We Are Not Safe Trusting Startups but Do We Have Other Options?

Svetlana Gladkova,

on November 13, 2008,

Are we immune to phishing scams? Yesterday we had a peculiar situation around Twitterank, a new Twitter tool that requires you to enter your Twitter login and password and calculates some number that probably means something but it is hard to figure out exactly what it means. It is well known that social media crowd tends to enjoy all types of rankings, ratings, and top lists so there was no surprise in watching how eager people were to check their performance on Twitter with the new application.

But then Oliver Marks on ZDNet suggested that Twitterank could probably be nothing but a huge scam intended to steal passwords from as many Twitter users as possible and teach Twitter team they need to enhance security to avoid scams with login credentials in the future.

This story obviously makes one thing clear about safety and security level that we enjoy when checking the countless new startups that we try out daily. There are various services that work like addons to some larger services and require us to grant them access to our other accounts. The most popular operations are related to importing contacts from social networks like Facebook, LinkedIn, and Twitter.

In this respect SocialMinder came to my mind as another example of pretty dubious activity of a startup that we grant access to our Gmail accounts (and I know that there are people who use Gmail to manage our financial accounts like PayPal or Moneybookers). In fact, SocialMinder sounds like quite an interesting tool intended to manage your email and social networking contacts better. But the guys obviously have problems with attracting new users in some legitimate ways as they chose to spam people from our contact lists to get them join the service seemingly recommended by friends. I have not signed up myself since I quickly realized it was some sort of a scam and decided to do a quick search on it before doing anything myself but from what I’ve read on blogs of its victims the application offers all new users to send invitations to 15 of their contacts to be able to try out the fully functional version of the application. And this was exactly what many people did - reportedly spamming all the contacts from the address book as well.

There was another very similar example - Yaari - that also sent invitations to all the contacts after users eagerly granted it access to their web mail accounts. This one was a simple social network looking for some viral growth with the help of its users - without telling them they were spamming all their friends as well. And of course the only thing it actually received was users’ revolt.

I have just realized that over the last two years of writing about web applications here on Profy I have provided my login credentials to Twitter, Gmail, Yahoo Mail, LinkedIn, Facebook, etc. to tons of applications that I only heard of for the first time in my life 5 minutes before granting this information.

As it often happens, someone in the blogosphere discovers an application (usually after getting a pitch from a developer) and recommends it to everyone because it is cool/interesting/unique/unusual. And everyone else rushes to check the application out - eagerly granting our emails, logins, passwords (that many of us often use on multiple websites) when asked without even thinking twice.

But have you ever thought about it from this point of view: how often do we see new applications launched by people we have known for some time at least and grown to trust? My suspicion is that you will agree that most often we see web startups launched by total strangers - yet we are very willing to share our information with them without at least trying to understand how trustworthy these people and their products are.

But the problem is that in the majority of cases we actually have no other options but do what the application developer asks us to do - or not use the service at all. At the same time the application developer usually offers us the only thing he can do based on the limitations of the services he needs to communicate with - and he would be happy to offer us some safer way to do that if only he could. I myself tend to believe that people in general are good but I also agree with Allen Stern that we should try to be reasonable dealing with such requests to provide sensitive information. But unfortunately for now I don’t see any safety measures that a startup could offer to prove they can be trusted yet I hope that there will be something invented in the near future after a few more discussions like this one.

