I’m more cautious with most people about these things (I’m a software developer), and I haven’t gotten any virus or malware on any of my last 3 laptops – my laptop is my livelihood, so I’m loathe to ever take a risk with anything dodgy on it, and I extend that conservative approach to websites asking for my passwords.

I can definitely see how a lot of people would fall for the social-engineered ‘exploit’ that you fell for. My mother once gave her password to an “AOL Technician” in chat so he could “fix” her email account, which she’ll never do again, lol. Eventually, either people need to start treating their passwords as they would a credit-card, or more integrated authentication, and varied authorization systems will have to be seamlessly created.

I like the “OpenID” framework, where if I want some 3rd-party website to publish information or access content on my blogger-hosted blog, I just give the URL, and then I go to my site, where I’m told the name of the requesting app, and what it wants. I can then say “yea or nay”, and never give out my gmail password.

You got lucky, really, that it was a quasi-legit site. You might have been as easily duped into handing your password to those who would (as you said), taken over your account completely. Ouch!

Kirk

Follows standard acceptable practices? No.

Ethical? Certainly not.

But it does point out the huge potential for abuse .

We have been conditioned by dozens of perfectly legitimate and ethical websites that we can trust that they will not abuse the trust we give them.

But this conditioning we have developed can easily be exploited by sites that are unethical or even illegal.

If all Yaari does is spam my friends–that’s an annoyance.

But what if somebody with ill intent used the same technique to gather 250,000 passwords and methodically started to scan the emails accounts for passwords to bank accounts, domain registrars, SVN repositories, social networks?

What if, overnight, 500,000 Gmail, Hotmail and Yahoo Mail passwords were reset and the rightful owners were locked out? How would the rightful owners be able to reclaim their accounts and the data in them?

How big of a catastrophe could that potentially be?

When i got your invite i thought maybe for some specific reason you had invited me there or something…. glad my laziness prevailed and i didnt check it out..

BTW from their terms and conditions ( http://www.yaari.com/?controller=termsofservice&action=index ) :-

Yaari has established a Privacy Policy to explain to Members how their information is collected and used, which Member can read by clicking http://www.yaari.com/policy.php.

… policy.php is a 404 … in short they havent made one yet or have it removed….

Continuing on in section D :-
By registering for the Yaari website, and by giving Yaari member’s email address and password, a member agrees to the Terms of Service and consents to allow Yaari to automatically send an email from the member to member’s contacts, encouraging member’s contacts to register for the Yaari website. Invitation emails will be sent on member’s behalf, with the ‘from’ address set as member’s email address. Yaari will never store member’s email password.

..so what they did was legal, with your consent.. in the same time sneaky and evil

I personally think it’s time for Google, Yahoo! and other e-mail providers to detect and block these sorts of sites (including Facebook and friends) and maybe provide a real API to access contacts, etc.