  1. #1
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    Kowabunga Security/Privacy Issue? AM's Input Please.
    I was told the other day by someone that works a Kowabunga Program that my password into my affiliate account was viewable by them when they log into their Admin Section. This of course gives them access to my KB! account. And since they told me exactly what my password was for that account, I have to believe the information is correct. Can anyone who has access to Kowabunga Admin let us know if this is a pretty much across the board thing with KB! software?

    I am extremely concerned, shocked and many other things about this. There is no reason that our passwords should be viewable by anyone! How many affs are using the same passwords to access many of their accounts? Yes, not the safest thing to do of course, but how many are doing that? Kowabunga already has a less than secure login method as it is. Our user names are preset to our aff ID. So anyone wanting to gain access to an account is already half-way there by only pulling the aff ID out of a link from the aff's site. Now if the aff is using the same password on their multiple KB! accounts, anyone who has access to the Admin area of one of the programs now has access to any of the programs the aff has joined. And do we really know with any given program who all has access to the Admin section?

    Kowabunga what do you have to say about this? Just how in the world did someone with Admin rights to a program I've joined under KB! tell me my password? Managers running on Kowabunga platforms, step up and let affs know what information you are able to see. How long has this been happening? What about Kolimbo? Who is able to view those passwords?

    I suppose I can go and reset all my passwords for all the Merchants running on Kowabunga. What I'm really leaning towards right now however is deactivating all my accounts that are on Kowabunga until this is appropriately addressed. I'd need to see some serious proof however that appropriate security is being run through that software as it should be before I'd ever join again. Masking of passwords to even Admins by software is just common and easy to do. No reason for that information to even be pulled for display to begin with.

  2. #2
    ABW Ambassador cditty's Avatar
    Join Date
    January 18th, 2005
    Location
    Memphis TN
    Posts
    1,434
    Not good if true. Not good at all.
    Recycled Talent - Architects of custom scripts and snippets, perfectly written to suit any need. We stay on top of the latest technology so you don't have to.
    Total Stupidity - Shining light on stupid things.

  3. #3
    Member
    Join Date
    January 18th, 2005
    Posts
    55
    I understand your concern and this is something we have already addressed in the latest version of MYAP. I'll get to that in a moment.

    Understand that unlike the networks, we have traditionally sold private software to merchants. Those merchants already had access to every piece of information about you -- name, address, social security number, etc, so they could pay commissions and file taxes. We originally hid the password, but after a constant problem with affiliates asking merchants for their passwords when the "lost password" function was sending the password to an old email address, we added that information to the merchant's administration area so they could respond to their own affiliate's requests. Again, the merchants "own" the software and the database of information in our situation (unlike a network, where the network owns that information), so they own your password as well, in a sense. In our original version of the software, the database was actually housed on their server and they had full access to it, and it was assumed the affiliate understood that any information they submitted to the merchant when signing up was owned by the merchant, including the password they chose. We house the database now, but that understanding is still implicit, as you are joining a private program that needs access to that information to pay you.

    Now that we have a network situation in Kolimbo, we've decided to modify things so that passwords will no longer be visible to the merchant, and the affiliate will instead be required to choose a password reminder question and answer. We made this change because most affiliates who join a network expect it to work this way, even though in our case we still sell private programs to merchants to manage as they wish. This is in effect in new versions of MYAP.

    In your case (or anyone who is concerned) I can easily edit all of your passwords if you like. Just email me at jeff at kowabunga.com.

  4. #4
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    West Coast USA
    Posts
    3,043
    To be fair
    Is this just a KB issue?

  5. #5
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    Jeff,

    Thanks for your response. So how can affiliates know if it's a new version of MYAP the Merchant is using or not? Is there a way affiliates can tell whether or not their Merchants who are using KB/MYAP software have access to our passwords or not? The situation in which this happened for me the program was being hosted on your servers and since it is a new program I would think they have the newer version of your software?

  6. #6
    Member
    Join Date
    January 18th, 2005
    Posts
    55
    This change was made recently so not many merchants have the new version. Making this change retroactive to all accounts takes some time, but we are already in the process of doing that (it is complicated because each merchant has their own software, their own database, and can be using one of 8 versions with the possibility of custom work on each).

    The short answer to your question is there is not a way for affiliates to know which version their merchant has, but since there are hundreds of MYAP merchants using the old version, you should assume they have access to the password and act accordingly. If any of you want me to change any passwords for you let me know. Over the next couple of weeks we should be finishing up the vast majority of the existing MYAP accounts to make this change, so it should soon cease being an issue at all.

    And again, let me reiterate that we do not consider this a security/privacy bug. Just as in the case of CJ or LS where the network has access to your password, we were selling (and still do sell) software to merchants who own that information; as in any situation where a site requests personal information in an online form, they own that information and it is assumed that you trust them with it. We only decided to make this change because many new affiliates will not understand that Kolimbo is made up of private programs and is not a network in the traditional sense -- we are a trusted third party but do not "own" the relationship or put up barriers between merchant and affiliate. I know this can be confusing when many affiliates are used to these barriers being in place, and thus we were already making this change. Let me know if you have more questions or want me to make changes to any of your MYAP accounts.

  7. #7
    Analytics Dude Kevin's Avatar
    Join Date
    January 18th, 2005
    Location
    Rochester, NY
    Posts
    5,904
    I'm a big fan of KB, by the way, but I'm also concerned by some other behaviors, insomuch as I get emails sent to me that INCLUDE my password. I find that odd. But I also have pretty much resigned myself that any information, no matter how well guarded, is compromised pretty regularly.

    Still, I wish they'd quit emailing my P/W
    Kevin Webster
    twitter: levelanalytics

    Kayak Fishing
    Web Analytics and Affiliate Marketing

  8. #8
    Member
    Join Date
    January 18th, 2005
    Posts
    55
    If you're talking about emails from merchants, they have the power to include your password in certain emails to make sure you can log in easily. Also, if you forget your password, it is emailed to you (we couldn't think of another way to get it to you short of calling you, but that would be a bit weird, no?).

    If you're talking about emails from Kolimbo, we can set those emails to not include your password if you like (again, we do it for convenience sake and assume that only you have access to your email). Just contact ben at kowabunga.com and he can fix that.

    As with everything else we do at KB, I'm always open to suggestions if any of you have a better way to do something. As our merchants know, our platform is designed to allow for fairly quick changes for many things; we want to encourage affiliates to suggest changes to Kolimbo, as we built it for you to manage everything easier.
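
An added example, not part of the thread and not Kowabunga/MYAP code: one way to handle the two behaviours discussed above (passwords shown in the admin area, and passwords sent by email) is to store only a salted hash and to put a single-use, expiring reset token in the email instead. The `AccountStore` class, its method names, the PBKDF2 parameters and the 15-minute lifetime are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 900          # assumed token lifetime in seconds
PBKDF2_ROUNDS = 200_000  # assumed work factor


def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self.users = {}   # login -> {"salt", "digest", "email"}
        self.resets = {}  # sha256(token) -> (login, expiry)

    def register(self, login, email, password):
        salt, digest = hash_password(password)
        self.users[login] = {"salt": salt, "digest": digest, "email": email}

    def login(self, login, password):
        user = self.users.get(login)
        if user is None:
            return False
        _, candidate = hash_password(password, user["salt"])
        return hmac.compare_digest(candidate, user["digest"])

    def admin_view(self, login):
        # Everything an admin screen needs; there is no password to display.
        return {"login": login, "email": self.users[login]["email"]}

    def request_reset(self, login, now=None):
        """Return the token to embed in the reset email, or None if unknown."""
        if login not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store hash, not token
        self.resets[key] = (login, now + RESET_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.resets.pop(key, None)  # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        salt, digest = hash_password(new_password)
        self.users[entry[0]].update(salt=salt, digest=digest)
        return True
```

With this layout a "lost password" request to a stale email address still needs an out-of-band email change, but no support path ever requires someone to read the password back.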

  9. #9
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    Jeff,

    It's not a question of being a Network or not. Nor that the Merchant owns the information or not. Nor a bug but rather an issue/concern.

    Let's say I'm partnered with 20 Merchants using KB/MYAP software. My user ID is automatically set by the software to be my aff ID. I'm able to set my own password of course. As an affiliate I'm partnered with just 20 Merchants using MYAP, but I'm also partnered with several different Networks and several other Merchants running independent programs under other software platforms. I have a total of 100 partnerships. Because of the number of partnerships, I tend to use the same password on many accounts.

    Now of course Merchant A I'm partnered with knows the information contained in my account with them. However since they know my password, all they need is my aff ID (contained in my links on my websites) for any of my other Merchants I partner with and they can now literally log into my account with any of those other Merchants. That is not information they own nor have a right to be able to access. Some of these Merchants may also be competitors of Merchant A that I am also promoting.

    For me this is a security/privacy issue/concern. There may very well be affiliates out there who did not realize that the Merchant could actually see and know their password. I've had more than one place that I'm registered with and have an account that if I needed that person to be able to access my account for some reason, I've had to provide them with my password. After which I've always gone back and changed that password.

    It may just be a somewhat creepy feeling to know that someone else was logged into one of my accounts for which I have a relationship (and yes they actually did go into my account showing me they could do so). The reality of that being they already knew all the information there and the only thing available I suppose would be they could change my profile information (a very unlikely event). It's totally different to know they could also be going into my accounts with other MYAP Merchants.

    But as you say, affiliates need to take whatever actions they feel are necessary to protect their account information. I'm glad to hear that KB is taking some actions to address this issue, but it would seem that at the moment it is possible for affiliates' information in various accounts to be compromised.

  10. #10
    Member
    Join Date
    January 18th, 2005
    Posts
    55
    When creating software certain things do need to be weighed, and in this case it was the ability for a merchant to actually see all of the information related to their own affiliates (and thus let them actually manage their own program) vs. what we considered to be a very small security concern (again, pre-Kolimbo).

    The security concern was not typical; usually that has to do with an unscrupulous party trying to access personal contact information (social security numbers or credit card information, usually). In this case the affiliate was already freely giving up their personal information -- including SSN -- and to someone they were already trusting implicitly to pay them based on conversions. In other words, we are assuming that you are already placing trust in this merchant, otherwise you would not give them your SSN and drive traffic to them and trust them to pay you when you drove sales. With this in mind, the ability for a merchant to access the affiliate password as well (and in every case, it was because the affiliates were requesting their password from the merchant after they lost it) seemed of little concern.

    There was certainly always a small risk that a merchant might decide to pick out a specific affiliate, attempt to determine the login URL and id number for a different program (if the affiliate had any other MYAP relationships), and try the same password to log in. In this case they would not be seeing anything they did not already have access to, except perhaps how much sales you had been driving to that merchant. While that is certainly private information, it seemed to be much less valuable than your SSN and contact information. In other words, if a merchant was really not trustworthy, they already had plenty of information to hurt you or infringe on your privacy regardless of whether or not they knew the password you used to join their program.

    All of this was based on the affiliate understanding that they were joining a private program and thus trusting their private information to that specific merchant.

    Once we created Kolimbo, we were forced to re-think many aspects of how we were handling merchants, affiliates, and the software. At this time this password issue was revisited because we realized there could be cases when an affiliate could join Kolimbo and not clearly understand that they were providing all of their private information to every merchant they joined. That is when we decided to change things.

    Do I wish we had considered it sooner, before launching Kolimbo? Perhaps, yes. Do I think it is a big security concern considering the information the merchant already has access to? No, otherwise we would never have allowed merchants to see passwords once the database was on our servers.

    I hope this explains our thinking on this issue. Again, if you are uncomfortable, I can change your passwords now before the MYAP modifications are complete, and I extend that offer to anyone who feels they need it.

  11. #11
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    4,423
    Jeff, the bigger question for me - as you continue with Kolimbo, will you upgrade all merchants, or will that still be optional because there is a charge to them? For me to ever trust your network of programs, you need to bite the bullet and upgrade everyone to the same software for free and call that your product.

    I am not sure if you are doing that or not, but at least for me, as it stands, I tend not to use Kowabunga merchants because of the mish-mash the interface etc is because of the various versions.

    Chet

  12. #12
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    "In this case they would not be seeing anything they did not already have access to, except perhaps how much sales you had been driving to that merchant. While that is certainly private information, it seemed to be much less valuable than your SSN and contact information."
    "Do I think it is a big security concern considering the information the merchant already has access to? No, otherwise we would never have allowed merchants to see passwords once the database was on our servers."
    EGADS! Well thanks for the honest answers. All I need to know. I'll be closing all my accounts which run through KB/MYAP software today (if that's possible). And I don't see myself ever joining a program that uses that software again.

    The responses I've seen here seem to reflect a mentality that KB put out a product knowing there could be security/privacy compromises but made the decision unilaterally on their end what is important to the end user and that KB does not take security and privacy as seriously as I expect when joining a program.

    Of course this whole issue could have been significantly reduced by allowing affiliates to define their own user name.

    Thanks for the offer to me providing you with all my passwords to change things. Ermmm...I'm really not in the habit of doing such. Especially since I can easily do that myself by logging into my accounts. And I've never joined Kolimbo and since you are just selling your software to Merchants, I've always assumed that KB! doesn't have any access to any of my accounts nor information contained in them. Why would I provide that? Or maybe I was wrong in that assumption also.

    BTW....what I bolded in your quote is the whole point. And that information is considered confidential and proprietary information unless *I* make the decision to voluntarily reveal such to others.

    I'm also finding it interesting that no AM's managing programs running off of MYAP platforms have spoken up in this thread.

  13. #13
    Member
    Join Date
    January 18th, 2005
    Posts
    55
    chetf -- Some upgrades (like this one) are done for free, while others that have to do with pure functionality we do charge for. However the charge is often very small ($100 right now for any merchant to upgrade to our latest version).

    Kellie -- I'm sorry you feel that way, good luck with your business.

  14. #14
    Outsourced Program Manager
    Join Date
    January 18th, 2005
    Location
    Thailand/ Cambodia
    Posts
    805
    To let you all know I have been an affiliate manager with My App (but not currently), and still prefer their system over the networks.

    One thing is that if the merchant is using the Optin Pro add on, when the AM sends out a newsletter they have the option to include your affiliate login and Password.
    So this is what they are doing if you're seeing it in your newsletter.

    The thing to do is ask your AM 1. if they are using optin Pro (which I loved) and 2. if they are, to not add the password in their newsletter.

    As Jeff said, My App does not control the info as they are not a network, like SAS, LS and CJ, so each merchant owns the info. Check your affiliate agreement to find what they do and don't allow or do.

    It goes to trust, and your desire to trust your AM or not. If not then....

    My $.05 worth.
    Richard
    Affiliate Marketing Manager AMWSO
    Digestinol, Luxe-Design


    Every child is an artist. The problem is how to remain an artist once we grow up. Pablo Picasso

  15. #15
    ABW Ambassador webmarm's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,713
    KB also uses the OptinPro module to send out recruiting emails for merchants in the Kolimbo network. I was a bit alarmed to get a recruiting email to the email address that is my contact address for my Kolimbo network merchants. Had it been clearly from Kolimbo I wouldn't have blinked, but it appeared to come from the merchant (who I felt had no reason to have that contact email address). There was an opt-out link to OptinPro at the bottom. I had not opted in, so I didn't trust the opting out.

    When I contacted Kolimbo about it, they told me that it is a service they offer to merchants. I was removed from the list to be sent recruiting emails upon my request, though I did receive another 3 copies of the email before my removal set in. I did stress that had it been clear the email was from Kolimbo I would not have weirded out. After all, I get plenty of sp@m, errrr... recruiting email from CJ.
