Hong Kong's Zorpia: Is This a Real Social Network or Just a Spammer?

zorpiaI first came across Zorpia a couple months ago, when I got an email saying that a friend -- we'll call him Mike -- had "left me a private message" on the service. That seemed unlikely, but I wrote it off as random spam and forgot about it, until last week when I got a similar email, ostensibly with a private message from my wife. My mother got the same email. I checked with my wife, who admitted she'd clicked a link in an email from Zorpia, but denied ever having set up an account, let alone sent any private messages. Something seemed very odd. I vowed to dig deeper. Zorpia, it turns out, is a startup founded and run by Jeffrey Ng and based in Hong Kong. Launched all the way back in the early days of MySpace, Zorpia began as a social network that would facilitate unlimited photo sharing. Over time, Ng says, it has evolved into a service that's more focused on helping people make new friends (he likens it to a digital bar or a town hall). It has also built up a very substantial base of registered users, growing from just 1.5 million users in 2005 to around 28 million users today, although just one million are monthly active users. Most of those users are in Asia, Ng tells me, and the service is especially popular in India, with over ten million registered users. When I asked about user acquisition, Ng told me the site used a variety of techniques, mostly based around people inviting their friends. I explained about the emails I had gotten from my friend and my wife and asked Ng to explain why I was getting messages from people suggesting they had left me private messages on Zorpia when they clearly hadn't. He told me he'd look into it, and but was never able to satisfactorily explain how that had happened. To get to the bottom of things, it was clear that I needed to sign up for a Zorpia account myself. And so I did. As with all test accounts that I create for work, though, I used none of my real information, opened the account via a browser I don't normally use, and registered using a unique email address created specifically for that test account. Things looked bad pretty much immediately. On the account activation page, I noticed that three hyperlinks users might expect would lead to help pages or a "resend email" prompt actually redirect users to sketchy free-survey sites that seem an awful lot like scams. zorpia-activation-page (Ng confirmed that the links are there intentionally as advertising, but said that Zorpia has no control over what the links lead to as it varies based on the user's geographical location). Once I logged in to my new account, I found another surprise: Zorpia was worried about my password security. A banner across the top of the screen blared that my password was "more than six months old." Given that the password is one I'd never used before and had created only moments before, I was not expecting this. (Ng told me the message appeared to be a bug; however, as of this writing it has not been fixed). But I ignored it because as you can see in the screenshots below, I had two new messages. zorpia-says-password-old copy When I opened my messages, one of them was the boilerplate welcome greeting you'd expect from the Zorpia team. The other was an absolute shock. There sitting in my inbox just a minute after I first opened this account, was a message from my real life friend "Mike": what-how-does-it-know-that That's when I started getting goosebumps. That's also when I double-checked with "Mike" to be sure he hadn't somehow sent me a message -- he hadn't -- but frankly, even if he had wanted to, it should have been impossible. I didn't use my real name, my real email, my usual browser, or any real information about myself when setting up either the Zorpia account or the email account it is attached it. I also hadn't told "Mike" I was planning to set up a test account of my own, and we live thousands of miles apart. It would have been nearly impossible for him to find my account even if he had wanted to in a sea of more than 28 million registered accounts. And of course, when that message was sent, he wasn't using Zorpia anyway. He says he has never used Zorpia. Zorpia CEO Jeffrey Ng told me that this was "very odd," and that he'd have his tech team look into it. While I waited, I was thinking about Occam's razor. How likely was it that some convoluted bug could randomly link two people who actually know each other from among the site's nearly 30 million members? How likely was it that "Mike" could have found my account in the first place even if it was really him sending the message? The simplest explanation seemed to be that somehow (possibly through my IP address, which I foolishly forgot to obscure), Zorpia had linked my test account to my real identity, and then confirmed that I knew "Mike" through the access it apparently has to his email contacts list. When Ng got back to me, he confirmed that that was indeed what had happened. Although I was using a separate browser to do everything related to Zorpia, I did load the "confirm account" page with my default browser once by accident because it is what opened when I clicked the account activation link. Previously, I had used the same browser only to unsubscribe from Zorpia emails -- I have no Zorpia account -- but nevertheless Zorpia apparently used the cookies from that interaction to connect my real identity (and thus my friendship with "Mike") to my new test account. Ng told me that when a friend joins, the system automatically sends them a private message from their friends already on Zorpia welcoming them. So, even though my new email couldn't possibly have been listed in "Mike's" contacts, his account automatically sent me a private message without his knowledge simply because I happened to once use a browser that once previously had been associated with unsubscribing from the spam emails Zorpia was sending me on his behalf. After he explained this, even Ng admitted that this was a bit beyond the pale:

