Twitter Viral Hell With Launch Tree

The security risks for your customers running viral tell-a-friend scripts and widgets.

This post is a year overdue – I have held back the material and refrained from pointing the finger for that period of time, but there is something I have noticed:-

If you don’t kick up a big stink, possibly including names, any advice just gets swept under the carpet.

I was on a very good webinar last night – Mike Filsaime and Anik Singal were highlighting all the mistakes that have been made with various “free offer” or “just pay shipping” offers.
This didn’t just cover mistakes that might have led to a poorer conversion, but also what has become known as upsell hell.

11 months ago after a number of prior warning posts I made the following statement.

Over the last few months I have already taken the decision not to promote a number of sites and services launched by Internet Marketers using these dangerous scripts.

I have proven I can rank highly in the SERPs for any product. It is going to help conversions when on the first page of the SERPs for your product name potential customers find…

Product Name – WARNING: SECURITY RISK – Read This First!
Product Name by Marketer Name – Warning: Security Risk

The only problem is, this won’t be a typical fake affiliate promotion, but a real warning

Note: I also provided a number of solutions within that post that don’t require a viral tell-a-friend to ask for a username & password.

Viral Hell – Prosecution Exhibit 1

Probably the most prominent viral tell-a-friend script is Viral Inviter, beta tested by Mike Filsaime for the launch of his Butterfly Reports site, and that site was used as “proof” of the effectiveness of the script within the launch of Viral Inviter, and on the sales page.

Here is what it looks like embedded inside Butterfly Reports (screenshot taken just a few hours ago)

Viral Tell-A-Friend Inside Butterfly Reports

How bad or insecure is it?

Here is a direct link to the framed form on the site.

What could be tied to my Gmail account?

That is the key to unlocking:-

  • Multiple Email Accounts
  • Your Google Adsense Account
  • Your Google Adwords Account
  • Google Analytics
  • Google Website Optimizer
  • Your PayPal Account
  • Affiliate program passwords
  • Access Your Blogger account
  • Access any scripts that allow you to resend or reset passwords
  • Open any social media profile that used that email address
  • Did you use that address for domain records? Wave goodbye to your domains

This isn’t a case of whether the script itself is secure, but the server

There is probably no such thing as an open-source content management or blog software project that hasn’t had at least one security vulnerability discovered within the last year.

It only takes WordPress or another popular script to be hacked, and rather than injecting a few links, any script, including a viral tell-a-friend could be modified to do something unintended.

This sin’t even about that specific script running on Mike’s server, but all the 100s or even 1000s of customers of Viral Inviter who might not have a team of programmers and security geeks working for them.

Also Butterfly Marketing has been customized to work with Viral Inviter out of the box.

Butterfly Marketing may or may not be as secure as WordPress, but just like with blog software, that doesn’t matter if you are not storing or asking people to input into forms highly sensitive data.

If a script/site gets hacked, you hopefully have at a minimum daily backups, and all that might be accessed are a few email addresses plus your content – annoying for customers but ultimately not a business liability for anyone.

If you run Viral Inviter with Butterfly Marketing, and something gets hacked, the most profitable exploit of your high traffic site is to grab Gmail username & passwords, especially if your site is targetted to novice online marketers.

Viral Hell – Prosecution Exhibit 2 – Twitter Scripts

As Twitter has become all the rage among marketers, especially how to create a viral “buzz” effect on product launches, or use it to build up a massive number of followers, marketers have looked for ways to encourage people to tweet about them.

The innocent methods are things like the retweet buttons you will see on my blog, or encoded retweet links.

Aside – have you noticed on recent product launches that the retweet links haven’t included affiliate links, thus are effectively “leaks” in a landing page for which an affiliate gains no benefit, unless they are offering huge bonuses to benefit from the buzz?

The more nefarious solutions are the “free” scripts that you can receive just by tweeting about them, install on your server, and then use to offer small incentives to tweet about your upcoming product launch.

The most popular early solution was Viral Tweets and I have seen tons of otherwise very respectable marketers use this script or a variation of it as an incentive to gain viral exposure.

