Thus I am glad to see Twitter will switch off access to their API using standard authentication of username and password, and providing access only by OAuth.

For that I applaud the Twitter team for taking a positive step for online security.

Do As I Say, Not As I Do?

Twitter are still scraping friend information from email accounts.

It doesn’t matter what they claim they scrape, or that they claim to not store the information

• Not using OAuth is now totally hypocritical
• Twitter have been hacked in the past
• A few hundred million people giving up their email passwords is quite a valuable target

I realise Facebook only fixed their Friend Finding / Tell-A-Friend system after they purchased Octazen (and shut it down to new customers), but if Twitter expect their developers to use OAuth, the least they should do is use it themselves.

Update

Just saw this in Facebook – I know that Skype contacts are hardly the key to your online business like a Gmail account, but I thought they were finally past all this account scraping crap.

Facebook sucks for privacy again… well even more… well you know.

Now in the space of just a week I have been able to highlight a solution based upon one of my own blog posts that uses a slightly ghetto, but K.I.S.S method to achieve extremely effective viral tell-a-friend functionality, and now I want to mention another more sophisticated solution.

In my last post I mention that Stompernet currently have an offer to get their Stomping The Search Engines STSE2 SEO Course 100% Free with no credit card requirements.

Now if I am going to state that something is 100% free, I really want to be sure that there are no strings attached.

So I tested the signup procedure and created an account for my wife.

Stompernet Tell-A-Friend Process

As you can see, lots of import options, and whilst a few of them do require username/password, the most important business centric address for online marketers, Google, uses an API hosted by Google.

Remember, Google Account is Key To:-

• Gmail (Paypal, Domain registration, Hosting)
• Adwords
• Analytics
• Adsense
• Private Calendar

Entering your email and password into a form on a 3rd party site is a security liability.

Asking your customers to do it is a security liability for them, thus a business liability for you.

Stompernet are the first in the “Internet Marketing” niche that I am aware of to use a legitimate, safe process for gathering contacts for use with incentive based Tell-A-Friend, and do it better than Twitter, Facebook & LinkedIn.

Probably due to time constraints, one visible blooper is that they haven’t registered with Google (I am not sure of the procedure), and it might take a while to process.

Here is the email that gets sent to your friends.

It would be good if there was a way to edit it before sending

I Skipped Something

The observant will notice I skipped the import stage as I felt it wrong to crop the image, for impact. Whilst I am on a lot of email lists, and have a fair few contacts, I don’t think this situation is unusual.

This is going to be a usability issue with almost any primary email account used by an online marketer., unless they are ruthless with their email list pruning.
The more ghetto version doesn’t have this usability issue, because emails are filled out within the native email interface.

The script that Stompernet are using is Octazen which looks very capable, and they list lots of social networks among their customers. They also have a WordPress plugin though I am not sure of the capabilities – something I will be looking into myself.
I have no idea why so many sites still ask for passwords. Maybe they are using an old version of the script that doesn’t use the APIs for some reason.
I must admit that acted as a negative advert for them – I had been to the site previously, seen the logos for Twitter and LinkedIn – remembered how bad their systems were asking for Gmail passwords, and just ignored them.

Oh… that list of contacts – this rivalled John Reese’s 40 page Traffic Secrets sales letter… around 40 pages in this screenshot, though that only takes us up to letter “T” – my screengrab software was having problems with a file over 30,000 pixels high.

Gmail Imported Email Addresses

I am not sure what drove me to sign up as a JV partner with Dan, though the following factors almost certainly played a factor.

• Supreme confidence in the value of his product just oozes out of the videos he produces (there are lots of them)
• Lots of professional landing pages – it is obvious he has spent a lot of time working on them
• A great JV Opportunity but to be honest I would highlight this anyway… you will see why in a moment

Unobtrusive Marketing

I have spent a fair amount of time since I signed up with Dan chatting with him on Skype – his commitment to his JV partners is exceptional, but I am sure that has also lead to significant improvements in his sales funnel as affiliates give him direct feedback.

