For all the talk about privacy and security, it seems that a lot of people are downright sloppy when it comes to whom they give their personal information.
There were a couple of prime examples this week in which large numbers of unsuspecting or naive users happily handed over their usernames and passwords to a third party simply because the service looked cool.
First up was SocialMinder, which is offering a service that lets you get control of your Gmail and LinkedIn contacts. To use it, you have to hand over usernames and passwords to an unknown company offering a beta service. Even worse, SocialMinder is using the information to spam your contacts, unless you realize what they are trying to do and opt out.
Next is Twitterank, which I noticed because Louis Gray had a Twitter post about his ranking. To get a sense of where you stand in the Twittersphere, you have to give Twitterank your username and password.
ZDNet’s Oliver Marks has a post saying that “Twitterrank has no apparent purpose beyond a sketchy numerical rating, and there are rumors circulating on Twitter this afternoon that it is basically a fishing expedition”.
Twitterank suggested it needed the information due to issues with Twitter’s API, which is hard to believe given so many services play well with Twitter. Right now, Twitterank is down.
My advice if you used SocialMinder or Twitterank is to change your passwords NOW.
As well, it should be a wake-up call for everyone to be a lot more careful about sharing personal information. It should also be a reminder that changing your passwords on a regular basis and not using the same password for every online service are good digital habits.
More: Louis Gray has a post about Twitterank, and how he’s not too concerned about people hacking into his Twitter account.
Twitterank is not to be scared of. What about FriendBinder or Twitter Karma or SocialToo and all those other sites that ask for the combo? The embarrassment is on Twitter, not the services.
This is the author: http://twitter.com/ryochiji
Not to be scared of.
Sites like that definitely do need users’ usernames/passwords for this type of thing; otherwise they are limited to 100 requests/hour for everyone who visits the site, which is totally unworkable. You can even bust this limit just listing the friends of one user, i.e. 100 requests * 100 friends = 10,000 friends, and people like Robert Scoble (http://twitter.com/scobleizer) have over 20,000 friends.
This started being the case when Twitter locked stuff down a lot more, details:
http://louisgray.com/live/2008/07/twitter-chokes-unauthenticated-api.html
They have been talking about OAuth for a long time now, and those changes they made in July have made it much more needed than before.
For a site built on the API it’s amazing they haven’t implemented this by now. Flickr and Facebook have had similar systems for years now.
The problem affects sites like us (http://friendbinder.com) because people sometimes don’t trust us to look after their password. If they’re smart they’ll realize they don’t need to just trust the site owner not to misuse the data, but also that they are doing when it comes to security.