Website: http://andybeard.eu/
Original page: http://andybeard.eu/1472/opt-in-accelerator-warning-security-risk-read-this-first.html
Thanks for the great info.
Dave Sherwin
In the past week I have been using it I saw a crazy jump in traffic so that's good for me... But yeah the risks are certainly there - more so on the user's side than the person running the script
All the best
J
Running WP2.3.2?
You are currently sharing servers with 561 other websites, how many of them are yours, and are any of them running something that could compromise your system?
http://www.seoegghead.com/tools/what-is-hosted-...
I have examined live examples of Viral Inviter, rather than the code itself, but it would be easy to hack changes on any compromised site, it is just an iframe of an insecure php page that contains a form.
I don't think it is a matter of trust. If people enter their information, that means they trust my site enough to let me handle the work, perhaps there should be a privacy policy.
I may trust Facebook or MySpace, but what if the recipients don't? Isn't it the same problem with Optin Accelerator on my site?
Facebook has permission but not your site, that's the difference.
It is more a problem of terms of service too. If the mail account providers disallow it, and also Aweber, then I want to stay on the safe side.
I've always used Viral Friend Generator. Perhaps you can review that one in the future if you touch on this subject again.
Thanks for an interesting post.
But you should never trust a 3rd party site asking for those details enough to actually even think about entering them.
Thus anyone using one of these scripts hasn't really evaluated the risk vs reward, and their sites really are a security risk even if they have no bad intentions.
You will of course get sites offering a free Wii every day, who are only after farming passwords. How do you tell the difference?
Thanks for evaluating the risks and sharing that information.
Oh, by the way ACK!!! I remember David Airey's post on how his Gmail got hacked and as a result, he lost his domain name!!!
(My post on that is the link above.)
Also, can't you sue them too if someone sues you?
"But you should never trust a 3rd party site asking for those details enough to actually even think about entering them."
I don't really agree with that statement. Companies like Facebook and MySpace use it. Why should you trust them?
And I don't really think that someone has actually compromised the security of these scripts...
(a) Phish the email owner to a "new site"
(b) Capture new sign-ups and steal passwords
(c) Spam the snot out of all the juicy addresses inside
It is on point C that these sites become a spammer's wet dream. As such it's not the script kiddies you will need to look out for but the professional guys. The same guys that only need the hashed version of the password (if they store it) and some time alone with a password cracker - rainbow tables make the job of years into the work of seconds.
I get freaked out about people wanting my twitter login data.
Now what happens if the domain expires and some evil person takes it over?
OUCH!
Those APIs are there for our protection.
I think this approach of wondering if you can "trust" a particular person/site is also flawed. One should worry about the webmaster's tech-savvy first. For example, I might completely trust my hypothetical grandma who's running a knitting tips website, but I sure wouldn't want to let her maintain a database of credit card data.
I don't have one, I can't say I never thought about it in passing, but having read your post, I will need to start paying more attention to the scripts and softwares being offered.
Andrew
I know one of the guys behind the Optin Accelerator, and he points out that the Password is Encrypted (Hashed Out). So theoretically the servers can read it but humans can't.
I don't know enough about it to say one way or the other. But the other script you mentioned, the Viral Optin Generator, sounds interesting, and for the low price it may be worth checking out.
Thanks!
Steve Renner
Another thing I've always worried about was those automatic scanners. I'm sure everyone has run into one at one point or another. You're on a webpage minding your own business and a second later a popup says it's scanning your computer. And it really is because I can see MY files being scanned by each name. How do people get away with this crap?!?
Have you abandoned this blog or are you on vacation, or other?
How damaging is this to their reputation? Hope they made enough to pay for lawyers.
Thanks for the heads up!
However, I remain grateful that I took the time to read and become informed.
This information is very practical and good to know. Thanks for providing the information.
Thank you and I hope we could build a community of watchdogs against these sites.
Charles
Money Making and Blogging Tips
http://www.resourcesandmoney.blogspot.com
I was literally on this site yesterday then found your blog post today.
Thanks again for the warning.
You remember the issue with Gmail archiver? It also had similar issues like opt-in accelerator! I think people are there still using Gmail archiver! (pss... I got that free with a computer magazine)
Also sorts all those spam mails about paypal problems too.
The other problem with these invite scripts is that people (like me) see them as spam. OK they have my mates name on them but they're nothing less than a spammy sell sell sell message and make me disinclined to join a site that sends them.
It is an awful lot riding on one password :(
If they are secure, are they a good value?
Lord Matt - that's the first thing I thought of as a security concern "SQL Injection Attacks". Once someone has grabbed that huge database who knows what will happen next. In our virtual office and serviced offices we're very conscious of security with clients' personal information, it's about time others follow suit.
Thanks for the great post :)
Thanks for the post! I had no idea that entering your password into a form like this could make it possible for someone to unlock everything from your Gmail account to all your domain names.
It sounds like we should all be using security certificates on all our membership sites.
All the best!
Last year I installed a TAF form on one of my sites (coded by myself) and had to shut it down less than a week later due to member abuse. Now I'm using a "mailto" link which just triggers the user's e-mail client.
Not any more! Thanks!!!
Dr Andrew
Plus like the screen shots. I guess they are now more vital to be part of the posts
Cheers / Jessica
I just used this script or a similar one.
BUT I changed my Gmail password before and right after.
But the script was flawed and didn't show me all my 2000+ addresses, to uncheck the ones I didn't want to send to, so I ended up spamming a TON of people.
And got 700 bounce backs or Mail delivery failed, as the address book's a bit outdated, my Gmail address was blocked & the server was blacklisted...
Boy what a mess.
I am so glad I didn't use my domain to send emails from, that could have been a disaster.
This is a good insightful take on a very important issue.
While I am trying to understand the issues regarding the privacy in the internet space. Facebook and similar sites are using these details for their purpose so why not others if they show a terms of use agreement.
Thanks
Thank Andy for such a nice post. Although I am not a user and might have never used the program. But just to see that guys like you are watching our interest. They are doing our dirty work for us so to speak so that we won't get into any trouble.
Thanks for the great post!