Startups: Private Beta Invite Authentication Problems


While it is incredibly beneficial to use an invite-based system while your startup is in beta, the system is highly susceptible to spammers. Here are a few things to look out for.
Spammers can create one account using false credentials, and from there create a large chain of accounts that may be used for spamming purposes.
Once you manage to get an invite for a site and create an account (we used Pownce as the basis for this article), you are usually given 5 more invites to share with your friends. When you send these invites you are shown an invite code so that, if there is a problem with the email, the recipient can sign up through an invite-code URL. Because this URL exists and the sender can see it, anyone can send invites to false addresses and then use the invite codes to create sets of new accounts. Each new account in turn receives 5 more invites, and before you know it you have a whole spammer army on your hands.
Pownce isn’t the only application susceptible to this scheme; Gmail had the same vulnerability and so does VeohTV. When Gmail was still in private beta, the person sending the invite could send invites to himself or herself, or send an invite to a false address: the invite code would show up in the Sent Items folder, or the message would come back in a bounce e-mail, allowing the user to create multiple unverified accounts.
The fix is very simple, and the problem seems to be the result of simple oversight more than anything else. Pownce doesn’t have to show the sender the invite code, and Gmail didn’t have to place the invite in the Sent Items folder or let a bounced message reveal the invite code to the sender. While these steps add convenience for the user, they can create headaches for your service. If spammers are able to create massive numbers of accounts this can be a big problem for a site that is still in beta, and it will unnecessarily use resources combating a self-created and easily rectifiable problem.
Instead, the service should let the inviter revoke and reissue an invite if it doesn’t arrive.
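As an added illustration (not Pownce’s, Gmail’s or the article’s own code), the following Python sketch models the fix described above: the sender gets back only an opaque handle it can use to revoke and reissue, the secret code is mailed solely to the recipient address, and, borrowing the decaying-quota idea raised in the comments, each generation of invitees gets one invite fewer than its inviter. The in-memory outbox and all user names are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Invite:
    sender: str
    recipient: str    # address the invite was mailed to
    code: str         # secret; delivered only to the recipient, never shown to the sender
    redeemed: bool = False
    revoked: bool = False


class InviteService:  # toy issuer, constructed for this example
    def __init__(self, seed_invites=5):
        self.invites = {}   # opaque invite id -> Invite
        self.by_code = {}   # secret code -> invite id (what the signup form looks up)
        self.outbox = {}    # recipient address -> codes "mailed" (stands in for the mail server)
        self.quota = {}     # user -> invites left to hand out
        self.grant = {}     # user -> invites the user was originally given
        self.seed_invites = seed_invites

    def add_seed_user(self, user):
        self.quota[user] = self.grant[user] = self.seed_invites

    def send_invite(self, sender, recipient):
        if self.quota.get(sender, 0) <= 0:
            raise PermissionError(f"{sender} has no invites left")
        self.quota[sender] -= 1
        invite_id, code = secrets.token_hex(4), secrets.token_urlsafe(16)
        self.invites[invite_id] = Invite(sender, recipient, code)
        self.by_code[code] = invite_id
        self.outbox.setdefault(recipient, []).append(code)
        return invite_id  # the sender gets a handle for revoke/reissue, not the code

    def reissue(self, sender, invite_id):
        """Replace an invite whose mail went astray: the old code dies, a fresh one is mailed."""
        inv = self.invites[invite_id]
        if inv.sender != sender or inv.redeemed or inv.revoked:
            raise PermissionError("invite cannot be reissued")
        inv.revoked = True
        self.quota[sender] += 1  # give the slot back before re-spending it
        return self.send_invite(sender, inv.recipient)

    def redeem(self, code, new_user):
        """Sign up via invite code; each new generation gets one invite fewer than its inviter."""
        inv = self.invites.get(self.by_code.get(code, ""))
        if inv is None or inv.redeemed or inv.revoked:
            raise ValueError("invalid, used or revoked invite code")
        inv.redeemed = True
        self.quota[new_user] = self.grant[new_user] = max(self.grant[inv.sender] - 1, 0)
```

Because the sender never sees the code and a revoked or redeemed code is rejected, mailing invites to false addresses no longer yields anything a spammer can sign up with.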

  • Paul Drago

    Or create a depreciation value to the beta invite system until users provide value and hit certain thresholds.
    For example– I create Super Service X and each of my original seed beta users get 10 invites– they pass out these invites and each of the next level get 9 invites, then 8, 7, 6…you get the idea.
    Of course, once the user has done a certain number of actions, i.e., visited pages, logged active time on the site, comments, etc.– there are 100s of metrics someone could use here and it just depends on their industry. Frankly, the work would make it entirely not worth it for someone looking to create a spam network.

  • That is a great idea Paul! They could use an algorithm that makes sure each user is participating, and earning invites.

  • Paul Drago

    Exactly! And you create a beta invite that has the potential to become scarce and hopefully increase the “value” and the desire to participate with the community.

  • This is similar to the problem MyBlogLog had early on where the userID was in the avatar filename. You could spoof all sorts of things on MyBlogLog before they closed the hole.
    Good post Chris!

  • Thanks Steve, yeah MyBlogLog has had all sorts of issues with authentication. It still bothers me that anyone can claim a domain with no type of authentication on the site.