Attn. Bonanza Users

laureenthemean · Oct 19, 2010

karmenzsofia said:
If it turns out they asked for IDs and passwords for anything other than member verification (as the website states), then I hate to say it...but that would mean they went beyond being stupid and making a bad move to being sneaky and even malicious because they would've been lying about their reason for asking for this info. And that blows on top of it all.

It's definitely not a simple verification. It basically makes your tPF activity public.

wbharding · Oct 19, 2010

@ArmCandyLuvr: Yes, you are apparently correct :biggrin:

MissMollie · Oct 19, 2010

wbharding said:
@AuntFlo: As pointed out by some others, tPf is not the first site that we let our users link their accounts to; generally speaking, we think that being able to connect accounts between the different sites you use is a useful idea for our mutual users. And we had hoped the traffic we hope to drive to tPf through the feature would make it a win-win. But again, we're fine taking the feature down, it certainly isn't a major aspect of the overall site, just a nicety we had hoped would make for a better experience.

@MissMollie: The tracking number showing up is an issue we only heard about recently; we will be looking into it today and it will likely be fixed by tomorrow.

@iluv: It's probably fairly clear at this point, but our primary rationale was user convenience. And the fact that we had already built out similar functionality to link with other sites meant that we already had the technology to temporarily store user info in a secure fashion. But we certainly don't want to step on toes for sites that aren't comfortable with such features, which is why we've taken it down.

Bill Harding
CEO
Bonanza

Mr. Harding - thank you for addressing my concern. Once this issue is fixed, I WILL become a member of your site. I am SICK of your main competitor, and I think this is a GREAT way to let them know that we all think they are atrocious. If they lose a ton of business, you'll benefit, and hopefully they'll eventually close down. Thank you!

Beach Bum · Oct 19, 2010

Dear Mr Bonanza(WB HARDING)

THIS site has brought YOU business....LOTS of it.and you had NO RIGHT to link your site to the PF WITHOUT ANY PERMISSION.seriously?how can you even justify what you did.shame on you..again.and guess what?you lost my business.

You run and own a BUSINESS....u know better.

pigalle74 · Oct 19, 2010

I don't know, don't they have import functions from ebay as well? I doubt ebay endorses Bonanza... The whole tpf option looks to be strictly optional and nobody has to link it. I certainly didn't think anything of it. I've given my ebay account/password to sniper sites and nothing has happened to my account so far.

Echoes · Oct 19, 2010

wbharding said:
For the record, we never save users' password or sensitive information on our system longer than absolutely necessary.

Bill Harding
CEO
Bonanza.com

For the record, it it NOT acceptable for you to EVER ask for anyone's password to any other site at any time for any reason under any circumstances.

RaeBelle · Oct 19, 2010

I really don't see how this is any different from Bonanza asking for your eBay username & password or your Facebook username & password. It's optional and I'm sure eBay and Facebook aren't endorsing Bonanza.

bagtasia · Oct 19, 2010

Thank you for the very important info.

Suzzeee · Oct 19, 2010

Thanks for catching it but I don't think it was a "trap" or anything malicious on the part of Bonanza - I think they were trying to make things easier for users and forgot about privacy for a minute.

It's also not really any different from using an app/game on FB where it asks you to "allow" that game to access your FB data -- it's pretty common in the industry -- the problem is in how the data is stored and used.

awayfromblue · Oct 19, 2010

amanda said:
The problem is that the feature seems to have been intended to update your Bonanza account with information from your tPF account on a renewing basis - so if people posted about personal things here, there's a significant chance it would have ended up associated with their Bonanza ID. And people post about VERY sensitive personal topics in some of our sections. That they discard the password after the initial link isn't the issue - their algorithm would have to continue to access your account in order for that feature to work as it has been explained and advertised.

Also, Facebook puts out developer kits to allow third party businesses to interact with their members and discloses that in its user agreements - tPF has never done anything like that, it's not accounted for in our user agreements, and permission was never given for Bonanza to mine data from our members.

Oh I completely agree that the permission thing is a sore point - they should have let tpf know what they had planned to do, that way it could have been added into user agreements and things.

