A Look at Ello(dot)co Security Settings and User Accounts

A Look at Ello(dot)co Security Settings and User Accounts

There’s a new social network in town called Ello.co, currently in Beta and invite only. I’ve been trying it out for a few days, and should you take the plunge there’s a few things you should be aware of.

1) Security / Privacy features.

These are currently on the to-do list. I’m not sure if they thought the current invite only community setup would mean less spammers and scammers overall, but for anybody used to the multiple security settings of Twitter, Linkedin and Facebook it might come as a bit of a shock. From the “Upcoming” section:

  • User blocking
  • Inappropriate content flagging
  • Private accounts
  • Private messaging
  • Online / offline user designation

I couldn’t really say what you’re supposed to do if you come across dubious content beyond send somebody an email and see what happens – unless I’ve missed it buried in the handful of icons available, there’s no report function at all (not even for a profile, never mind a single post).

On first use, I found it took me a little while to work out how to reply to another user’s post (don’t laugh), so when private messaging rolls out it will hopefully be very clearly signposted – or else we may see the Ello outbreak equivalent of “Twitter DM fail”.

2) “Verified” accounts.

I don’t think there’s any word yet as to how this will work, but I’m pretty sure the user registered as @Gmail called “Michael Bublé” and sporting a Twilight background isn’t the place to go for breaking Email service updates. On a similar note, we’ve seen “Official” Tumblrs (two so far!), a couple of Facebooks and Twitters….who knows what else might pop up in the next couple of weeks. Are any of these real, or people using the brand names for whatever purpose they see fit?

First up, a slightly sweary “Tumblr Official”:

Tumblr? Uh

Well, I reckon that probably isn’t the real Tumblr. How about this one?

Tumblr, is that you?

I…don’t know. As the site is still in beta and people aren’t really sure how to use it yet, the lack of posted updates prevents us from getting a feel for what’s real and what isn’t.

There’s two “official Twitter” accounts, from the looks of it:

Twitter, is that etc
Well, I'm confused

Parody accounts or the real deal? I checked the Official Twitter feed to see if there was any mention of Ello accounts, but there’s nothing mentioned so far.

I think things are a little clearer on the Linkedin front, given that they mention “local singles in your area”:

Probably not Linkedin

PayPal has been grabbed by somebody (the bottom account in the following screenshot), though there’s zero content on the account so at time of writing there’s no way to tell if what you’re looking at is the real deal or not.

Hmm.

As for Facebook profiles, we’ve seen two so far – an “@officialfacebook” which is reminiscent of the Twitter profile which mentions it in one of the above screenshots, and this one:

Facebook?

There are a number of posts made to the above account, but bizarrely a lot of it is screenshots of aspects from a regular Facebook page. Sponsored adverts, trending, standard messages you’d expect to see in a Facebook feed, all posted up as image files:

FB screenshots

That’s a little peculiar.

A quick search for various celebrities and other brands reveals that many have been snapped up, but only time will tell if they’re real, fake, spam factories, rogue link senders or the soon-to-be battleground for “That name / brand / something else entirely belongs to me, thanks.”

Ello are currently in the process of removing accounts which try to impersonate others, but without some form of visible “this is real” tag for regular users this may well be an uphill struggle. Many social networks rely on the wisdom of the crowds to report bad content, but if they can’t tell fakes from the real thing – and there’s no way to report fakers – then things might not go to well on this front.

Regardless of which social network you’re on, always try and verify the page you’re on is the page you want. In cases where verification isn’t (yet) possible, see if a legitimate account belonging to Brand X on social network 1 has endorsed a new account on social network 2.

Most importantly of all, don’t click links, install files or fill in personal information on sites you’re directed to by accounts you’re not familiar with. And if you are familiar with it but something seems off about the message sent your way, try and check if they’ve been compromised.

You don’t want your social network contacts saying “goodbye” instead of “ello”…

Christopher Boyd (P.S. you can find the official Malwarebytes Ello account here.)

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.