Failbooking by Etisalat


Facebook logo Español: Logotipo de Facebook Fr...
(Photo credit: Wikipedia)

You may call me paranoid or over-cautious after reading this. I wanted to write about this long ago, as soon as I heard this advertisement and thought its totally insane. But I was busy. Thanks to the most gruelling bloodshed of recent times in one of the prestigious higher educational institutes of the country, I get the chance to pick one of the drafts left in my blog. Here it goes..




Recently, Etisalat, a mobile service provider advertised a scheme for users to chat in facebook via SMS and the two ways they are suggesting the users to register has fundamental flaws. As the method 1 they want users to enter their facebook username and password at their own site www.etisalat.lk. In the next method they suggest users to SMS their username and password to a number.

As it is being discussed over and over again by people like Jeff Atwood and Dare Obasanjo, as a third party, its wrong to ask the user to “Please Give Us Your Email Password“. You may be trying to help. But some may consider it offensive. You are asking for the keys of their online identity.

Next thing, is it ok to allow users get comfortable with entering their credentials in all sorts of random places, and make them more susceptible to phishing attacks?

Then, asking them to SMS the credentials as plain text! huh? In this era of WikiLeaks? How can the user be confident that these usernames are not going to rest in a databse as plain text, where an employee with malicious intents, can copy them with a mouse click and sell for a fortune?? You’re Probably Storing Passwords Incorrectly!!!

I don’t think engineers at Etisalat didn’t know about OAuth or Facebook Connect or simple way of coming to an agreement with Facebook to send a confirmation code to user’s phone without making them SMS passwords. Did they misused the illiteracy of majority of Sri Lankan internet users, teaching them bad habits and let their online identities be compromised? or simply is somebody being lazy?

For example, OAuth is a technology that has been built for enabling applications to access Twitter/Facebook on users’ behalf with their approval without asking them directly for the password. So the users will be more willing to use your service.

And one more thing. In your method all will work fine, until they change their Twitter/Facebook password. This is one of the major things OAuth solves – The users’ access is not tied to their current username/password combination, so they’re free to change it without having to update a couple dozen external apps.

So why choose the hard, insecure, inconvenient way? There may not be a perfect security solution. But it is always good not to hide these critical information and keep them informed. As professionals, let us not only teach people to use technology, but also to do it in the safer, efficient and right way.

19 thoughts on “Failbooking by Etisalat”

  1. It seems engineers at WaveNET International are the ones who didn’t know about OAuth or Facebook Connect. And with my past experience Etisalat never cares about the security aspect of these applications.

    1. Really Shivantha ?? Do u even use a etisalat sim ? :O
      Don’t misguide public please.
      By the way good post and well said Santa :D

  2. clients like fring, numbuzz uses the same method for giving access to different IM services like gtalk, facebook etc..
    they do store your credentials with them…

  3. @kumaran IM clients that you install on your mobile do not store the passwords in some other place. It store it in your mobile provided that you allow it. And also in most cases it is not your password that is stored. They store a hash of your password. And those clients directly send those passwords/hashes to the server when you connect through secure means. There is no middle man. Your account is safe unless your phone is stolen or hacked.

  4. @ Nimal; Fb itself ask for email password and username of other email services such as gg, y! etc sake of introducing new friends :P . So, how do you ensure they aren’t store it? though they claimed so? (Practical example Wikileaks; State diplomat’s two face!) Though I’m not representing Et, Fb,Wni, or Wl, mobile operators have their own issues though you guys think abt it eating dozens of pencils. Thats y fb also going in that way to get the details than go behind new mail protocol to share user details :-)

    Its not about using fb APIs but what matter your programing tactics to reach you to the goal withing the security measures you’ve taken. (don’t forget; top militant sites also had been hacked so waht abt simple http calls :P )

    What matter is whether you want such services with 128 encrypted or easy user experience. Don’t forget still its not loose your bank deposits by loosing your password in this way.

    In fact, to write under water its you decide to use a pencil or a several million worth tool :P

  5. You may not loose your bank account but you can loose lot more if you loose your FB account.

    For example I know of a girl who got her FB account got hijacked. The account was uploaded with lots of stuff that she would never want to have under her name. And the hijacker asked a ransom to give her back the password (which he has changed).

    Basically you should not provide your passwords to middle man at any situation. Specially e-mail passwords. Because if your e-mail account got hacked/hijacked, attacker can easily access all your other account.

    Ex :- If I manage to hijack your primary e-mail account all I got to do is to go to other sites that you have an account with and report that I (pretending to be you) have lost the password. They will happily send a new password to your mail box which is now hijacked by me. Secret question may provide some protection but even that can be found out if one search inside your mail archive.

    1. අඩේ බං උඹ ත්‍රස්තවාදී කොලු පැටියෙක්ද ? හයි ජැක් කොරන්ට තනන්නේ :(
      කතාව ඇත්ත කොල්ලො. ඒ උනාට ලෝක සාමේට හයි ජැක් කොරන එකෙන් කෙල වෙනවානොවැ.

  6. මං හිතන්නේ etisalat අය කට්ටිය දාලා අපේ account වලට log වෙලා,chat එක කරගෙන යනවා ඇති අපි online ඉන්නවා වගේ ;)

  7. අනේ ලංකාවෙ ඉන්න බුද්ධිමත් අය ඕවට රැවටෙයිද ?
    ඕව ගිහින් කරනවා කොන්ඩේ බැන්දපු අරාබි කාරයන්ට.
    සැයු :- etisalat අරාබි කොම්පැණියකි.

    සුභ නත්තලක්

  8. Epic fail! maybe this one came out as a result of their mobile app competition “AppZone” where students were encouraged to develop apps using their framework :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s