Larry Seltzer yesterday wrote a blog in eWeek, "Harvesting Teenagers", that is very disturbing. He documents how Symantec reported on April 9th that a new social networking site, "Tagged", requires users to provide the authentication credentials for their web mail account.
Here's what Symantec says:
This weekend I got an email from a friend, arriving from her Hotmail address. It was actually an auto-generated invitation link to a social networking service called ‘Tagged’. Tagged is employing some very sketchy tactics in expanding their user base. While the whole idea behind Web 2.0 is the combination of existing Web services/technologies to make them more useful, when a user signs up for Tagged, they’re practically forced to put in their Webmail credentials. Tagged then logs into your Webmail account as you, accesses your address book, and prompts you to email your contacts using your Webmail address as the reply-to.
It’s difficult to recall all of the mass-mailing worms we’ve seen that have used similar strategies for propagation. Melissa and Lovebug would be good examples.
Fortunately, Tagged isn’t actually sending the emails as the user whose login credentials they’ve borrowed; the email is just coming from Tagged’s server, so it’s not difficult to blacklist. But Tagged’s signup process is sparse on the details about why they ask for the information they want, and what they’re going to do with it. Clearly they’ve snagged all the email addresses in your address book, which would be useful for sending future advertising-based spam, but they’ve also taken your Webmail login credentials and not really told you what they intend to do with them.
It’s interesting in that they’ve circumvented the need to mock-up your Webmail site, but still had the effect of a phishing attack. With the search capabilities of most modern Webmail services, and the amount of people doing online banking, it doesn’t take a lot of imagination to see where this kind of site could head. Though we’ve all heard it before, the best way to avoid these situations is to avoid giving your credentials to third-party sites. Just like you wouldn’t give your banking info to your mailman, you shouldn’t give your banker a copy of your mailbox key.
Larry, in his blog, then actually creates a dummy email account and logs on to Tagged. He reviews the Terms of Service, after which he writes: "Nothing in the TOS says that they will be harvesting addresses from your address book, nor what they are entitled to do with those addresses. Perhaps they consider these addresses as being provided for invitations to Tagged, but that's clearly not true."
Finally, Larry concludes: "I have seen the future of teenage exploitation, and it's on social networking sites. Even the "legit" ones like MySpace creep me out some, and I'm sure Tagged isn't the only one that scams and abuses its users. When users are willing to provide their e-mail login to a Web site, you know we have a long way to go to make the Internet safe."
I agree with him. The advent of Web 2.0 services, where the site is a mashup of various services, provides easy prey for criminals wanting to obtain teenagers' identities and their authentication credentials, and then use them for criminal purposes.