February 16, 2010

Potential RL-identity exploit with Avatars United

If you use your RL email address for your SL avatar, the default settings of Avatars United may unintentionally expose that address!

Snickers Snook posted an insightful article, "Spam via Avatars United", in which she explained that since joining AU she receives significantly more spam at her supposedly undisclosed email address. She dug into the settings and found that, by default, even AU widgets you have not installed can access certain data and send you emails.

While Snickers primarily saw the spam problem, my friend Zonja Capalini pointed out that being spammed is a nuisance, but the bigger threat lies in the unsolicited disclosure of a potential RL email address, and thus of the RL identity behind the avatar.

So if this concerns you, do two things:
  1. Read Snickers' article and adjust your Avatars United settings
  2. Go and finally get a GMail/Yahoo/Hotmail/whatever address for your avatar


Zonja Capalini said...

Reposted at http://zonjacapalini.wordpress.com/2010/02/16/potential-rl-identity-exploit-with-avatars-united/

MSo Lambert said...

I posted a whiny (lol, moment of weakness) comment on Snickers' original post about this. Since I'm not sure it'll get approved, I'd like to post a part of it here in hopes of dispelling this email privacy issue myth.

There is NO way for an application on Avatars United to get access to your email address, *regardless* of your privacy settings (or any settings) or whether you have the application installed or not.

If you spend 5 minutes going through the API documentation, you will notice that the AU OpenSocial container exposes very little information to applications or other OpenSocial clients.

For example, your emails, age, address, location, gender, interests, network presence, timezone, and a number of other pieces of information are NOT ACCESSIBLE through the API, regardless of any privacy setting. And please note, all these fields are part of the standard OpenSocial specification and are normally accessible (depending on privacy settings) on most other OpenSocial containers. Ever wondered how much information you're exposing by using Google Friend Connect (also based on OpenSocial)?

Even if your settings allow other AU applications to send you email, your email address is never exposed to the application. In fact, the AU server is doing all the sending *on behalf* of the application.

This means that all application emails will come from "noreply@avatarsunited.com" and are easily identifiable. Additionally, every email includes this line:

"This message was sent from the [APP NAME] application".

Which means you can easily identify the sending application and adjust your settings accordingly.

I have tested this myself and I don't really believe any of you are getting more spam after signing up with AU :)

Zonja Capalini said...

Many thanks for the clarification. Anyway, I think having a RL address for your avie is a bad thing -- if this makes some people reflect about it, it will not have been for nothing. And AU urgently needs to improve their messages so that they are understandable by the general public -- not to speak of computer literate people :-)

Peter Stindberg said...

Thanks for the comment, MSo. It definitely makes sense the way you explain it.

Of course one could construct scenarios where a clever approach to social engineering gets used to tempt a recipient of the "harnessed" mails you describe into acting imprudently. Phishing comes to mind here. But those will certainly not get tried on a mass basis, but rather targeted at an individual member.

One point however remains: a whole range of user-friendliness and explanation is missing in Avatars United. Adding a whole bunch of privacy and security settings in rather obscure places without explaining them in easy to understand words is not exactly helpful. There is a lot of room for improvement. Maybe they should take your comment as part of the documentation :-)
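As an added example (not code from the post, the commenters, or Avatars United), here is a small triage script built on the two points made above: MSo's description of AU application mail (sender noreply@avatarsunited.com plus a "This message was sent from the [APP NAME] application" line), and Peter's phishing caveat that such mail could be imitated. It parses a set of constructed sample messages, attributes genuine-looking AU mail to the application named in the body so you know which widget's setting to adjust, and flags mail whose actual sender address is not AU even when the display name or a lookalike domain says otherwise. The application names "Gift Exchange" and "Daily Horoscope", the sample messages, and the spoofed senders are all invented for the example.

```python
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr

# Sender and attribution line as described in the comment above.
AU_SENDER = "noreply@avatarsunited.com"
APP_LINE = re.compile(r"This message was sent from the (.+?) application", re.IGNORECASE)

# Constructed sample messages (not real AU mail). The application names are
# hypothetical; the last two messages imitate AU mail via a lookalike domain
# and via a forged display name.
SAMPLE_MESSAGES = [
    textwrap.dedent("""\
        From: noreply@avatarsunited.com
        To: myavatar@example.com
        Subject: Someone sent you a gift

        Hi there, someone sent you a gift.
        This message was sent from the Gift Exchange application.
        """),
    textwrap.dedent("""\
        From: noreply@avatarsunited.com
        To: myavatar@example.com
        Subject: Your horoscope for today

        Today is a good day to stay in the skybox.
        This message was sent from the Daily Horoscope application.
        """),
    textwrap.dedent("""\
        From: noreply@avatarsunited.com
        To: myavatar@example.com
        Subject: Another gift for you

        You received another gift.
        This message was sent from the Gift Exchange application.
        """),
    textwrap.dedent("""\
        From: Avatars United <noreply@avatarsunited.com.example.net>
        To: myavatar@example.com
        Subject: Account verification required

        Your account will be suspended unless you confirm your password.
        This message was sent from the Gift Exchange application.
        """),
    textwrap.dedent("""\
        From: "noreply@avatarsunited.com" <mailer@example.org>
        To: myavatar@example.com
        Subject: Claim your free gift

        Reply with your login details to claim your gift.
        This message was sent from the Gift Exchange application.
        """),
]


def sender_address(msg):
    """Bare address from the From header, ignoring the display name."""
    _display_name, addr = parseaddr(msg.get("From", ""))
    return addr.lower()


def body_text(msg):
    """Collect text/plain content from single-part or multipart mail."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def classify(raw):
    """Return (verdict, detail).

    'au_application' with the application name from the attribution line,
    'au_no_app_line' when the sender is AU but no attribution line is present,
    'not_from_au' with the real sender address otherwise.
    """
    msg = message_from_string(raw)
    addr = sender_address(msg)
    if addr != AU_SENDER:
        return "not_from_au", addr
    match = APP_LINE.search(body_text(msg))
    if match:
        return "au_application", match.group(1).strip()
    return "au_no_app_line", None


def tally(raws):
    """Count messages per sending application, plus the non-AU bucket."""
    counts = {}
    for raw in raws:
        verdict, detail = classify(raw)
        key = detail if verdict == "au_application" else verdict
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(classify(raw))
    print(tally(SAMPLE_MESSAGES))
```

The check deliberately uses the parsed address rather than a substring match on the From header, which is why the lookalike domain and the forged display name both land in the not_from_au bucket. It sorts mail; it does not authenticate it. A From header is trivially forged, so for anything that asks you to act (log in, confirm a password) treat the AU origin as unverified unless your mail provider's SPF/DKIM results say otherwise.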

MSo Lambert said...

Just to clarify, I completely agree with the call to use a separate email address for your avatar (especially if you're an immersive user), since (like Peter pointed out) phishing and social engineering are a serious threat - everywhere on the web, not just on AU or social networks.

As for the missing documentation and explanations on AU - yep, totally agree :)