We have all seen various improvements to sales funnels over time, and a lot of what Dan is doing will seem very familiar. The overall design of the landing pages, the opt-in etc, but Dan has added a few of his own twists that take things to a new level.

What is special is that the things Dan has added are smart and unobtrusive, but still catch the eye and achieve the desired effect – many of them he has coded himself.

It is a rare thing for me to see something and immediately reach for Skype and ask “Where did you get that script from?”

Long Term Commitment To Success

I am going to swipe a small excerpt that Dan sent out in one of his JV emails – if you are a successful online marketer, this is the kind of email that might make you emotional, because you can almost see before you a guy that is just about to hit a home run.

******************************
1 Year In The Making!
******************************
Someone asked me the other day if I am starting to get excited, because launch is getting so close. I find it hard to put into words how excited i am getting. To give you an idea, I have been working on this project since September last year. 20 hours a week at first, then 50 – 60 hours a week for the last 9 months… and it finally feels like it’s within reach. So am I excited? What do you think?

The fact that I am so exited is only part of the contributing factor to me not sleeping at night. The other thing is the fact that I am on the other side of the world to pretty much everyone, and I spend hours on the phone. Amongst other things, I have spent ages on the phone making sure that I will be able to handle a huge launch in every respect.

The Personal Touch & Proof

There is nothing quite so powerful in establishing relationships with a JV partner than a personal greeting. The one I received from Dan was remarkable, not because of big promises of huge commissions, special access or anything else you might normally expect – the greeting I received was really personal, and at the same time provides me with something more valuable than even a $2000 boxed product… proof

I have been given permission to publish whatever I like, but here is just a small excerpt.

Thanks for coming onboard with TheBossBuster launch. Just thought I’d drop you a quick hello and welcome, and also let you know something that I learned from you that is going to make me a lot of money (and already has done alright for me).

Ok so that grabbed my attention but on its own isn’t much to go on, lets grab a few more snippets…

Originally I bought viral inviter, and was going to use that on my site. After ■■■■■■■, and ■■■■■■■, I went looking for another solution. What I found was a solution on your site, where you can just pass parameters to gmail, hotmail etc, and do effectively the same thing straight through them. This has a number of advantages over viral inviter (which I am sure you are aware of, so I won’t tell you how to suck eggs).

Yes I have ■ out some of this. I will quite happily criticise an application on specific technical issues that represent a risk to my readers, but I am not going to address other aspects that may be hearsay, or subject to specific circumstances.

But I digress…

So long story short, when I tested this with one of my affiliates, I made ■■■■■■■. I was also getting people to do some social networking referrals, but most of the extra was from the emails. The best bit about this is ■■■■■■■, so it doubled my income! Now I am rolling it out on this major launch, and I expect it will make me 6 figures!

I am keeping exact numbers confidential but suffice it to say most people would be able to live for an extra month on the additional income made on one relatively small test.

Now I can’t give you any specific reference, but a frequently quoted figure is that a Tell-A-Friend script, even some of the “viral” ones with features copying Facebook & Myspace rarely add more than 10-20% additional subscribers.

For a tell-a-friend implementation to double Dan’s income, and notice he was specifically tracking the emails compared to social media referrals, that is a huge revenue increase… from one of my blog posts.

Dan absolutely nailed the best possible way to encourage me to write something… providing me with some proof that helps me with any future product launch.

Tell-A-Friend Implementation

Dan didn’t just take an idea from my blog and implement it, he ran with it adding nuances that work so well, he doubled revenue.

Here is just a small part of his Tell-A-Friend page

This Tell-A-Friend implementation I endorse fully (though I did agree to disagree on a couple of details)

• No password is requested
• It is bullet-proof – it doesn’t even use APIs
• Email deliverability is most likely much higher than other solutions
• Emails are sent from a “natural environment” that the end user is familiar with
• Dan figured out a way to even add incentives that are delivered automatically
• The incentive system is multi-tier, rewarding people who refer more friends

Ultimately it is better than anything I have seen used by 6, 7 even 8 figure online marketers, and in many ways better than what is used by Facebook, Myspace and other social networks.