Image credit

LinkedIn Plans Restrictions For Developer API

CloudContacts Will Finally Help You Use Your Business Contacts Efficiently

Gmail for Mobile Significantly Improved with Offline Support

Facebook Gets an Office Suite

19 Comments (Subscribe to rss)

Jason Kaneshiro - November 13, 2008 at 06:11 am PDT

The most obvious option is to just not sign up for a service right away. Wait a few weeks, months, or heck, even years. If the service was not worthy of your time, it will have died by then. Early adopter behavior isn’t always the smartest, and there’s a reason it’s not the norm.
Anton - November 13, 2008 at 06:11 am PDT

My decision is to provide primary e-mail (or any other important account) login/password only in the case that the site is old enough (few years would be enough), have fine reputation and using it is really necessary for me. If not, just don’t use this service.
Josh Chandler - November 13, 2008 at 06:11 am PDT

Early adopters do help a little to set the wheels into motion, the early adopters understand the importance of a product being successful and help to create a community buzz around a newly launched site!
Carsten Pötter - November 13, 2008 at 09:41 am PDT

Actually there is a rather secure way for websites asking for information from other sites, e.g. importing my Gmail contacts to another application. It’s a rather new protocol called OAuth (www.oauth.net). The user is in complete control, allowing a third party access to data without giving away his password.
Svetlana Gladkova - November 13, 2008 at 10:14 am PDT

Yes, I think the major reason for the talks about Twitterank trying to steal account was the fact that some developers seemed to be way too eager trying to persuade Twitter there’s a need in adopting the OAuth technology - and of course here I am not talking about the startups that have it in place.
Josh Chandler - November 13, 2008 at 01:02 pm PDT

Overall, this seems to be a little bit of internet paranoia. But it does make you think, just make sure you read that privacy policy to check what companies are doing with those logins. Twitterank leave a “reassuring” message about their use for your logins:

“I’m not out to steal ur twitterz. Frankly, I wish I didn’t have to ask for your account info, but Twitter doesn’t offer APIs using any other authentication mechanism (according to the docs). So blame them. Read more about what I’ll do with your account info/data in the FAQ.

I will not store your password. I will only use it once to calculate your Twitterank.”

What do you reckon?
Svetlana Gladkova - November 13, 2008 at 09:11 pm PDT

Jason, very true and I have to agree with you sometimes. And I guess this is exactly why the early adopters often serve as testers to make sure those who arrive later will not be affected by potential threats.
Svetlana Gladkova - November 13, 2008 at 09:11 pm PDT

Anton, it’s definitely a very reasonable approach but unfortunately I can hardly remember when I last visited a website that is a few years old (excluding Google and several online presences of some newspapers). So I myself still rely on recommendations from other users looking to make my decision on this or that particular site - or on building some trustful relations with the team behind a very new site in some cases.
Svetlana Gladkova - November 14, 2008 at 05:16 am PDT

Josh, absolutely true, being reasonable is the best thing a person can do to protect him/herself from potential scammers so reading FAQ must be a must for us while startups that need to offer things that can be viewed insecure by users should really bother to provide enough answers to the questions that may arise.
prescripti - May 22, 2009 at 02:48 pm PDT

amoxicillin during pregnancy
Diet Capsules - September 13, 2009 at 05:10 am PDT

its cool site, its cool work!!!
Kfc Online Menu - September 14, 2009 at 02:07 am PDT

good site, good work!!!
streetwear - September 15, 2009 at 01:08 pm PDT

Fantastic work!
Ativan - September 18, 2009 at 11:15 pm PDT

defenselink other stay coal mismatch surpassed canceling displaying texttext producer tool izksizkbzvj trusts vibrations
Valium no rx - September 27, 2009 at 10:32 am PDT

proximity shayana efficacy kodali bunch strangely tyranny financed mutation landmark ridiculed linhalavais
young erotic - September 28, 2009 at 04:32 pm PDT

I think its very nice!!!
Ativan no prescriptions - October 05, 2009 at 04:54 am PDT

restaurants sound doubly guidance teaches inflation rejected buzzmetrics reminiscent exporting cysearch forming
Valium Buy er - October 06, 2009 at 05:44 am PDT

publishers seventeen capita corpus baxer sufficiently andreessen assist gushrowski coffeehouses factnearly receive
halloween san francisco - October 16, 2009 at 10:36 am PDT

Hello its a very nice site!

Leave a comment (We support avatars from Gravatar, MyBlogLog, and FriendFeed)