small startup with a little funding, much less than the income from one major product launch.
I still think Launch Tree is a highly valuable product for any marketer looking to promote a product and optimize their conversions and ultimate launch profitability.
Maybe even more so because of these issues raised, because it provides a central knowledgebase of what works, and what is acceptable. Such as one of Mike’s launches mentioned last night where even if someone only wanted the initial offer, and none of the upsells/downsells, it would take them 37 minutes to actually finish their order… real upsell hell that Mike learned from.
How good is the free material being provided during the Launch Tree launch?
As an example after the Brian Johnson interview (where they only revealed part of the launch details) I decided that I needed some notes, both to aid my long-term learning by writing things down in some way, and as an aid to actually understand what was being said.
So I put together a detailed process map, with all the numbers, and I was going to use it as some kind of squeeze page or purchase incentive.
I have decided to release this right here, for free, with no obligation for anything.
I have linked this one image as an attachment, so click the image, or here to get a full size version.
I created that using Xmind, and if this post reaches 100 retweets I will release the source file so you can edit it for your own personal use.
That is another important factor – I am sick of products that include mindmaps and process maps that don’t include files that can be edited. Procedures change, or get customized. A file that can be edited is worth 5x more, even if just for personal use.
No Passwords Link
So the newest video is Andy Jenkins being interviewed about their Stomping The Search Engines 2 launch, which made millions by giving away a high ticket SEO training course, just for the cost of shipping.
It is a very good course, and has just been rereleased, you can get it for $1, immediate online access. (but be quick, I don’t expect the offer to remain open forever)
STSE2 with this offer is probably the best value SEO training from an authority source currently online, though be warned, there is an attached continuity to the offer – the very upfront “ethical bribe” to try out their “Net Effect”
With Launch Tree, I honestly don’t feel comfortable sending you to a site which is asking you for Twitter passwords – it is that “ethical streak” in me, part genetic, part top grammar school education.
Fortunately as I have mentioned Brad’s script is easy to bypass.
Now whilst some might look on this as me bypassing security, before posting this I did make sure the page was indexed in Google already, without any help from me.
Also it is set up as a landing page, and I am using Anik’s smart affiliate system which supports deep linking.