Jump to content

Wishlist / Wishpot - is this a clever scam?


You are about to reply to a thread that has been inactive for 4095 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

Today, I googled my name and discovered I belong to something called Wishpot.com.

I don't remember signing up for Wishpot, but it had my correct email address.

The Wishpot.com site suggested I could sign in with my Facebook account. When I tried to do this, Wishpot requested that I allow it access to my Facebook information. I accepted, thinking it would give me access to my Wishpot account via Facebook.

Things seemed to be okay, but I was still required to log in to Wishpot. I decided to use the 'forgot password' option. I then got an email message from Second Life saying that it had received a request to reset password. The address seemed odd:

Warning, you probably should not click on this link:

https://wishlist.secondlife.com/secure/resetpassword.aspx

When I manually tested part of the address (https://wishlist.secondlife.com) to see if it was part of Second Life, I got a warning that the site cirtificate was invalid and that there was a risk of going to the site. I closed the window without proceeding.

I searched the SL database and discovered LL had something called Wishlist as part of Xstreet. This led me to believe that Wishpot was indeed a subset of Second Life (perhaps Wishpot was Wishlist renamed). I presumed I was automatically signed up to Wishlist/Wishpot by Linden Lab as part of my Marketplace account.

I went back to the Wishpot.com and tried to sign in with my gmail password (didn't work), my Facebook password (didn't work) and my Second Life password (didn't work).

Now my alarm bells are ringing like crazy. Something is very wrong with Wishpot.

I instantly changed all my passwords in case it was a fishing scam.

Wishpot shows up on my Facebook account, but when I try to access Wishpot via Facebook, I get a message that the account (with my correct email address) already exists. It asks me to sign in. But sign in with what password? My SL password? my Facebook password? My gmail password? Since I have just changed all three, I try the 'forgot password' option again - and again I get an email from Second Life asking if I want to reset my password. The same strange link is offered. I again refuse to click on it.

Now, I am completely baffled. Something is very wrong here. I admit I am a tech-idiot, but I wonder if this is not an elaborate fishing scam to get people's Second Life passwords.

Does anyone know anything about this?

Link to comment
Share on other sites

I dunno about clever, but it has scam written all over it...

and I'd alert LL that wishlist is impersonating a subdomain on their network, since the certificate for that site is actually registered to registry.rightstart.com which appears to be a baby registry site (so they are being scammed too and either someone with access to their network is misusing it, or their site certificate has been cloned)

Link to comment
Share on other sites

I'd suggest a PM to a moderator asking them to inform someone higher up in the web management chain (they can get the subdomains dns yanked).

I wouldn't suggest jira, and I don't know that there is a ticket type that would be useful... and I doubt that live help would be much use.

you might also email security@lindenlab.com

Link to comment
Share on other sites

Hi, Wishpot really is an outsourced service that LL used to offer, it is not a spoof site. There is even still a link to it on the old Xstreet site. It was not kept active on the new marketplace, but LL was slow to remove it. wishlist.secondlife.com now has a banner "NOTICE: This wishlist system will no longer be supported after June 30, 2011" so they are in the process of phasing it out.

Link to comment
Share on other sites

Then does wishPOT.com belong to Linden Lab? Clicking the 'forgot password' link of wishPOT.com results in an email with a link to WishLIST.secondlife.com. The wishPOT site appears to be active (it linked itself to my Facebook account). Is wishPOT the reincarnation of wishLIST? Is it a new LL project? Have I stumbled on an incomplete beta, which is why the passwords don't work?

Something smells bad about all this.

Link to comment
Share on other sites


Deltango Vale wrote:

Then does wishPOT.com belong to Linden Lab? Clicking the 'forgot password' link of wishPOT.com results in an email with a link to WishLIST.secondlife.com. The wishPOT site appears to be active (it linked itself to my Facebook account). Is wishPOT the reincarnation of wishLIST? Is it a new LL project? Have I stumbled on an incomplete beta, which is why the passwords don't work?

Something smells bad about all this.

wishlist.secondlife.com is a Linden Lab branded front end for wishpot.com. wishlist.secondlife.com was always really whitelabel.wishpot.com. It is an old LL outsourced offering at the end of its life. On wishlist.secondlife.com, the login link in the banner still brings me to Second Life's own OpenID server.

If you went there through a wishpot.com URL, you would be prompted to use Wishpot's own login system and it would be a separate account.

We can compare it to the way community.secondlife.com and secondlife.lithium.com are the same web site for an outsourced service, but our logins send us back to the first URL for SL use.

Link to comment
Share on other sites

odd, I hadn't realized that the old market was outsourcing it's wishlist function (usually that sort of thing is specific and simple enough to be integrated)... still it's always unnerving when companies leave old dns redirects laying around to sites with completely different certificates... someone should probably update that.

Link to comment
Share on other sites


Griffin Ceawlin wrote:

That'll teach you to Google yourself...

With the budget crisis in the states, we should just fire the CIA, NSA, and FBI, and tell a couple of guys in Jersey to start googling everyone.

 We could'a had Bin Ladin years ago if they'd just found his netflix account... ;)

 

Link to comment
Share on other sites

Thanks for mentioning thus, we received the report and it was corrected last week. Now, if you reset your password the link will point to Wishpot.com with a valid certificate.

 

Wishpot never had a second life certificate because the authentication was always via secondlife's servers, openid. Now that we're offering the ability to set a Wishpot password, we do need a secure channel, which is why we updated the links. Hopefully that makes sense!

 

Tom

Link to comment
Share on other sites

You are about to reply to a thread that has been inactive for 4095 days.

Please take a moment to consider if this thread is worth bumping.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...