On the one hand, I'm not happy that Tagged and co are getting all this publicity, but on the other I'm hoping that it helps to stem the tide a bit. It's shocking how many people have not learned the importance of keeping passwords secret.
I work for a web dev firm, and one of the features a client wants is a Facebook-style "invite your friends by giving us your e-mail and password" feature. I'm trying to think of a nice way of convincing the client that the feature they want is really a psychological bug that's going to cause long-term problems for, well, everyone on the internet.
Why not use BBAuth? I know Yahoo and Google support it. That way you can grab their email contacts without requiring them to give you their email/password. It just sends them to the email provider to log in, then back to your site with the API token to access their address book.
"I spoke to Greg Tseng, founder and chief executive of Tagged, to ask him what happened. He said all social networking sites invite you to e-mail your contact list to join up or discover which of your friends are already members, but that a software glitch meant an unusually large number of accidental invitations went out recently."
I'm confused, does it ask you to type in your email address and password for your email provider? I can't believe anybody would be stupid enough to fall for that.
If it doesn't, where did it get all of his contact info? Did he enter it in himself? If this is the case, what does the website say that prompts you to enter in your contact lists?
Yeah, that was my question too. I think what happens is, when you enter your email address and password to log in to the site, the site assumes it's the same password you use to log in to your mail provider. Of course, that assumption could be wrong but apparently, it works often enough. And of course, this only works with the big web mail providers like Google and Yahoo. I got a similar spate of emails from friends asking me to register on their birthday calendar.
Not really, they aren't assuming you use the same password as your mail provider. These sorts of sites just ASK you outright for your login/password... and a lot of users actually give this up voluntarily to a third-party site.
Lots of information here on this sort of anti-pattern:
yep, it asks for your email login and pw - pretty common; facebook and twitter also do this (or did). people would rather allow them unfettered access than manually set up friends/followers.
I can't believe the author is so soft on Tagged and MyLife.com etc. I've seen this happen to my mother as well, who was very embarrassed. This needs to be regulated and be treated like spamming is.
First time I saw this happen was when my daughter signed up for Doostang. All of us on her Gmail address list got an invite, including some ex-boyfriends. She later sent an apology to the whole list. It was certainly a wake-up call.
I had to read this like 3 times to understand that users were voluntarily typing their email password into a site. It's so ingrained in my behavior not to do that, I was trying to figure out, "how do they get the password?"
Wait -- are they just using the password you type for their site to log in and go through your Gmail account (guessing that they're the same pw)? That's fraud. I don't care if it's in the fine print. I use multiple passwords, but not enough. If websites just start using my passwords to break into my private data on other sites, that's seriously fucked up.