Twitter Viral Hell With Launch Tree: The security risks for your customers running viral tell-a-friend scripts a.. http://tinyurl.com/d4frhj
John Sullivan
· 7 months ago
It's amazing how easy it is to get people's info Great work Andy I wouldn't loose any sleep over loosing my twitter acct but sadly my password for that and gmail,bank acct etc is the same. This post raises awareness BIG time great to see you back in action Excellent Stumbled and sent around the World :) Thanks
Informative article. Thanks for the video links and the heads up about the $1 deal for the StomperNet video.
The Agra Indian
· 7 months ago
This is not at all secure from the user point of view, giving out user id and password over the internet and that too to some other web site is very risky.
Sports Betting Guide
· 7 months ago
Great article. I need to start using social networking sites. This has given me a good heads up about some aspects of twitter.
Ed (Ed Shahzade)
· 7 months ago
I was thrilled enough that one of the great tech-savvy business bloggers @AndyBeard is hot keyboard again: http://is.gd/xyBb [cont'd]>>
rohin
· 7 months ago
twitter is going to end up being a place for spammers to annoy people
Jeet
· 7 months ago
OAuth was long pending from twitter and I see many twitter clients are trying to move to the public beta they had launched recently. About Viral Inviter, don't you think they would just use the password once and discard it right away? BTW, Google also has a contact API that uses OAuth as well as 2 other third party auth methods.
AndyBeard
· 7 months ago
Hackers often gain access to poorly managed servers - not just one hosting account, but the whole systems, often 100s of accounts. On a well managed system, your hosting accounts are vulnerable, thus just because you have something like WordPress installed on a completely different different domain might not matter at all, they could still access scripts somewhere else.
If I was that way inclined, even if you were running the latest version of WordPress, I am sure there are still a few undiscovered vulnerabilities, or things that are not yet made public. Just hire some Russian security experts.
It doesn't matter the intention of the inviter script, or that it was designed not to store data - just 2 lines of code added is enough to grab the account details of anyone who uses it. I tinker with code, but I could do that part easily. Users become numb to certain actions due to repetition - already we see people very careless about Twitter passwords, and the same is true for inviter scripts Both Comcast and MPAA/RIAA have been hacked in the last year - are their server admins incompetent? Ultimately there is only so much you can do, the safest method is not to ask for personal data on your own site Risk aversion in business is important - both from a legal and reputation management standpoint
If you do ANY business online and use Twitter, bookmark this crucial post by @AndyBeard. Now. http://is.gd/xyBb
Brian Baulch
· 7 months ago
Great information Andy very helpful to know these security issues taking place and social net workers be aware of all this information you share, also thanks for the free tool you kindly shared to us all, as well but not least Stomping The Search Engines 2 bargain deal
This is ridiculous - I didn't know all this stuff was going on. You'd hope that the average user would be wary of a web form that asks you to supply your username and password on an account for which the website is not the official source, but apparently there are quite a few people who are okay with giving out this information to just anyone who promises to keep it safe. There is no gauge for truth on the internet; people are always going to believe what they want to believe.
-Jay
Chuggin McCoffee
· 7 months ago
I missed TwitterGetter, but I know that the only effective retweeting actually comes from organic traffic and followers not some other kind of spamming motivation.
Matthew the sports guru
· 7 months ago
The video links are excellent but what I'm not very sure is about the giving of password online. I think the users identity is not secure at all because it would be published on the internet. Great post. Thanks for sharing.
Paul Hancox (.com)
· 7 months ago
I agree with this post. I would not give out my passwords to any third-party scripts unless I were absolutely sure they were (a) on my site, and (b) secure.
I would think that with a Twitter viral, if someone wants to try it the simplest solution would be to change their password first, make use of the viral system, and then change their password back.
Twitter & Tell-A-Friend Viral Hell: I don't endorse Google, Linkedin, Facebook et al scraping email acco.. http://tinyurl.com/d4frhj
Luana @ N0t.info
· 7 months ago
I'm glad I didn't start using Twitter that way :( It doesn't seem like I'd have turned out with so good profits... Thanks for sharing this very useful article.
- Luana
mfornas (mfornas)
· 7 months ago
Security risks in Launch Tree et al: http://is.gd/xyBb Very worth the time to read it in full.
Single Maria
· 7 months ago
I began using Twitter some times ago, but each day I get annoyed more and more. There are many disadvantages. and spams. I am tired of it. Hope people who dont recognize it yet, soon will do it. The end of Twitter is inevitable!
John
· 7 months ago
Excellent post Andy - I couldn't agree more.
It amazes me how many people don't even think twice about entering their login info for Gmail, Twitter or whatever into these scripts. Especially since some of them come from people who aren't very well known, if at all.
