I got an invitation to yet another online service that I hadn't heard of today: Spock. Their about page says:
Spock is the online leader in personal search, helping users find and discover people. With over one hundred million people already indexed and millions added every day, Spock is building the broadest and deepest people specific search engine.
Putting aside the amusing claim of a beta service that most people have never heard of being "the online leader", their sign-up flow is kind of spooky. I just attempted to go through it and gave up at step #2.
In step #1 I was asked to enter my first and last name, gender, and click a couple of checkboxes (yes, I'm over 13 and, yes, I've read your terms of service (actually I haven't... who ever does?)). Easy enough.
Then came step #2 which looks exactly like this:
That's right. They want me to provide my username and password for the on-line services that may contain some of my most sensitive information, including: Gmail, Plaxo, Yahoo, Hotmail, and AOL.
I can't think of a very polite way to say "no fucking way", so I won't even try. There wasn't a button for that.
You see, while they make several promises on that page, there's no way to verify them and no notion of what my recourse would be if they're broken. That's a pretty high price to pay to test out a service that I may never need.
I guess I should see this as a request for address book access in the Yahoo! Mail API. But all those services would probably need address book and/or contacts APIs before Spock would stop trying to convince users to give away their passwords (likely in violation of the TOS for each one).
Posted by jzawodn at August 12, 2007 06:43 PM
I got it too. I clicked skip this step, and created my account. Nothing to see there yet. *shrug*
All the facebook kidz are growing up to be the biggest phishing targets ever, with facebook educating them that it is now somehow ok to give away your login and password.
I can't remember the name of the site, but I know I've seen something like this somewhere else recently. I took the same action you did. :)
P.S. Hope to see you at SES San Jose! My contact info is on my blog.
I agree with Gregor J. Rothfuss. On Facebook you can check to see which of your friends are already on facebook by letting facebook log in to your web mail and cross-check your contact list against their database of registered emails.
Some people obviously won't want to give away their contact list but a lot of others like the convenience and since OpenID and such services haven't caught on in the general public yet it would be nice to have an API available that Facebook et al. could use to farm the contact list (only!) without giving your real login password.
I saved a bookmark back on April 13th, but felt the same as you, guess it wasn't just the day of the month...
The credential collection page on Spock is not even SSL'd, making a bad situation even worse.
These are the types of problems BBAuth, WebAuth, etc. are supposed to help you solve. You'd like to have an interaction token for a web service, the user grants you permission for certain privileges, and you do your thing. It's a security issue for every e-mail service on the list, but as far as I know none of the big sites are enforcing or cutting off access.
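The token-based flow this comment describes (and the address-book API the post wishes for) is easy to mistake for a detail of one vendor, so here is an added toy model of it in Python. This is not part of the original post or comments and not Spock's, Yahoo's or Google's code: a constructed mail provider issues user-approved, scoped, expiring, revocable tokens, and the same third-party "find your friends" feature is run once with the user's password and once with a contacts-only token. All user names, scopes, passwords and contacts are made up.

```python
"""Delegated, scoped access (the BBAuth/AuthSub idea) versus handing over a password.
Constructed illustration; the provider, scopes and data are invented for this example."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Grant:
    """One delegated permission: whose it is, what it allows, when it expires."""
    user: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class MailProvider:
    """Stands in for the e-mail service that holds the user's address book (constructed)."""

    def __init__(self) -> None:
        self._passwords: Dict[str, str] = {}   # plaintext only because this is a toy
        self._contacts: Dict[str, List[str]] = {}
        self._grants: Dict[str, Grant] = {}    # opaque token -> Grant

    def register(self, user: str, password: str, contacts: List[str]) -> None:
        self._passwords[user] = password
        self._contacts[user] = list(contacts)

    # The anti-pattern: whoever holds the password gets a session good for everything.
    def login(self, user: str, password: str) -> str:
        if not hmac.compare_digest(self._passwords.get(user, ""), password):
            raise PermissionError("bad credentials")
        return self.issue_token(user, {"contacts:read", "mail:send", "account:change_password"}, ttl=3600)

    # The delegated flow: the user approves a specific scope on the provider's own site and
    # the third party receives only this opaque, scoped, expiring, revocable token.
    def issue_token(self, user: str, scopes: Set[str], ttl: int) -> str:
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(user, frozenset(scopes), time.time() + ttl)
        return token

    def _check(self, token: str, scope: str) -> str:
        grant = self._grants.get(token)
        if grant is None or grant.revoked or time.time() > grant.expires_at:
            raise PermissionError("token invalid, revoked or expired")
        if scope not in grant.scopes:
            raise PermissionError(f"token lacks scope {scope}")
        return grant.user

    def read_contacts(self, token: str) -> List[str]:
        return list(self._contacts[self._check(token, "contacts:read")])

    def send_mail(self, token: str, to: str, body: str) -> str:
        user = self._check(token, "mail:send")
        return f"sent from {user} to {to}: {body}"

    def revoke(self, token: str) -> None:
        if token in self._grants:
            self._grants[token].revoked = True

    def active_grants(self, user: str) -> List[List[str]]:
        return [sorted(g.scopes) for g in self._grants.values() if g.user == user and not g.revoked]


class FriendFinder:
    """A 'find your friends' feature on some third-party site (constructed)."""

    def __init__(self, provider: MailProvider) -> None:
        self.provider = provider

    def import_contacts(self, token: str) -> List[str]:
        return self.provider.read_contacts(token)

    def mail_everyone(self, token: str) -> List[str]:
        # What a misbehaving or compromised site could do with whatever it was handed.
        return [self.provider.send_mail(token, c, "join my site!") for c in self.import_contacts(token)]


def demo() -> dict:
    """Runs both flows and records what the third party could do in each."""
    provider = MailProvider()
    provider.register("alice", "correct-horse-battery-staple", ["bob@example.com", "carol@example.com"])
    site = FriendFinder(provider)
    results = {}

    # Flow 1: Alice types her mail password into the third-party form, as in the post.
    session = provider.login("alice", "correct-horse-battery-staple")
    results["password_contacts"] = site.import_contacts(session)
    results["password_could_mail"] = len(site.mail_everyone(session)) == 2

    # Flow 2: Alice approves "contacts:read" on the provider's site; the site gets only a token.
    token = provider.issue_token("alice", {"contacts:read"}, ttl=600)
    results["token_contacts"] = site.import_contacts(token)
    try:
        site.mail_everyone(token)
        results["token_could_mail"] = True
    except PermissionError:
        results["token_could_mail"] = False

    # Alice can list and revoke grants without ever changing her password.
    results["grants_before_revoke"] = len(provider.active_grants("alice"))
    provider.revoke(token)
    try:
        site.import_contacts(token)
        results["works_after_revoke"] = True
    except PermissionError:
        results["works_after_revoke"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is the one the comment makes: with a password the third party can do anything the user can, and the only remedy is to change the password; with a scoped token the provider enforces the scope, the token expires, and the user can revoke that one grant and see which grants are outstanding.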
> "I can't think of a very polite way to say "no fucking way", so I won't even try. There wasn't a button for that."
I'm sending you a bill for a new keyboard* - that was so funny I just discharged a large amount of coffee into my current one. I think some came through my nose in the process...
I eagerly await the next generation of web 2.0 apps complete with "No fucking way" buttons in their signup process. Maybe OK could become "Fuck Yeah!" too?
* I'd like a new bluetooth apple one please ;-)
I ran into the same thing during beta and blogged it here:
http://mdprtechtest.blogspot.com/2007/06/spock-beta-gave-me-pause.html
I signed up for the Spock beta awhile ago and got my invitation on June 14. I'm just getting around to trying it now. I went to try it out tonight and started the process. The second screen gave me pause, that's it above. I'm not sure if I'm Ok giving them my password to LinkedIn to try it out. Am I being paranoid?
Got an invite today. Thanks for saving me the time. This is _exactly_ what BBAuth and AuthSub is for. It's my opinion that API providers should provide both browser based and programmatic methods for token/session auth to keep things flexible, but I guess a good start would be a little more education about password security. They look like ******* for a reason.
PHP folks looking for an example of the right way to do this should look at the Zend Framework's GData modules. You can do things like Google Calendar mashups where the user logs in on Google's side, and _then_ lets the mashup access their data without knowing their l:p.
"my most sensitive information, including: Gmail"
What really is the issue here, and it's a scary one, is that it's not just Gmail you're giving access to, it's probably your whole Google account. Google Checkout would be my main concern...
There's at least one other place where Spock asks for login credentials, and this one's even more poorly messaged - the claim-your-profile page. I've posted about it at http://scottru.wordpress.com/2007/08/13/spocks-scary-signup/.
hi jeremy -
surprised you hadn't already heard of Spock, but in any case i'll pass along your note to the folks over there (i've been an advisor for them since last summer).
they have already made several changes to the address book invitation process based on customer feedback, resulting in both the switch to opt-in and the "skip this step" option.
don't know if you missed the "skip this step" or felt it wasn't prominent enough, however if you have any more specific feedback lemme know & i'll pass it on.
while the "no fucking way" button would definitely be novel, i have a feeling they probably won't implement that one.
BBauth, Facebook login, and other external 3rd-party logins are good suggestions tho.
- dave mcclure
Dave:
Thanks for the comments. I may have heard of Spock but they probably didn't stick in my memory. The net effect is the same, I guess.
Honestly, those eye tracking "heat map" studies you see go a long way toward explaining why I didn't even SEE the "skip this step" link until someone pointed it out to me. It's way down at the bottom--right where my brain expects to see legal, privacy, and "about us" type links.
Usually when given an either/or choice, I like to see both options presented on equal footing: both as buttons or both as links. Otherwise it's simply too easy to miss one or confuse their purpose.
yeah, i understand... it is a little easy to overlook.
i'll let them know, perhaps see if they can modify it slightly in future rev so it's more noticeable.
also other comments on BBAuth / SSL seem like good ideas too.
- dave
Change your password temporarily; use Spock (or facebook, or any other app that snarfs your address book); then change your password back to your original one.
Secure? No. But it is better than simply hoping the site (or some hackers) didn't cache your password.
As it happens, I did read the Terms of Service - which led to me bailing out even before I got to the page you baulked at.
I'm getting really tired of Web 2.0 communities that lay claim to the content contributed by their users. Their ToS includes a piece of legal boilerplate that is popping up far too often:
"You hereby grant Spock (and each of its registered users, as limited by the "Personal Use Only" section, above) the royalty-free, unlimited, perpetual, non-exclusive, irrevocable right and license to make, use, copy, distribute, display, publish, perform, modify, or translate any such Postings for any purpose and in any medium worldwide (including but not limited to incorporating the Postings into Spock databases or any other Spock property, product, or service) and to sublicense the foregoing rights, and this sublicense right, to others."
I'm sorry, but no. I have no qualms about contributing pretty much anything I write to the commons. That's one reason why my six-year-old blog carries a Creative Commons (by-nc-sa) license. But why the hell would I want to give these guys the right to do whatever they want with my stuff, potentially including making money out of it...?
Bah.