Thursday, July 23, 2009

Follow services may be even worse than they appear

As you may have noticed from a previous post, I am not a fan of follow services. However, it turns out that the services may be even worse than they claim to be.

The current approach of the services requires each user to enter their username and password, so that the service can use each user's account to post adverts (thinly disguised as praise; just use Twitter search to find the identical copies of the posts). This raises some questions about the security of the sites, since nobody knows what the account will be used for.

As a test run, I have created a new account and registered it with the different follow services to check whether this actually yields results and how much spam is posted (I will write a more elaborate summary of how it actually worked; so far it is not looking good).

One very odd thing happened during my tests: the account password was changed twice and the email address has received a series of password reset mails, so either an automation script is calling the wrong page or somebody is trying to compromise the account when the password is no longer working.

I will try to investigate which site is abusing the account and changing the password. At any rate, this means that the services cannot be trusted.
