Hello, Mr Website. Would you like my password?

Over the last few days I’ve been “tagged” a few times from “tagged.com”.

I hid the names to protect the guilty, though I’m not actually sure why I would want to do such a thing.

Anyway, a Google search revealed some people posting unbelievable things about it. One person even suggested that it required users to give it their email account’s password – and that they do it!

This had to be verified. I set up a Yahoo mail account, and signed up for Tagged. Turns out it didn’t ask you to give your email password. It requires you to give your email account’s password. It actually checks, as you’re doing this, that it is the right password.

Wow.

People really are idiots.

After this, you get to click through – I kid you not – 10, count ‘em, 10, offers, after which you get to do whatever, I guess.

Meanwhile, having gained access to your email account, it logs in and sends emails to spam everyone in your address book. Presumably it will then sell every address it finds to spammers.

The really shocking thing is, some of the people “tagging” me with this work in IT. They seem reasonably intelligent people, even. Yet they’re still giving the password for their primary (yes, their primary) email account to some site they just found on the internet, presumably because it spammed them!

Social engineering will never be solved. How can it be, if even so-called professionals will surrender their passwords that easily?

57 Responses to “Hello, Mr Website. Would you like my password?”

  1. zewrestler Says:

    that’s amazing. and i thought people were idiots for giving up their credentials for a slice of pizza.

  2. anonymous Says:

    How do you know they’re giving passwords to their PRIMARY e-mail account? After all, in your test, you set up a bogus Yahoo email account to test the process.

    Wouldn’t “reasonably intelligent” people do the same?

  3. jivlain Says:

    Because I know what their primary email account is, and then went and asked them about it ;)

  4. Jem Says:

    Ooh, so that’s what those bloody irritating things are. I’ve been getting several from tagged, and other sites similar in nature, and figured that the users had simply entered my email address in one of those “recommend a friend” boxes.

    I can’t believe anyone would freely give up their email password. Might as well hand out your credit card details and pins to anyone who asks nicely.

  5. Anonymous Says:

    It doesn’t end there. Putting in my real email and incorrect password, you CAN skip – it then reveals who has already got that person in their address book. So without logging in, you can see who someone’s friends are with just their email address.

    I’m not so sure your password is safe, because your address book ain’t. Not even a little bit.

    Tagged – Security? We’ve heard of it.

  7. Daniel Molina Says:

    Not strange, there are many sites using this kind of resource to obtain emails to spam them.

    These sites are not “social networks” like others and do not offer a minimal chance to interact with your friends.

    Other sites offer you some services such as “looking up who has blocked your Me$$enger, Yahoo IM, and other accounts”, and yet, though users know that these sites are using their accounts as an “email database source”, they are creating accounts on these sites.

    Really, there are idiot users…

    On my local machine I have “tagged” these sites emails as “spam” thanks to SpamAssassin and BogoFilter.

    xD

  8. Pascal Says:

    Someone I worked with told me that he used to work for a company that called people asking them for their credit card information… so they could check if someone else stole it… and he said people would give them all the info!! Guess we were all instructed to follow authority and that everyone is there to help us while growing up, that somehow people forgot to think for themselves (if you’re wondering, that’s why fraud usually has really high punishment, since you are undermining the trust of the people/system). And that reminds me of the website hi5.com; it asked for your email password. It’s a Facebook/MySpace type thing.

  9. Tony Says:

    Facebook itself asks for your email/password, to import your contacts. So does LinkedIn, so do many other major websites. And while one might trust Facebook to not mess around with your contacts (too much), on the verge of IPO… in a way all of those big websites are conditioning typical users that it’s ok to hand out access to their mail account.

    This is where smaller websites with shady practices come in.

  10. Ian Says:

    I _almost_ fell for this type of thing, and it might have even been on Tagged. What happened, in my case, was that I joined, using my email address as my user name (as they requested), and selecting a password for my account. The next page appeared at first glance to be a login screen. The user name field was already filled in with my email/user name, and the password field was empty. I tried to log in, but failed. I then realized that it wasn’t a login screen, it was an email harvesting screen. I closed the site and never went there.

    MANY people use the same password for multiple accounts (also a bad idea). If I had used the same password for Tagged as I do for my email account, it would have spam bombed everyone just because I wasn’t paying attention, not because I’d consciously give my email password out to some random site.

  11. Pascal Says:

    And I wouldn’t trust those either… some disgruntled employee decides to bring a USB stick to the job ;) Or some hacker etc

  12. Bob Says:

    This is fairly common though isn’t it? I’ve tried to sign up with a few central contact type sites and stopped when I’ve realized what they’re doing. It makes sense really (from their point of view) – they want to import your addresses to social networking/cloud link with all other contacts they have you and they also want more business. I think the ones I’ve tried want access to your address book (online ones like hotmail etc, which means they need your password and your offline outlook one). Don’t LinkedIn or some other similar contact site do basically the same thing?

  13. Chaos Motor Says:

    I fail to see how this is any different from providing Blogger with your gmail account password when you use a Google identity to comment on Blogger posts. In fact, when you do that with Blogger, it logs you in and /leaves you logged in/ so if you post a comment from a public terminal and walk away, the next person to visit gmail has full access to your account, which I consider a bigger security risk than the issue at hand here.

  14. CousinFucker Says:

    Ever heard of IMAP and LDAP setting up your own mail server for $5 / month?

    Avoids the headache of having all your personal information online in some mega corporations database.

  15. Chris Says:

    The password being requested by tagged.com at account creation time is NOT your e-mail password, but just any password you’d like to define to be used the next time you log into your tagged.com account. The requested tagged.com password can be any combination of characters you want.

  16. Bob Says:

    CousinFucker : LDAP and IMAP on your own mail server doesn’t equal security. Nearly everyone working at those hosting companies has full access to all your data. I trust the kids working as their tech support about as far as I can throw them. I trust the data protection and privacy policies those companies have a little more but not much more. I trust their process to make sure people are complying with them even less. Use GMail if you want your email secure, Google has well developed controls over who has access to your GMail, your average hosting company much less so.

  17. Dando la chapa - » Los contactos de tus contactos son mis contactos Says:

    [...] Taken from Hello, Mr Website. Would you like my password? [...]

  18. DaveW Says:

    LinkedIn did this the right way, as far as I was concerned:
    1. I exported an address file from my email program in LDIF format (which is ASCII, hence editable if I wanted to filter the data).
    2. I uploaded the address file to LinkedIn
    3. LinkedIn looked up the email addresses in their network and *asked me* which users I wanted to invite into my network.

    This process is a bit more hassle than just giving away your email password, but it’s a lot more secure, and less likely to annoy people with pseudo-spam.
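
The export-and-filter step described in the comment above, as an added example that is not part of the original post or of any comment: a small LDIF reader that lets you review and trim an address-book export before uploading it anywhere. The sample entries, the `private.example` domain and the function names are constructed for illustration.

```python
import base64

# Constructed sample address-book export in LDIF (not real contacts).
SAMPLE_LDIF = """\
dn: cn=Alice Example,mail=alice@example.org
cn: Alice Example
mail: alice@example.org

dn: cn=Bob Private,mail=bob@private.example
cn: Bob Private
mail: bob@private.example

dn: cn=Carol Long
cn:: Q2Fyb2wgTG9uZw==
mail: carol.with.a.very.long.address@
 example.net
"""


def parse_ldif(text):
    """Return entries as dicts mapping attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def contacts_to_share(text, blocked_domains=()):
    """Addresses left after dropping the domains you refuse to upload."""
    shared = []
    for entry in parse_ldif(text):
        for mail in entry.get("mail", []):
            if mail.rsplit("@", 1)[-1].lower() not in blocked_domains:
                shared.append(mail)
    return shared
```

Calling `contacts_to_share(SAMPLE_LDIF, {"private.example"})` returns only the addresses you chose to disclose, and no mailbox password is involved at any point.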

  19. Here Are My Passwords! at Encoded | Gregory Tomlinson Says:

    [...] Okay, I want to be social. I want to play with the latest, coolest sites. But why on earth do all these Web2.0 developers have no clue about security and the fundamental rule, don’t share your password with anyone. There is an awesome post on this subject pertaining to Yelp here. And an even older post here.  [...]

  21. darren andrew todd Says:

    need new password

  22. ambrose Says:

    what u want to use it for

  23. ambrose Says:

    is there any one here that want to trade?