There are a whole load of other smart things he has added to the page that work very well, but I don’t want to spoil it for you for when you sign up to check things out.

It isn’t perfect (but pre-launch doesn’t officially start until Monday)

• The page needs a privacy statement
• A few trust marks could probably boost conversion even more
• I have encouraged Dan to change the way videos are being streamed, but more on that at a later date

Exit Strategy

This is what prompted me at 3am to immediately fire up Skype and contact Dan this morning (there are some advantages with him being in Australia)

• We have all seen corner-peel ads – they are effective to a degree
• We have seen automated “live support” robots on exit, which we all know are fake
• More recently the fashion has been to redirect to a new offer page, opt-in or other alternative, which is often confusing for me which button needs to be pressed to actually stay and read the damn things, I don’t know about anyone else.

What Dan has implemented is different… unique, apparently he coded it himself, and it was quite simple to do

It grabbed my attention as a geek, but I am sure it is something that would grab the attention of any audience, though it is something you would want to split-test extensively – it is something that can be split tested very effectively.

Just watch what happens on the page when you try to exit before opting in…

I am sure the code is very similar to a Page Peel, but the effect is quite different.

Video Use

Dan has made some great use of video in his prelaunch to JVs, keeping them informed on a regular basis. This is one thing I have strongly urged him to tweak however, but more on that at a later date.

I am not going to say he has done things better than others, but he has used video extremely well at every stage of the sales funnel that I have seen so far, and for regular JV updates.

JV Tools

Dan is quite proud of his JV Tools area that is pretty effective – plenty of preprepared emails and banners without the usual long confusing page. I can’t remember the last time I just used even part of someone else’s copy but that is just me. I tend to highlight things in a different way.

Smart Autoresponder Pages

This part isn’t quite unique, I know Big Jason Henderson sells a similar script, but it was very well implemented and no doubt increases email confirmation rates significantly as it is “smart” specific to each email service.

Product Fit For Your Audience?

Who knows, Dan is running a 2-tier affiliate program using Delavo which is fairly robust and has some interesting features in itself. I know lots of affiliates who love it.
The product is a little risqué for some territories, sports arbitrage, but Dan certainly seems to know what he is talking about, and the videos I have seen suggest he is an exceptional teacher – of course he provides a solid guarantee as well.

Apparently he has tested in multiple niches with some quite interesting results.

The Purpose Of This Post?

• Above all, I think Dan has been working his #$%^ off for months assembling this launch
• I love people taking action based upon my blog posts – Dan isn’t the only one who has seen remarkable success, but there is a danger in bragging about things like SEO. I want you to see Dan’s Sales Funnel
• I believe the product might be of interest to some of my audience.
• I love 2-tier affiliate programs and I know some of my readers are a great match. Sign up to JV with Dan

(Note: I will add in the links to the squeeze page on Monday, but you can navigate your way through easily enough – I wouldn’t want to be accused of emailing early for the launch)

This post is a year overdue – I have held back the material and refrained from pointing the finger for that period of time, but there is something I have noticed:-

If you don’t kick up a big stink, possibly including names, any advice just gets swept under the carpet.

I was on a very good webinar last night – Mike Filsaime and Anik Singal were highlighting all the mistakes that have been made with various “free offer” or “just pay shipping” offers.
This didn’t just cover mistakes that might have led to a poorer conversion, but also what has become known as upsell hell.

11 months ago after a number of prior warning posts I made the following statement.

Over the last few months I have already taken the decision not to promote a number of sites and services launched by Internet Marketers using these dangerous scripts.

I have proven I can rank highly in the SERPs for any product. It is going to help conversions when on the first page of the SERPs for your product name potential customers find…

Product Name – WARNING: SECURITY RISK – Read This First!
or
Product Name by Marketer Name – Warning: Security Risk

The only problem is, this won’t be a typical fake affiliate promotion, but a real warning

Note: I also provided a number of solutions within that post that don’t require a viral tell-a-friend to ask for a username & password.