Viral Tweets Tell A Friend

Just like with Tell-A-Friend scripts that ask for your gmail account, the danger isn’t necessarily with the Tell-A-Friend script, but hosting it on a server which might be insecure in other ways.

A twitter account isn’t anywhere near as valuable as a primary email address with password, and accounts taken over can possibly be recovered with the help of the Twitter engineers and support.


  • Why subject potential customers to something that might be a security hazzard?
  • If you are a respected marketing guru, isn’t it your responsibility to promote best practice, especially as whatever tactics you do use in your campaigns will be mimiced by others, often with less precautions such as server security and audits.
  • Some implementations might be scraping off the cream that your afiliates have earned.

Viral Hell – Prosecution Exhibit 3 – Twitter Pyramid Scripts

If you missed being exposed to TweeterGetter on Twitter you were among the lucky ones.

The true “viral” effect lasted less than a weekend, and from then on, the viral exponent (a term I learned from Mike Filsaime’s Butterfly Report) was less than 1.00.

The headline claim was for users to achieve “19,530 followers”, a target only just achieved by the site creator within the 30 days – from memory he reached that number after 27 days.


Tweeter Getter Viral Hell

Now in this case the “viral hell” isn’t for the users of the site, though there have been a number of individual Twitter applications where it was suggested the account details were being abused. As far as I am aware the script isn’t being sold (though it might be a backend offer), thus there is only one potential vulnerability.

The “viral hell” is for the readers. After the first week the only people tweeting links were:-

  • Spam accounts
  • Desperate newbies
  • Otherwise automated accounts

I am sure some people still abuse their email lists in this way, but it certainly isn’t the pinnacle of marketing excellence.

Viral Hell – Prosecution Exhibit 4 – Twiveaway

About a month ago Brad Callen, a marketer I generally respect and whose products I have purchased (e.g. SEO Elite many moons ago) released a new script/service for Twitter giveaways.
I contacted him directly, and suggested ways to improve it, and that requiring passwords was not only a security vulnerability, but for giveaways it isn’t actually something that is needed.

Requiring a password for a 3rd party service is FRICTION – much more than an email address

It looks like a month later, the scripts out in the wild, such as used by Launch Tree, still require passwords.
It is highly possible that Anik actually has a beta version of the script, and that Brad is generally only providing this as “software as a service” to most users.

I expected much better

Danny Sullivan I think coined the phrase “craphat SEO” for the SEO tactics that exploit vulnerabilities such as link injection in blogs.

Jeff at Coding Horror described this kind of programming as:-

Email is the de-facto master password for a huge swath of your online identity. Tread carefully:

* As a software developer, you should never ask a user for their email credentials. It’s unethical. It’s irresponsible. It is wrong. If someone is asking you to code this, why? For what purpose?
* As a user, you should never provide your email credentials to anyone except your email service. Sites that ask you for this information are to be regarded with extreme suspicion if not outright distrust.

But it in many ways is worse, because this script from Brad doesn’t even provide any real protection, or that is the case from examples I have seen.

e.g. You can get a Twiveaway account here without using their forced retweet form, and I accessed that just looking at the form source code.

Viral Hell – Prosecution Exhibit 5 – Launch Tree

Launch Tree already have retweet links in various places, including on the main landing page. In theory, the majority of traffic to the site is landing there, and giving an email address to get access to free content.

Now as an additional barrier, for what might be one of the hottest videos with Andy Jenkins, they also require you to tweet about it.


These guys run companies making $10M+ a year, yet they are using Brad’s craphat software, and asking people for passwords to their Twitter accounts.

I am not worried about them collecting passwords, not even a huge amount with server security (well at least I hope they have that buttoned down).

The biggest problem is their position in the industry and endorsing this method as acceptable.

There is a reason on the TV they use a phrase

“Don’t try this at home kids”

I don’t endorse Google, Linkedin, Facebook et al scraping email accounts for viral marketing, but lets face it, they can do a better job with server security than the average internet marketer, and even then it is only one security vector being attacked.

A good implementation – maybe take a look at the way Dopplr uses APIs – just a small startup with a little funding, much less than the income from one major product launch.

