Please Give Us Your Email Password

Secondly, isn’t Yelp breaching the license agreement for the APIs they are using by asking other users to break their contracts and give away their passwords?

Or they’re just screen-scraping. There weren’t even APIs for this thing a year ago.

Even if there is a better way of providing address book information I’d hesitate to do so. How do I know they aren’t building a spam list?

The online manager game www.hattrick.org was faced with this issue some time ago. The game has many supporting 3rd party applications which depend on access to game details.

To deal with this, the game introduced the “security code” feature. This is basically a second password, designed for this purpose, granting more restricted access. Although this isn’t a magical catch-all solution, I do think it might represent a possible approach for dealing with it.

It’s even better when there’s no pretense that they’re just going to connect you with already yelping friends, but actually go and spam everyone in your list.
http://jivlain.wordpress.com/2007/04/30/hello-mr-website-would-you-like-my-password/

If I ever come across a screen like that, I exit out. I don’t trust any site with that kind of information!

It infuriates me that I requested a lost password through 1and1.co.uk this week and they sent my old password to me, in plain text. I knew that I’d used it elsewhere, so I immediately went and changed a bulk load of passwords. If I - an amateur PHP developer - can include salting in my scripts, why can’t the big guns?

I only give my password and bank account info to Nigerian royalty who ask for it.

“EPIC FAIL”? That’s an understatement. It sets off every single security alarm bell I have. Just asked my mom whether she’d put her password in there and even she, being as computer-illiterate as mothers always seem to be, said she’d never even consider it. I guess I trained her well :)

Seriously, stuff like this is becoming the norm and not the exception. When signing my mother up for a PayPal account, the process asked me to give it the USERNAME AND PASSWORD to her online banking account.

W.T.F.

I’m going to trust a site with more holes than Swiss cheese to log into her bank account to verify she has a bank account? Worse still, I’m going to TRUST that PayPal is going to get rid of that login information when they are done?

Giving your username and password out, BTW, is strictly verboten by her bank, my bank, your bank, and every other bank. I am not a lawyer, but I’m sure there’s some kind of protection that I forfeit by giving out this information to PayPal.

I’ve got brass ones, but mine aren’t THAT heavy.

~Sticky

I couldn’t agree more with this post. Unfortunately, I think this has become so pervasive it’s close to being acceptable. Facebook does it. Meebo does it. And all 3rd party IM tools do it (albeit most of those run from your desktop but still…)

I am with you 100%, Jeff. But unfortunately we lost this battle. Sites are already using this practice like crazy. In fact, I would say you have to if you want to compete. Technical people may understand the horror of the situation, but the masses apparently do not.

Brinkster.com asks you for your username and password anytime you work with tech support to make any significant changes to your hosting plan (such as adding a new domain name). It’s really, really annoying, but that’s how they roll.

Making the address book public, at least temporarily, would be a terrific way to go, but there seems to be a battle these days by each company to keep your data. I wouldn’t hold your breath on this changing until some kind of class action lawsuit or something of that ilk comes through that forces companies to share YOUR information.

We’re thankfully moving away from this sort of thing with various open social network platforms which mean you can use a common social network API to get people hooked up with their friends quickly rather than their email contact book. Think OpenID, but with contacts.

They’re still not quite there yet though, and it’s worrying the damage may already start to have been done with respect to teaching users it’s okay to hand out your password though.

I agree that this is a poor way of retrieving friend lists. A nice way to get around this is to keep a dummy e-mail with only your contacts in it. Then give the password for that account. However, that may be too much effort for a one time import.

I simply have one email account for communicating with friends/family and a different one where all the “sensitive” information gets delivered. Although it makes me queasy to do this, I think I have done it once (on LinkedIn). Past that point, I guess I have refrained from giving away my (insecure) password even though I don’t have much to lose.

From the viewpoint of Yelp or LinkedIn or orkut, all they are trying to do is save you some time - which in and of itself is a noble cause. Is there a way for a platform like, say, OpenID to enable this functionality without compromising the security of your email account?

But all those email service icons make it look soooo real!

phhifff.

I think these sites should at least give me the option to supply an address book file that contains all of my contacts. That’s all they really want anyway, right? I know this would probably be more than a lot of people would want or possibly be able to do, but for users like ourselves, I think this option would be a nice compromise.

Yelp asks for your Gmail password explicitly (and lets you skip the step), but nearly all online logins just ask for an email address (as a user ID) and a password. How many people do you think use a different password for those logins than that of their email?

I’m sure most readers of this blog use a different password when creating online logins, but my guess is the average user doesn’t. Compared to this, the Yelp problem seems like a drop in the bucket.

Uh, no friggin’ way.

Even if a site is well-meaning, sensitive databases are stolen somewhat regularly.

We should be teaching small children: “Never share your email address and password with anyone” along with “Never talk to strangers”

I don’t know what to make of Facebook. Early on I could type in email addresses and find friends that way. Since it was .edu addresses at that point. At the end of each academic year I backed up my address books and stored them on CDs. Later on when I wanted to see if someone was on Facebook I would rifle through the ldifs and find their school address. Kept me in contact with a lot of old friends.

Now they’ve taken the basic email search away and replaced it with “give me access to your email accounts”. 1) I feel really uncomfortable about this. 2) I think it’s ridiculous they reduced the functionality in the first place.