Online networking site Quechup.com is infuriating would-be members by e-mailing their contacts without permission, turning the unwary into unintentional spammers.
“I inadvertently invited everyone in my Gmail contact [list] to join a lousy social network called Quechup,” reads one apologetic message from a typically chagrined ex-Quechup member. “Please ignore that and please accept my apologies.”
The problem is in Quechups “check for friends” form, which prompts users to see whether any of their friends are already using the site. After the user enters a password, however, the service then sends a message to all the contacts in the users Web-based e-mail accounts—such as Gmail, Hotmail or Yahoo—without first asking permission.
Other social networking sites such as Twitter and Facebook feature the ability to import contacts from online services, but Quechups decision to use those imported contacts for self-promotion has people steaming, particularly since the promotional e-mail looks as if it were sent by the Quechup user.
“Instead of saying, Hey, these folks are part of our network, do you want to invite them? they just went and mass-mailed all my contacts—over 400 people, some of whom havent heard from me in eons,” said one ex-Quechup user whos an editor at eWEEK, headquartered in New York.
“Ive been online now for about 15 years, and still, Ive been had like a newbie,” said another blogger. “I am frustrated, furious, whatever, but I can only expect anger, ridicule and a total loss of respect from colleagues, correspondents and friends.”
It makes people feel duped, but are Quechups actions illegal?
No, according to Chief Security Analyst Mark Sunner, for MessageLabs, based in Gloucester, England. Quechup may not be asking for permission to e-mail your contacts loudly, but it is in fact stating what it intends to do, he said.
“In terms of what theyre doing, its incredibly antisocial, and we take a dim view of this sort of activity. But unfortunately theyre covering themselves … buried in the small print,” he told eWEEK. “When people subscribe, theyre giving permission, probably without realizing it, for these messages to be sent.”
Quechups spoofing of e-mail origins, however, might just well cross that fine blue line, at least in the European Union. MessageLabs Senior Analyst Paul Wood noted that the practice is addressed in article 13 of a European Commission directive on privacy and electronic communication.
Not that it matters for any practical purpose, given that the directive verges on unenforceable. “The use of false sender information in the SMTP headers is prohibited, but impossible to enforce in practice for ISPs, for example,” Wood said. The SMTP protocol, in fact, doesnt enforce any controls over the insertion of anything in the “from” field of an e-mail. Besides, Wood said, the directive also ignores the issue of opt-in vs. opt-out, leaving it up to each country to determine.
Quechup isnt alone in disguising the origin of its marketing mail, at any rate. Flixster, a service that allows users to share movie ratings with friends, also commandeers address books and sends out invitations to join that purportedly come from a given member. Flixster is even trickier with its viral marketing, at one point presenting users with a message saying that after they sign in to their e-mail accounts, theyll be given the ability to select which contacts to invite.
“Even though they make you feel as if you have complete control over the process by telling you On the next page you will be able to select whom to invite, they already have your contacts by that point,” according to an article by the Institute for Spam and Internet Public Policy, a company that markets an e-mail senders accreditation service, based in Sunnyvale, Calif.
Regardless of whether the actions of companies like Quechup and Flixster are legal, the fracas is a stark reminder of security laxness. First, it shows that many are not reading user agreements before signing up for services that require personal information. Second, people are freely giving away personal information that can be used for phishing or identity fraud.
“It started with greeting-card scams,” Sunner said. “Its not localized to this [Quechup episode]. Its a whole issue with user license agreements and what people can be potentially, unwittingly signing up for. Very rarely do people read that stuff nowadays. Its kind of a loophole organizations like this are exploiting. People … just click and accept, and they dont really take stock of whats going on.”
Click here to read about A-Space, a social network for spies.
The issues created by social networking have extended beyond questions of lost productivity in the corporate world: Perhaps a bigger problem now is the amount of information people give away at the sites and willingly keep up to date.
“Its potentially a goldmine for the bad guys,” Sunner said. “It allows attacks to be much more targeted.”
Indeed, its easy to grab personal information from Facebook and combine it with professional information from LinkedIn, for example, for “spear-phishing” attacks: i.e., targeted phishing attempts that reference people by full name and sometimes drop other bits of relevant information, such as addresses, titles or even colleagues names.
“It begs the question, Where are they getting all this?” Sunner said.
“Companies should be aware of keying in data about people into these sites [like Facebook],” Sunner said. “Including sites like LinkedIn. Combine the two, and you can build up a pretty accurate profile of what a persons personal data is, and their employment history. [You can use that to] hijack an identity or make a very targeted attack. We have made interceptions of targeted attacks which seem to be using data in this way, including full name and job title.”
Editors Note: This story was updated to include Paul Woods input on the legality of spoofing in Europe.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.