But why would you think that tpf users would want to link a selling account with their personal account if they posted such sensitive information here? They wouldn't, and so they had the choice not to. It was an optional feature.

Bonanza made it clear it wanted to link it, if there was anything on tpf people didn't want associated with a selling account then they wouldn't link it. It was a nice feature for those who may want an online presence in multiple places to raise their selling profile. If only bonanza had asked for permission first. And as Vlad has pointed out, if tpf users change their mind and want to unlink the accounts they can, they change their tpf password without updating it on bonanza. Users had full control.

amanda · Oct 19, 2010

RaeBelle said:
I really don't see how this is any different from Bonanza asking for your eBay username & password or your Facebook username & password. It's optional and I'm sure eBay and Facebook aren't endorsing Bonanza.

I'm assuming that neither of those functions run the risk of broadcasting very sensitive information back onto your Bonanza account, as this feature apparently did. Many of our members post about things like illnesses, relationship issues, parenting, and finances on our board in order to seek help or advice when they're not comfortable doing so in their everyday life or with their full identity, and this feature would update Bonanza with your tPF posts. To me, that's a big privacy issue that many members might not be fully aware of when signing up for the feature, and it's our responsibility to ensure that our members know what they're getting in to when unauthorized third parties are asking to access their accounts here. It's not okay by any stretch of the imagination.

Echoes · Oct 19, 2010

qwerty234 said:
I don't understand - bonanza takes your passwords for ebay ...

You can lose your eBay account for disclosing your password there.

amanda · Oct 19, 2010

qwerty234 said:
Oh I completely agree that the permission thing is a sore point - they should have let tpf know what they had planned to do, that way it could have been added into user agreements and things.

But why would you think that tpf users would want to link a selling account with their personal account if they posted such sensitive information here? They wouldn't, and so they had the choice not to. It was an optional feature.

Bonanza made it clear it wanted to link it, if there was anything on tpf people didn't want associated with a selling account then they wouldn't link it. It was a nice feature for those who may want an online presence in multiple places to raise their selling profile. If only bonanza had asked for permission first. And as Vlad has pointed out, if tpf users change their mind and want to unlink the accounts they can, they change their tpf password without updating it on bonanza. Users had full control.

To me, there is a major functional difference between simply showing someone as a "verified" tPF member and broadcasting information gained from that link back to a third party site. Many members may not have realized exactly what the feature would entail or that their posts would show up on other sites, and as I said in an earlier reply, it's our job to make sure that our members realize that.

Also, Bonanza members might have felt pressured to link their accounts in order to be seen as more "legitimate" in the eyes of other buyers, and we would never want a third party to be able to leverage our user base here in order to compel people to share more than they would want to otherwise. That may not have been a predicted outcome from Bonanza's end of the bargain, but the linking would make it all too simple for that to take place.

awayfromblue · Oct 19, 2010

Echoes said:
You can lose your eBay account for disclosing your password there.

True, you can also lose your ebay account for using sniper programs though and I don't see big angry signs about that

Ebay don't want you to put your ebay password anywhere other than ebay, most sites are like that, but some are open and encourage sharing like facebook letting you log in to multiple places. Up to each user to be aware of what they are signing up for and what are the risks involved in sharing information in different places.

I'm just hoping that Vlad comes back to make a post about why it's bad to share passwords anywhere as at the moment all I see is an attack on bonanza and IMO I think that's a little wrong, it certainly wasn't a "trap".

Echoes · Oct 19, 2010

Suzzeee said:
It's also not really any different from using an app/game on FB where it asks you to "allow" that game to access your FB data -- it's pretty common in the industry -- the problem is in how the data is stored and used.

Cross site linking is a MAJOR security risk.

Attn. Bonanza Users

More options

laureenthemean

wbharding

Member

MissMollie

Member

Beach Bum

pigalle74

Member

Echoes

RaeBelle

The Commish

bagtasia

ONEATATIME

Suzzeee

awayfromblue

Mica

amanda

I Bleed Georgia Red

Echoes

amanda

I Bleed Georgia Red

awayfromblue

Mica

Echoes