We do realize this comes off as creepy and poses a potential security threat to the user. Therefore we have disabled Zorpia from using cookie to store friend relationships already.
But he still wasn't able to explain how Mike's contacts -- and my wife's -- got into Zorpia in the first place. Both deny having intentionally provided them to the service, and while Ng stops short of calling either of them a liar, he doesn't seem to be able to explain how it could have happened otherwise:
From your friends' experience, it seems like they simply do not recall they have added any friends on Zorpia. We will review our process and address this issue.
My friends are not the only ones having a similar experience though. Although PandoDaily covered the startup last year and didn't mention the problems it seems to have with emailing people who aren't signed up for it, there are complaints about this dating back to 2009 at least. Each of the words in the previous sentence links to a different person complaining about being auto-enrolled in Zorpia or having their contacts list spammed by the service, and I found all of these quite easily and quickly via Google (where there are plenty more to be found if you want to go hunting). It seems like an awful lot of people have the same apparent amnesia Ng is suggesting my friends have when it comes to handing their contact list over to Zorpia. Ultimately, though, the only way to be sure was to do another, more complicated test. After deleting all the cookies in both my browsers, I connected to my VPN (to obscure my IP) and opened up two new gmail and Facebook accounts, called 'Zorpia Test1' and 'Zorpia Test2'. I made sure that the two were friends, and had a history of emailing back and forth. Then, I signed Zorpia Test1 up for a Zorpia account. I authenticated this account using both the Zorpia Test1 Facebook and Zorpia Test1 gmail accounts, but I never invited any friends (Ng had told me that all non-user friends needed to be invited manually by the user). I loaded the Zorpia "Add Friends" section once to be sure that the social network saw my connection with the 'Zorpia Test2' account, but I unchecked the name and backed out of the "add friends" dialog. I did not invite the Zorpia Test2 account as a friend or sign it up for a Zorpia account. Then, I waited. And sure enough, within a couple days, the Zorpia Test2 account was getting messages from Zorpia. In fact, the Zorpia Test2 account somehow acquired its own Zorpia account! In the email below, you can see the welcome message I received about an account I never signed up for, using a username that defied the naming conventions I had set up for this test. screen For me, the question of whether Zorpia is a real social network has been more or less put to bed. For a ten-year-old social network, there are simply way too many "bugs" here, and almost all of these "bugs" seem to result in non-users getting messages aimed at tricking them into joining the network. If years of online complaints haven't changed the company's ways, it's unlikely this article will be any different. So, unfortunately, I've got to say this: if you're getting messages from Zorpia, your best bet is to click "mark as spam" and move on with your life. Zorpia, from what I can tell, is less a social network and more a mirage, an illusion designed to cajole and trick you into visiting so it can earn a few cents more from its ubiquitous advertisements. Abandon all hope, ye who enter here. This is social networking hell.
The post Hong Kong's Zorpia: Is This a Real Social Network or Just a Spammer? appeared first on Tech in Asia.

Editor’s note:Yahoo Philippines encourages responsible comments that add dimension to the discussion. No bashing or hate speech, please. You can express your opinion without slamming others or making derogatory remarks.

  • Sy moves up, Villar enters Forbes list of billionaires
    Sy moves up, Villar enters Forbes list of billionaires

    Eleven Filipinos are included in Forbes’ 2015 list of richest people in the world. Filipino-Chinese tycoon Henry Sy Sr. continues to be the wealthiest man in the Philippines. The 90-year-old SM supermalls, banking and property tycoon ranked 73rd among the world’s richest with an increased net worth of $14.2 billion from $11.4 billion last year. Sy’s net worth was attributed to the continued growth of his SM Investments Corp. and his more recent venture, the City of Dreams Manila resort and …

  • Jolo apologizes to Bong in visit
    Jolo apologizes to Bong in visit

    Cavite Vice Gov. Jolo Revilla wept and embraced his father as he apologized for the “accidental” shooting incident in their Ayala Alabang residence, the family’s spokesman said yesterday. Lawyer Raymund Fortun came out of the private room at the Asian Hospital and Medical Center in Muntinlupa City to speak to reporters, who were barred from entering the hospital compound during the visit of Sen. Ramon “Bong” Revilla Jr. …

  • Australian drug smugglers being taken to Indonesian island for execution - media
    Australian drug smugglers being taken to Indonesian island for execution - media

    By Jane Wardell and Beawiharta SYDNEY/DENPASAR, Indonesia (Reuters) - Two convicted Australian drug smugglers were removed from a prison in Bali on Wednesday to be taken to an Indonesian island where they will be shot by firing squad, Australian media reported. The planned executions of Myuran Sukumaran, 33, and Andrew Chan, 31, have ratcheted up diplomatic tensions amid repeated pleas of mercy for the pair from Australia and thrown a spotlight on Indonesia's increasing use of the death …

  • Another source of SAF execution video identified
    Another source of SAF execution video identified

    The National Bureau of Investigation (NBI) is still tracing the source of the video showing one of the wounded police commandos being finished off by Muslim rebels during the encounter in Mamasapano, Maguindanao last Jan. 25. A source from the Department of Justice (DOJ) said they have identified two persons who first uploaded the video that went viral over social networking sites. The supposed source of the video was elusive and claimed that somebody just placed it on an external drive. The …

  • US billionaire says WWII Japanese ship found in Philippines
    US billionaire says WWII Japanese ship found in Philippines

    Microsoft co-founder Paul Allen said Wednesday he had found one of Japan's biggest and most famous battleships on a Philippine seabed, some 70 years after American forces sank it during World War II. Excited historians likened the discovery, if verified, to finding the Titanic, as they hailed the American billionaire for his high-tech mission that apparently succeeded after so many failed search attempts by others. Allen posted photos and video online of parts of what he said was the …

  • N. Korea fires missiles in anger at South-US military drills
    N. Korea fires missiles in anger at South-US military drills

    North Korea fired two short-range ballistic missiles into the sea and vowed "merciless" retaliation Monday as the US and South Korea kicked off joint military drills denounced by Pyongyang as recklessly confrontational. The annual exercises always trigger a surge in military tensions and warlike rhetoric on the divided peninsula, and analysts saw the North's missile tests as a prelude to a concerted campaign of sabre-rattling. "If there is a particularly sharp escalation, we could see the …

  • Pacquiao big hit so far in Vegas sports books vs Mayweather

    LAS VEGAS (AP) — Manny Pacquiao has always believed he can do what 47 other fighters before him have failed to do — beat Floyd Mayweather Jr. in the ring. …

  • World's oldest person wonders about secret to longevity too
    World's oldest person wonders about secret to longevity too

    TOKYO (AP) — The world's oldest person says 117 years doesn't seem like such a long time. …


Should Aquino be held accountable over the Mamasapano operations?

Poll Choice Options