Launch Tree

I still think Launch Tree is a highly valuable product for any marketer looking to promote a product and optimize their conversions and ultimate launch profitability.

Maybe even more so because of these issues raised, because it provides a central knowledgebse of what works, and what is acceptable. Such as one of Mike’s launches mentioned last might where even if someone only wanted the initial offer, and none of the upsells/downsells, it would take them 37 minutes to actually finish their order… real upsell hell that Mike learned from.

How good is the free material being provided during the Launch Tree launch?


As an example after the Brian Johnson interview (where they only revealed part of the launch details) I decided that I needed some notes, both to aid my long-term learning by writing things down in some way, and as an aid to actually understand what was being said.

So I put together a detailed process map, with all the numbers, and I was going to use it as some kind of squeeze page or purchase incentive.

I have decided to release this right here, for free, with no obligation for anything.

Internet Business Strategy Brian Johnson Strategic Profits Interviewed-by-mike-filsaime
I have linked this one image as an attachment, so click the image, or here to get a full size version.

I created that using Xmind, and if this post reaches 100 retweets I will release the source file so you can edit it for your own personal use.

That is another important factor – I am sick of products that include mindmaps and process maps that don’t include files that can be edited. Procedures change, or get customized. A file that can be edited is worth 5x more, even if just for personal use.

No Passwords Link

So the newest video is Andy Jenkins being interviewed about their Stomping The Search Engines 2 launch, which made millions by giving away a high ticket SEO training course, just for the cost of shipping.

It is a very good course, and has just been rereleased, you can get it for $1, immediate online access. (but be quick, I don’t expect the offer to remain open forever)

STSE2 with this offer is probably the best value SEO training from an authority source currently online, though be warned, there is an attached continuity to the offer – the very upfront “ethical bribe” to try out their “Net Effect”

With Launch Tree, I honestly don’t feel comfortable sending you to a site which is asking you for Twitter passwords – it is that “ethical streak” in me, part genetic, part top grammar school education.

Fortunately as I have mentioned Brad’s script is easy to bypass.

Andy Jenkins Launch Tree Interview Direct Link

Click Here For Andy Jenkins Launch Tree Interview

Direct Link (no password)

Now whilst some might look on this as me bypassing security, before posting this I did make sure the page was indexed in Google already, without any help from me.

Also it is set up as a landing page, and I am using Anik’s smart affiliate system which supports deep linking.

Liked this post? Follow this blog to get more. Follow


  1. says

    It’s amazing how easy it is to get people’s info
    Great work Andy
    I wouldn’t loose any sleep over loosing my twitter acct but sadly my password for that and gmail,bank acct etc is the same.
    This post raises awareness BIG time
    great to see you back in action
    Stumbled and sent around the World :)

  2. The Agra Indian says

    This is not at all secure from the user point of view, giving out user id and password over the internet and that too to some other web site is very risky.

  3. Sports Betting Guide says

    Great article. I need to start using social networking sites. This has given me a good heads up about some aspects of twitter.

  4. Jeet says

    OAuth was long pending from twitter and I see many twitter clients are trying to move to the public beta they had launched recently. About Viral Inviter, don’t you think they would just use the password once and discard it right away? BTW, Google also has a contact API that uses OAuth as well as 2 other third party auth methods.

    • says

      Hackers often gain access to poorly managed servers – not just one hosting account, but the whole systems, often 100s of accounts.
      On a well managed system, your hosting accounts are vulnerable, thus just because you have something like WordPress installed on a completely different different domain might not matter at all, they could still access scripts somewhere else.

      If I was that way inclined, even if you were running the latest version of WordPress, I am sure there are still a few undiscovered vulnerabilities, or things that are not yet made public. Just hire some Russian security experts.

