Hello, Mr Website. Would you like my password?

Over the last few days I’ve been “tagged” a few times from “tagged.com”.

I hid the names to protect the guilty, though I’m not actually sure why I would want to do such a thing.

Anyway, a Google search revealed some people posting unbelievable things about it. One person even suggested that it required users to give it their email account’s password - and that they do it!

This had to be verified. I set up a Yahoo mail account, and signed up for Tagged. Turns out it didn’t ask you to give your email password. It requires you to give your email account’s password. It actually checks, as you’re doing this, that it is the right password.

Wow.

People really are idiots.

After this, you get to click through - I kid you not - 10, count ‘em, 10, offers, after which you get to do whatever, I guess.

Meanwhile, having gained access to your email account, it logs in and sends spam to everyone in your address book. Presumably it will then sell every address it finds to spammers.

The really shocking thing is, some of the people “tagging” me with this work in IT. They seem reasonably intelligent people, even. Yet they’re still giving the password for their primary (yes, their primary) email account to some site they just found on the internet, presumably because it spammed them!

Social engineering will never be solved. How can it be, if even so-called-professionals will surrender their passwords that easily?

20 Responses to “Hello, Mr Website. Would you like my password?”

  1. zewrestler Says:

    That’s amazing. And I thought people were idiots for giving up their credentials for a slice of pizza.

  2. anonymous Says:

    How do you know they’re giving passwords to their PRIMARY e-mail account? After all, in your test, you set up a bogus Yahoo email account to test the process.

    Wouldn’t “reasonably intelligent” people do the same?

  3. jivlain Says:

    Because I know what their primary email account is, and then went and asked them about it ;)

  4. Jem Says:

    Ooh, so that’s what those bloody irritating things are. I’ve been getting several from tagged, and other sites similar in nature, and figured that the users had simply entered my email address in one of those “recommend a friend” boxes.

    I can’t believe anyone would freely give up their email password. Might as well hand out your credit card details and pins to anyone who asks nicely.

  5. Anonymous Says:

    It doesn’t end there. Putting in my real email and incorrect password, you CAN skip - it then reveals who has already got that person in their address book. So without logging in, you can see who someone’s friends are with just their email address.

    I’m not so sure your password is safe, because your address book ain’t. Not even a little bit.

    Tagged - Security? We’ve heard of it.

  6. Anonymous Says:

    It doesn’t end there. Putting in my real email and incorrect password, you CAN skip - it then reveals who has already got that person in their address book. So without logging in, you can see who someone’s friends are with just their email address.

    I’m not so sure your password is safe, because your address book ain’t. Not even a little bit.

    Tagged - Security? We’ve heard of it.

  7. Daniel Molina Says:

    Not strange; there are many sites using these kinds of resources to obtain emails to spam.

    These sites are not “social networks” like others and do not offer a minimal chance to interact with your friends.

    Other sites offer you services such as “looking up who has blocked your Me$$enger, Yahoo IM, and other accounts”, and yet, even though users know that these sites are using their accounts as an “email database source”, they are still creating accounts on these sites.

    Really, there are idiot users…

    On my local machine I have “tagged” these sites emails as “spam” thanks to SpamAssassin and BogoFilter.

    xD

  8. Pascal Says:

    Someone I worked with told me that he used to work for a company that called people asking them for their credit card information… so they could check if someone else had stolen it… and he said people would give them all the info!! Guess we were all instructed to follow authority and that everyone is there to help us while growing up, so that somehow people forgot to think for themselves (if you’re wondering, that’s why fraud usually has a really high punishment, since you are undermining the trust of the people/system). And that reminds me of the website hi5.com: it asked for your email password, it’s a facebook/myspace type thing.

  9. Tony Says:

    Facebook itself asks for your email/password, to import your contacts. So does LinkedIn, so do many other major websites. And while one might trust Facebook to not mess around with your contacts (too much), on the verge of IPO… in a way all of those big websites are conditioning typical users that it’s ok to hand out access to their mail account.

    This is where smaller websites with shady practices come in.

  10. Ian Says:

    I _almost_ fell for this type of thing, and it might have even been on Tagged. What happened, in my case, was that I joined, using my email address as my user name (as they requested), and selecting a password for my account. The next page appeared at first glance to be a login screen. The user name field was already filled in with my email/user name, and the password field was empty. I tried to log in, but failed. I then realized that it wasn’t a login screen, it was an email harvesting screen. I closed the site and never went there.

    MANY people use the same password for multiple accounts (also a bad idea). If I had used the same password for Tagged as I do for my email account, it would have spam bombed everyone just because I wasn’t paying attention, not because I’d consciously give my email password out to some random site.

  11. Pascal Says:

    And I wouldn’t trust those either… some disgruntled employee decides to bring a USB stick to the job ;) Or some hacker etc

  12. Bob Says:

    This is fairly common though, isn’t it? I’ve tried to sign up with a few central contact type sites and stopped when I’ve realized what they’re doing. It makes sense really (from their point of view) - they want to import your addresses to link you with all the other contacts they have, and they also want more business. I think the ones I’ve tried want access to your address book (online ones like hotmail etc, which means they need your password, and your offline outlook one). Don’t LinkedIn or some other similar contact site do basically the same thing?

  13. Chaos Motor Says:

    I fail to see how this is any different from providing Blogger with your gmail account password when you use a Google identity to comment on Blogger posts. In fact, when you do that with Blogger, it logs you in and /leaves you logged in/ so if you post a comment from a public terminal and walk away, the next person to visit gmail has full access to your account, which I consider a bigger security risk than the issue at hand here.

  14. CousinFucker Says:

    Ever heard of IMAP and LDAP, setting up your own mail server for $5 / month?

    Avoids the headache of having all your personal information online in some mega corporations database.

  15. Chris Says:

    The password being requested by tagged.com at account creation time is NOT your e-mail password, but just any password you’d like to define to be used the next time you log into your tagged. com account. The requested tagged.com password can be any combination of characters you want.

  16. Bob Says:

    CousinFucker : LDAP and IMAP on your own mail server doesn’t equal security. Nearly everyone working at those hosting companies has full access to all your data. I trust the kids working as their tech support about as far as I can throw them. I trust the data protection and privacy policies those companies have a little more but not much more. I trust their process to make sure people are complying with them even less. Use GMail if you want your email secure, Google has well developed controls over who has access to your GMail, your average hosting company much less so.

  17. Dando la chapa - » Your contacts’ contacts are my contacts Says:

    [...] Taken from Hello, Mr Website. Would you like my password? [...]

  18. DaveW Says:

    LinkedIn did this the right way, as far as I was concerned:
    1. I exported an address file from my email program in LDIF format (which is ASCII, hence editable if I wanted to filter the data).
    2. I uploaded the address file to LinkedIn.
    3. LinkedIn looked up the email addresses in their network and *asked me* which users I wanted to invite into my network.

    This process is a bit more hassle than just giving away your email password, but it’s a lot more secure, and less likely to annoy people with pseudo-spam.
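The export-and-filter step DaveW describes, as an added example (not code from the original post or from LinkedIn): a small LDIF parser that reads the address-book file locally so the user can drop addresses, here by domain, before anything is uploaded. SAMPLE_LDIF is constructed sample data.

```python
# Added example (not from the original post or from LinkedIn's own code):
# parse an LDIF address-book export locally and choose which addresses to
# upload, mirroring the flow described above. SAMPLE_LDIF is constructed data.
import base64

SAMPLE_LDIF = """\
dn: cn=Alice Example,mail=alice@example.org
cn: Alice Example
mail: alice@example.org

dn: cn=Bob Builder,mail=bob@corp.example
cn: Bob Builder
mail: bob@corp.example
description: a long note that is folded
  across two lines

dn: cn=Carol,mail=carol@example.net
cn:: Q2Fyb2w=
mail: carol@example.net
"""


def parse_ldif(text):
    """Return entries as dicts of attribute -> list of values (unfolds lines, decodes '::')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line separates entries
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def addresses_to_share(text, exclude_domains=()):
    """Mail addresses from the export, minus domains the user keeps private."""
    blocked = {d.lower() for d in exclude_domains}
    return [m for e in parse_ldif(text) for m in e.get("mail", [])
            if m.rsplit("@", 1)[-1].lower() not in blocked]
```

Only the returned list would be sent to the site; the email password never leaves the user's machine.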

  19. Here Are My Passwords! at Encoded | Gregory Tomlinson Says:

    [...] Okay, I want to be social. I want to play with the latest, coolest sites. But why on earth do all these Web2.0 developers have no clue about security and the fundamental rule, don’t share your password with anyone. There is an awesome post on this subject pertaining to Yelp here. And an even older post here.  [...]

  20. Головомозгий дешифратор Says:

    Quite an interesting and informative topic
