Spammed by TimeBridge

I recently received an email, allegedly from someone I knew:
I'd like to add you to my network on TimeBridge.

Get started by checking out my calendar: <CENSORED>

A short time later, I received an email which actually was from this person, telling me (as I suspected) that he did not, in fact, want to add me to his network on TimeBridge. Three things went badly wrong here.

First, if you have a Google Calendar, TimeBridge wants to connect to it. How? By asking for your email address and password, logging in as you, and downloading it. But the password which controls access to your Google Calendar is also the password which controls access to Gmail, Google AdWords and AdSense, Google Checkout, and Google Web History. Do you really want to give TimeBridge access to all of that?

Second, TimeBridge asks if you "want to share your calendar with your friends". Well, why not? Sharing is one of those automatically nice things we were all taught to do in kindergarten, right? What TimeBridge should have asked is "do you want us to spam everybody you know?" Remember what I said about how your Google Calendar password also controls access to Gmail? At this point TimeBridge logs in to Gmail, pretending again to be you, and downloads your address book. Of course, there's a reason why TimeBridge asks such a misleading question -- how many people would answer affirmatively if they were asked if they wanted their friends to be spammed?

Third, TimeBridge sends out the email quoted above to everybody in the address book it downloaded -- pretending to be you. TimeBridge's Terms of Service state that

3.2(f) You may not impersonate another person (via the use of an email address or otherwise) or otherwise misrepresent yourself or the source of any email.

but apparently this prohibition against impersonating other people doesn't extend to TimeBridge itself. Clearly the people who work at TimeBridge have learned the same lesson as many authors of malware: People are far more likely to pay attention to you if you pretend to be someone they know and trust.

Lessons to be learned here? Don't do business with spamming and impersonating outfits like TimeBridge. And for the love of security, the next time someone asks you to tell them your password to some other website or service, Just Say No.

Posted at 2008-11-22 09:00