Flickr unveiled a new feature recently that enables you to search through your address books in various email systems to find contacts that are also on Flickr. If you’ve used one of the many social networking sites, you’ll realise that this isn’t a new feature – most other social networking sites allow you to search your address books to find friends that are on the same service.
The difference is that Flickr have implemented the feature correctly.
Most other sites ask you to enter the username and password that you use to log in to the various email systems. Once you submit the form, the system logs into your email account and downloads all of your contacts through a process called ‘screen-scraping’. What ‘screen-scraping’ does isn’t really important; the important bit is that you’ve just trusted another web site with your email username and password. Most sites will include a message saying that your username and password won’t be saved and will only be used to grab your contact details. But what if they are lying…
Your password for your email system is probably the most important password you have. If someone has your email password, they can access any personal information stored in your inbox, and there’s a good chance they will be able to get ANY of your other online passwords that they like. For example, if you forget your password for an online service, you can usually go to that site and click on the reset password button. This will either send your password to your email account or send you an email with instructions on how to reset it. Imagine if I had your email account password, logged on to your account and secretly set up a forwarding address so that your emails were sent to an anonymous email account I had set up. You wouldn’t know that your emails were being forwarded without delving into your email system’s options and checking the setting manually. Then I could go to any online site that I thought you might use and reset your password so that I could log on as you.
Even worse, if you have an email account with Google, Microsoft or Yahoo!, your email password is linked to all the other services that you use with them. So your Yahoo! Mail password is also used for Flickr and IM; your Gmail password is also used for Google Docs and Calendar; and your Windows Live ID is used with almost all of Microsoft’s online services.
So back to Flickr’s new feature, and how it’s been done correctly. Flickr gives you the option to search through your Yahoo!, Google, or Microsoft/Live contacts, but the difference is that Flickr don’t ask you for your email account password. Instead they use the various APIs that are available, which means that if you want to search through your Google contacts, you’re redirected to Google’s site where they handle the authentication, and then send the contact information back to Flickr. The same applies to Yahoo! and Microsoft – at no point does Flickr ask you for your password; you only ever supply your password to the site where you would normally log in anyway.
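To make the difference concrete, here is a small Python model of the two approaches. It is an added example written for this post, not Flickr’s code and not any real Yahoo!, Google or Microsoft API: the `Provider` class is a constructed stand-in for an email provider, the account name, password and contacts are made up, and the token scope string `contacts:read` is an assumption. In the password-sharing version the importer holds a full mailbox session; in the delegated version the user types the password at the provider, and the importer only ever receives a short-lived token that can read contacts and nothing else.

```python
"""Toy model of contact import: password sharing vs. delegated, scoped tokens.
Constructed example; the provider, accounts and scope names are all made up."""
import hashlib
import hmac
import os
import secrets
import time


class Session:
    """A full mailbox session: everything the account owner can do."""

    def __init__(self, provider, username):
        self._provider, self._username = provider, username

    def contacts(self):
        return list(self._provider.account(self._username)["contacts"])

    def set_forwarding(self, address):
        # A holder of the password can change settings, not just read contacts.
        self._provider.account(self._username)["forward_to"] = address


class Provider:
    """Stand-in for an email provider: stores accounts, issues scoped tokens."""

    def __init__(self):
        self._accounts = {}   # username -> account record
        self._tokens = {}     # token -> (username, scope, expiry timestamp)

    def register(self, username, password, contacts):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[username] = {"salt": salt, "hash": digest,
                                    "contacts": list(contacts), "forward_to": None}

    def account(self, username):
        return self._accounts[username]

    def _check_password(self, username, password):
        acct = self._accounts.get(username)
        if acct is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
        return hmac.compare_digest(digest, acct["hash"])

    def login(self, username, password):
        """Full login, as used by a screen-scraping importer that was given the password."""
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        return Session(self, username)

    def authorize(self, username, password, scope, ttl_seconds=300):
        """Delegated flow: the user authenticates HERE, at the provider, and the
        third party is handed only a random, scoped, expiring token."""
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, scope, time.time() + ttl_seconds)
        return token

    def contacts_for_token(self, token):
        username, scope, expiry = self._tokens.get(token, (None, None, 0.0))
        if username is None or time.time() > expiry:
            raise PermissionError("invalid or expired token")
        if scope != "contacts:read":
            raise PermissionError("token lacks contacts:read scope")
        return list(self._accounts[username]["contacts"])

    def revoke(self, token):
        self._tokens.pop(token, None)


def scraping_import(provider, username, password):
    """The importer receives the password itself and logs in as the user."""
    return provider.login(username, password).contacts()


def delegated_import(provider, token):
    """The importer receives only a token; the password never left the provider."""
    return provider.contacts_for_token(token)


def _rejected(fn, *args):
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo():
    provider = Provider()
    provider.register("alice", "correct horse battery staple",
                      ["bob@example.com", "carol@example.com"])   # constructed data
    scraped = scraping_import(provider, "alice", "correct horse battery staple")
    token = provider.authorize("alice", "correct horse battery staple", "contacts:read")
    delegated = delegated_import(provider, token)
    # A token issued for a different purpose cannot read contacts at all.
    profile_token = provider.authorize("alice", "correct horse battery staple", "profile:read")
    wrong_scope = _rejected(delegated_import, provider, profile_token)
    # The user can withdraw the importer's access without changing the password.
    provider.revoke(token)
    revoked = _rejected(delegated_import, provider, token)
    return {"scraped": scraped, "delegated": delegated,
            "wrong_scope_rejected": wrong_scope, "revoked_rejected": revoked}


if __name__ == "__main__":
    print(demo())
```

Both importers end up with the same contact list, which is the whole of what the feature needs. The difference is what else the importer could do: `scraping_import` is one call away from `Session.set_forwarding`, while the token handed to `delegated_import` has a single scope, expires on its own and can be revoked by the user at the provider, none of which requires changing the password.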
So the point of this post is not just to congratulate Flickr on implementing this feature correctly, but also to highlight how dangerous it can be to give out your email account password too freely.