      It doesn’t matter the intention of the inviter script, or that it was designed not to store data – just 2 lines of code added is enough to grab the account details of anyone who uses it. I tinker with code, but I could do that part easily.
      Users become numb to certain actions due to repetition – already we see people very careless about Twitter passwords, and the same is true for inviter scripts
      Both Comcast and MPAA/RIAA have been hacked in the last year – are their server admins incompetent? Ultimately there is only so much you can do, the safest method is not to ask for personal data on your own site
      Risk aversion in business is important – both from a legal and reputation management standpoint

  5. First Home Buying says

    This is ridiculous – I didn’t know all this stuff was going on. You’d hope that the average user would be wary of a web form that asks you to supply your username and password on an account for which the website is not the official source, but apparently there are quite a few people who are okay with giving out this information to just anyone who promises to keep it safe. There is no gauge for truth on the internet; people are always going to believe what they want to believe.


  6. Chuggin McCoffee says

    I missed TwitterGetter, but I know that the only effective retweeting actually comes from organic traffic and followers not some other kind of spamming motivation.

  7. says

    Great information Andy very helpful to know these security issues taking place and social net workers be aware of all this information you share, also thanks for the free tool you kindly shared to us all, as well but not least Stomping The Search Engines 2 bargain deal

  8. Matthew the sports guru says

    The video links are excellent but what I’m not very sure is about the giving of password online. I think the users identity is not secure at all because it would be published on the internet. Great post. Thanks for sharing.

  9. Motorbike Jacket says

    I would think that with a Twitter viral, if someone wants to try it the simplest solution would be to change their password first, make use of the viral system, and then change their password back.

  10. Luana @ says

    I’m glad I didn’t start using Twitter that way :( It doesn’t seem like I’d have turned out with so good profits… Thanks for sharing this very useful article.

    – Luana

  11. says

    I agree with this post. I would not give out my passwords to any third-party scripts unless I were absolutely sure they were (a) on my site, and (b) secure.

  12. Single Maria says

    I began using Twitter some times ago, but each day I get annoyed more and more. There are many disadvantages. and spams. I am tired of it. Hope people who dont recognize it yet, soon will do it. The end of Twitter is inevitable!

  13. says

    Excellent post Andy – I couldn’t agree more.

    It amazes me how many people don’t even think twice about entering their login info for Gmail, Twitter or whatever into these scripts. Especially since some of them come from people who aren’t very well known, if at all.

    In some ways, it’s part of the same problem that causes a lot of viruses and malware to spread so quickly. People don’t pay attention to what they’re doing, they just click where they’re told to click.

    Using a computer or the internet should be like driving – you have to pass a test before you get your license :-)

  14. says

    This is ridiculous – I didn’t know all this stuff was going on. You’d hope that the average user would be wary of a web form that asks you to supply your username and password on an account for which the website is not the official source.

  15. Terri says

    Wow what great information, thanks for posting, of course some of the warnings came to late because I have fallen prey to some of the things you mentioned, bet lot of us did.

    Hope this isn’t off topic but I like entrecard but I have to practice safe dropping on blogs I know are safe because I had to pay over $200 to have dell support clean up viruses etc picked up from blogs who have the entrecard widget and viciously infect your site. Some things look and sound harmless especially to non-tech type.

  16. says

    Thank you for an excellent post – sharing a very ethical perspective on launches. You are really adding to the thought of what is going on in IM. Thank you!

  17. says

    Andy, after giving this further thought I realize there’s another danger of these scripts asking for the password…

    I have no doubt the scripts themselves are legitimate, but what’s to stop a hacker or scammer from simply creating a page with WHAT APPEARS TO BE the same script, but which really just serves to provide the scammer with your Twitter password?

    How is a user supposed to tell the difference between a legitimate use of a script, and one used for the purpose of scamming? The answer is: you can’t, unless you ABSOLUTELY trust the site owner.

    That’s why I won’t be using any script that asks me for my Twitter or Gmail password – and I would encourage everybody to use them with extreme *caution*. After all, if a person’s account gets hacked, and they’ve given out their password to a site other than the official one (i.e. or, isn’t there the *possibility* that THAT PERSON may be responsible for their account being hacked, because they gave it to some site that claimed to be using a trusted script?

    Paul Hancox

    P.S: Andy, I will be launching a Twitter viral marketing tool shortly which will *not* require anybody’s password – I’d love for you to test and review it… just drop me an email if you’re up for that. Hopefully it will give you some points for comparison :)