Viral Hell – Prosecution Exhibit 1

Probably the most prominent viral tell-a-friend script is Viral Inviter, beta tested by Mike Filsaime for the launch of his Butterfly Reports site, and that site was used as “proof” of the effectiveness of the script within the launch of Viral Inviter, and on the sales page.

Here is what it looks like embedded inside Butterfly Reports (screenshot taken just a few hours ago)

How bad or insecure is it?

Here is a direct link to the framed form on the ButterflyReports.com site.

What could be tied to my Gmail account?

That is the key to unlocking:-

• Multiple Email Accounts
• Your Google Adsense Account
• Your Google Adwords Account
• Google Analytics
• Google Website Optimizer
• Your PayPal Account
• Affiliate program passwords
• Access Your Blogger account
• Access any scripts that allow you to resend or reset passwords
• Open any social media profile that used that email address
• Did you use that address for domain records? Wave goodbye to your domains

This isn’t a case of whether the script itself is secure, but the server

There is probably no such thing as an open-source content management or blog software project that hasn’t had at least one security vulnerability discovered within the last year.

It only takes WordPress or another popular script to be hacked, and rather than injecting a few links, any script, including a viral tell-a-friend could be modified to do something unintended.

This sin’t even about that specific script running on Mike’s server, but all the 100s or even 1000s of customers of Viral Inviter who might not have a team of programmers and security geeks working for them.

Also Butterfly Marketing has been customized to work with Viral Inviter out of the box.

Butterfly Marketing may or may not be as secure as WordPress, but just like with blog software, that doesn’t matter if you are not storing or asking people to input into forms highly sensitive data.

If a script/site gets hacked, you hopefully have at a minimum daily backups, and all that might be accessed are a few email addresses plus your content – annoying for customers but ultimately not a business liability for anyone.

If you run Viral Inviter with Butterfly Marketing, and something gets hacked, the most profitable exploit of your high traffic site is to grab Gmail username & passwords, especially if your site is targetted to novice online marketers.

Viral Hell – Prosecution Exhibit 2 – Twitter Scripts

As Twitter has become all the rage among marketers, especially how to create a viral “buzz” effect on product launches, or use it to build up a massive number of followers, marketers have looked for ways to encourage people to tweet about them.

The innocent methods are things like the retweet buttons you will see on my blog, or encoded retweet links.

Aside – have you noticed on recent product launches that the retweet links haven’t included affiliate links, thus are effectively “leaks” in a landing page for which an affiliate gains no benefit, unless they are offering huge bonuses to benefit from the buzz?

The more nefarious solutions are the “free” scripts that you can receive just by tweeting about them, install on your server, and then use to offer small incentives to tweet about your upcoming product launch.

The most popular early solution was Viral Tweets and I have seen tons of otherwise very respectable marketers use this script or a variation of it as an incentive to gain viral exposure.

Just like with Tell-A-Friend scripts that ask for your gmail account, the danger isn’t necessarily with the Tell-A-Friend script, but hosting it on a server which might be insecure in other ways.

A twitter account isn’t anywhere near as valuable as a primary email address with password, and accounts taken over can possibly be recovered with the help of the Twitter engineers and support.

But…

• Why subject potential customers to something that might be a security hazzard?
• If you are a respected marketing guru, isn’t it your responsibility to promote best practice, especially as whatever tactics you do use in your campaigns will be mimiced by others, often with less precautions such as server security and audits.
• Some implementations might be scraping off the cream that your afiliates have earned.

Viral Hell – Prosecution Exhibit 3 – Twitter Pyramid Scripts

If you missed being exposed to TweeterGetter on Twitter you were among the lucky ones.

The true “viral” effect lasted less than a weekend, and from then on, the viral exponent (a term I learned from Mike Filsaime’s Butterfly Report) was less than 1.00.

The headline claim was for users to achieve “19,530 followers”, a target only just achieved by the site creator within the 30 days – from memory he reached that number after 27 days.