In some ways, it's part of the same problem that causes a lot of viruses and malware to spread so quickly. People don't pay attention to what they're doing, they just click where they're told to click.
Using a computer or the internet should be like driving - you have to pass a test before you get your license :-)
This is ridiculous - I didn't know all this stuff was going on. You'd hope that the average user would be wary of a web form that asks you to supply your username and password on an account for which the website is not the official source.
Terri
· 7 months ago
Wow what great information, thanks for posting, of course some of the warnings came to late because I have fallen prey to some of the things you mentioned, bet lot of us did.
Hope this isn't off topic but I like entrecard but I have to practice safe dropping on blogs I know are safe because I had to pay over $200 to have dell support clean up viruses etc picked up from blogs who have the entrecard widget and viciously infect your site. Some things look and sound harmless especially to non-tech type.
Thank you for an excellent post - sharing a very ethical perspective on launches. You are really adding to the thought of what is going on in IM. Thank you! Kenny
Paul Hancox (.com)
· 7 months ago
Andy, after giving this further thought I realize there's another danger of these scripts asking for the password...
I have no doubt the scripts themselves are legitimate, but what's to stop a hacker or scammer from simply creating a page with WHAT APPEARS TO BE the same script, but which really just serves to provide the scammer with your Twitter password?
How is a user supposed to tell the difference between a legitimate use of a script, and one used for the purpose of scamming? The answer is: you can't, unless you ABSOLUTELY trust the site owner.
That's why I won't be using any script that asks me for my Twitter or Gmail password - and I would encourage everybody to use them with extreme *caution*. After all, if a person's account gets hacked, and they've given out their password to a site other than the official one (i.e. Twitter.com or Gmail.com), isn't there the *possibility* that THAT PERSON may be responsible for their account being hacked, because they gave it to some site that claimed to be using a trusted script?
Paul Hancox
P.S: Andy, I will be launching a Twitter viral marketing tool shortly which will *not* require anybody's password - I'd love for you to test and review it... just drop me an email if you're up for that. Hopefully it will give you some points for comparison :)
All Comments
Great work Andy
I wouldn't loose any sleep over loosing my twitter acct but sadly my password for that and gmail,bank acct etc is the same.
This post raises awareness BIG time
great to see you back in action
Excellent
Stumbled and sent around the World :)
Thanks
On a well managed system, your hosting accounts are vulnerable, thus just because you have something like WordPress installed on a completely different different domain might not matter at all, they could still access scripts somewhere else.
If I was that way inclined, even if you were running the latest version of WordPress, I am sure there are still a few undiscovered vulnerabilities, or things that are not yet made public. Just hire some Russian security experts.
It doesn't matter the intention of the inviter script, or that it was designed not to store data - just 2 lines of code added is enough to grab the account details of anyone who uses it. I tinker with code, but I could do that part easily.
Users become numb to certain actions due to repetition - already we see people very careless about Twitter passwords, and the same is true for inviter scripts
Both Comcast and MPAA/RIAA have been hacked in the last year - are their server admins incompetent? Ultimately there is only so much you can do, the safest method is not to ask for personal data on your own site
Risk aversion in business is important - both from a legal and reputation management standpoint
-Jay
- Luana
It amazes me how many people don't even think twice about entering their login info for Gmail, Twitter or whatever into these scripts. Especially since some of them come from people who aren't very well known, if at all.
In some ways, it's part of the same problem that causes a lot of viruses and malware to spread so quickly. People don't pay attention to what they're doing, they just click where they're told to click.
Using a computer or the internet should be like driving - you have to pass a test before you get your license :-)
Hope this isn't off topic but I like entrecard but I have to practice safe dropping on blogs I know are safe because I had to pay over $200 to have dell support clean up viruses etc picked up from blogs who have the entrecard widget and viciously infect your site. Some things look and sound harmless especially to non-tech type.
Kenny
I have no doubt the scripts themselves are legitimate, but what's to stop a hacker or scammer from simply creating a page with WHAT APPEARS TO BE the same script, but which really just serves to provide the scammer with your Twitter password?
How is a user supposed to tell the difference between a legitimate use of a script, and one used for the purpose of scamming? The answer is: you can't, unless you ABSOLUTELY trust the site owner.
That's why I won't be using any script that asks me for my Twitter or Gmail password - and I would encourage everybody to use them with extreme *caution*. After all, if a person's account gets hacked, and they've given out their password to a site other than the official one (i.e. Twitter.com or Gmail.com), isn't there the *possibility* that THAT PERSON may be responsible for their account being hacked, because they gave it to some site that claimed to be using a trusted script?
Paul Hancox
P.S: Andy, I will be launching a Twitter viral marketing tool shortly which will *not* require anybody's password - I'd love for you to test and review it... just drop me an email if you're up for that. Hopefully it will give you some points for comparison :)