Now in this case the “viral hell” isn’t for the users of the site, though there have been a number of individual Twitter applications where it was suggested the account details were being abused. As far as I am aware the script isn’t being sold (though it might be a backend offer), thus there is only one potential vulnerability.

The “viral hell” is for the readers. After the first week the only people tweeting links were:-

• Spam accounts
• Desperate newbies
• Otherwise automated accounts

I am sure some people still abuse their email lists in this way, but it certainly isn’t the pinnacle of marketing excellence.

Viral Hell – Prosecution Exhibit 4 – Twiveaway

About a month ago Brad Callen, a marketer I generally respect and whose products I have purchased (e.g. SEO Elite many moons ago) released a new script/service for Twitter giveaways.
I contacted him directly, and suggested ways to improve it, and that requiring passwords was not only a security vulnerability, but for giveaways it isn’t actually something that is needed.

Requiring a password for a 3rd party service is FRICTION – much more than an email address

It looks like a month later, the scripts out in the wild, such as used by Launch Tree, still require passwords.
It is highly possible that Anik actually has a beta version of the script, and that Brad is generally only providing this as “software as a service” to most users.

I expected much better

Danny Sullivan I think coined the phrase “craphat SEO” for the SEO tactics that exploit vulnerabilities such as link injection in blogs.

Jeff at Coding Horror described this kind of programming as:-

Email is the de-facto master password for a huge swath of your online identity. Tread carefully:

* As a software developer, you should never ask a user for their email credentials. It’s unethical. It’s irresponsible. It is wrong. If someone is asking you to code this, why? For what purpose?
* As a user, you should never provide your email credentials to anyone except your email service. Sites that ask you for this information are to be regarded with extreme suspicion if not outright distrust.

But it in many ways is worse, because this script from Brad doesn’t even provide any real protection, or that is the case from examples I have seen.

e.g. You can get a Twiveaway account here without using their forced retweet form, and I accessed that just looking at the form source code.

Viral Hell – Prosecution Exhibit 5 – Launch Tree

Launch Tree already have retweet links in various places, including on the main landing page. In theory, the majority of traffic to the site is landing there, and giving an email address to get access to free content.

Now as an additional barrier, for what might be one of the hottest videos with Andy Jenkins, they also require you to tweet about it.

These guys run companies making $10M+ a year, yet they are using Brad’s craphat software, and asking people for passwords to their Twitter accounts.

I am not worried about them collecting passwords, not even a huge amount with server security (well at least I hope they have that buttoned down).

The biggest problem is their position in the industry and endorsing this method as acceptable.

There is a reason on the TV they use a phrase

“Don’t try this at home kids”

I don’t endorse Google, Linkedin, Facebook et al scraping email accounts for viral marketing, but lets face it, they can do a better job with server security than the average internet marketer, and even then it is only one security vector being attacked.

A good implementation – maybe take a look at the way Dopplr uses APIs – just a small startup with a little funding, much less than the income from one major product launch.

Launch Tree

I still think Launch Tree is a highly valuable product for any marketer looking to promote a product and optimize their conversions and ultimate launch profitability.

Maybe even more so because of these issues raised, because it provides a central knowledgebse of what works, and what is acceptable. Such as one of Mike’s launches mentioned last might where even if someone only wanted the initial offer, and none of the upsells/downsells, it would take them 37 minutes to actually finish their order… real upsell hell that Mike learned from.

How good is the free material being provided during the Launch Tree launch?

Exceptional

As an example after the Brian Johnson interview (where they only revealed part of the launch details) I decided that I needed some notes, both to aid my long-term learning by writing things down in some way, and as an aid to actually understand what was being said.

So I put together a detailed process map, with all the numbers, and I was going to use it as some kind of squeeze page or purchase incentive.

I have decided to release this right here, for free, with no obligation for anything.

I have linked this one image as an attachment, so click the image, or here to get a full size version.

I created that using Xmind, and if this post reaches 100 retweets I will release the source file so you can edit it for your own personal use.

That is another important factor – I am sick of products that include mindmaps and process maps that don’t include files that can be edited. Procedures change, or get customized. A file that can be edited is worth 5x more, even if just for personal use.

No Passwords Link

So the newest video is Andy Jenkins being interviewed about their Stomping The Search Engines 2 launch, which made millions by giving away a high ticket SEO training course, just for the cost of shipping.

It is a very good course, and has just been rereleased, you can get it for $1, immediate online access. (but be quick, I don’t expect the offer to remain open forever)

STSE2 with this offer is probably the best value SEO training from an authority source currently online, though be warned, there is an attached continuity to the offer – the very upfront “ethical bribe” to try out their “Net Effect”

With Launch Tree, I honestly don’t feel comfortable sending you to a site which is asking you for Twitter passwords – it is that “ethical streak” in me, part genetic, part top grammar school education.

Fortunately as I have mentioned Brad’s script is easy to bypass.

Click Here For Andy Jenkins Launch Tree Interview

Direct Link (no password)

Now whilst some might look on this as me bypassing security, before posting this I did make sure the page was indexed in Google already, without any help from me.

Also it is set up as a landing page, and I am using Anik’s smart affiliate system which supports deep linking.

Anyone can make a mistake, release a product without considering all the possible ramifications, but to release Opt-in Accelerator again without major changes is irresponsible.

The Irresponsible Viral Tell-A-Friend Trio

So far there have been 3 such scripts I have written about, and there is a 4th “coming soon”

• My first coverage of Opt-in Accelerator
• Then there was Viral Optin Generator which may well have been a private label or resale rights product
• Viral Inviter is launching soon – last I saw of this script installed “out in the wild” it was a security risk
• There is another one I know about, TrafficXplode 2.0 which also features the same security risks

Relook @ Opt-In Accelerator

You see that big red circle I added?

That is the key to unlocking:-

• Your Email
• Your Google Adsense Account
• Your Google Adwords Account
• Google Analytics
• Google Website Optimizer
• Your PayPal Account
• Affiliate program passwords
• Access Your Blogger account
• Access any scripts that allow you to resend or reset passwords
• Open any social media profile that used that email address
• Did you use that address for domain records? Wave goodbye to your domains

I am not claiming that anyone creating such as script is dishonest, or even the people who might use them, but it takes a huge investment of manpower and financial muscle to keep personal data secure, and those are things most internet marketers don’t have.

All it takes is a script kiddie to come along and compromise the script running on your server, and then rather than acting as an “innocent” tell-a-friend script to boost your email subscribers, it would collect login and password information and forward it to an anonymous server.

All it would take is 2 lines of additional code

We will ignore many of the other potential problems with scraping the email services against their terms of service, potentially breaking the terms of the autoresponder service you use, or totally trashing your email deliverability as 100s of people flag your messages as spam.

I think Robert Plank covered that aspect of Opt-in Accelerator quite adequately.

Solutions

Password data should never be entered in an insecure form hosted by someone without exceptional security in place.

Very Simple Mail To:

This example from Plurk (they also use the insecure method, and have been accused of spam with their Facebook implementation)

http://mail.google.com/mail/?view=cm&cmid=0&fs=1&su=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line&tearoff=1&shva=1&ui=1

http://compose.mail.yahoo.com/?Subj=Invitation+to+Plurk.com&Body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21+Accept+my+invitation+by+going+to%3A+http%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2.+Check+out+my+profile+by+going+to%3A+http%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard

http://www.hotmail.msn.com/secure/start?action=compose&subject=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line

This code is wonderful because people use their own email server to send the emails, no strain on your servers, so it could be used on any server, even a shared account which has limitations on how many emails you can send per hour.

Existing APIs

Google Yahoo and Microsoft also have APIs for this kind of stuff which can also be used for finding friends.

Google Contacts API
Yahoo! Contact API
Windows Live Contact API

I should also mention the ongoing Oath efforts being made to create a unified interface for retrieving contact and other personal information with permission.

To be fair, I am going to give Jason a link with some partial counter arguments. He seems to think it is worth the risk.

The problem with that argument is that there is no need for this to be a security risk. It is just junk programming.