Use your < > keys to browse more stories

Hong Kong’s Zorpia: Is This a Real Social Network or Just a Spammer? [UPDATE]

zorpiaI first came across Zorpia a couple months ago, when I got an email saying that a friend — we’ll call him Mike — had “left me a private message” on the service. That seemed unlikely, but I wrote it off as random spam and forgot about it, until last week when I got a similar email, ostensibly with a private message from my wife. My mother got the same email. I checked with my wife, who admitted she’d clicked a link in an email from Zorpia, but denied ever having set up an account, let alone sent any private messages. Something seemed very odd. I vowed to dig deeper.

Zorpia, it turns out, is a startup founded and run by Jeffrey Ng and based in Hong Kong. Launched all the way back in the early days of MySpace, Zorpia began as a social network that would facilitate unlimited photo sharing. Over time, Ng says, it has evolved into a service that’s more focused on helping people make new friends (he likens it to a digital bar or a town hall). It has also built up a very substantial base of registered users, growing from just 1.5 million users in 2005 to around 28 million users today, although just one million are monthly active users. Most of those users are in Asia, Ng tells me, and the service is especially popular in India, with over ten million registered users.

When I asked about user acquisition, Ng told me the site used a variety of techniques, mostly based around people inviting their friends. I explained about the emails I had gotten from my friend and my wife and asked Ng to explain why I was getting messages from people suggesting they had left me private messages on Zorpia when they clearly hadn’t. He told me he’d look into it, and but was never able to satisfactorily explain how that had happened.

To get to the bottom of things, it was clear that I needed to sign up for a Zorpia account myself. And so I did. As with all test accounts that I create for work, though, I used none of my real information, opened the account via a browser I don’t normally use, and registered using a unique email address created specifically for that test account.

Things looked bad pretty much immediately. On the account activation page, I noticed that three hyperlinks users might expect would lead to help pages or a “resend email” prompt actually redirect users to sketchy free-survey sites that seem an awful lot like scams.

zorpia-activation-page

(Ng confirmed that the links are there intentionally as advertising, but said that Zorpia has no control over what the links lead to as it varies based on the user’s geographical location UPDATE: Ng says that he was referring to the site’s banner ads, and that there should not be text-linked ads on the authentication page. “We simply do not understand how those links could appear on the screenshot you provided unless there was tampering,” he says. However, as evidenced by the screenshot above, they did appear when I activated my account.)

Once I logged in to my new account, I found another surprise: Zorpia was worried about my password security. A banner across the top of the screen blared that my password was “more than six months old.” Given that the password is one I’d never used before and had created only moments before, I was not expecting this. (Ng told me the message appeared to be a bug; however, as of this writing it has not been fixed UPDATE: Ng says the bug is now fixed.). But I ignored it because as you can see in the screenshots below, I had two new messages.

zorpia-says-password-old copy

When I opened my messages, one of them was the boilerplate welcome greeting you’d expect from the Zorpia team. The other was an absolute shock. There sitting in my inbox just a minute after I first opened this account, was a message from my real life friend “Mike”:

what-how-does-it-know-that

That’s when I started getting goosebumps. That’s also when I double-checked with “Mike” to be sure he hadn’t somehow sent me a message — he hadn’t — but frankly, even if he had wanted to, it should have been impossible. I didn’t use my real name, my real email, my usual browser, or any real information about myself when setting up either the Zorpia account or the email account it is attached it. I also hadn’t told “Mike” I was planning to set up a test account of my own, and we live thousands of miles apart. It would have been nearly impossible for him to find my account even if he had wanted to in a sea of more than 28 million registered accounts. And of course, when that message was sent, he wasn’t using Zorpia anyway. He says he has never used Zorpia.

Zorpia CEO Jeffrey Ng told me that this was “very odd,” and that he’d have his tech team look into it. While I waited, I was thinking about Occam’s razor. How likely was it that some convoluted bug could randomly link two people who actually know each other from among the site’s nearly 30 million members? How likely was it that “Mike” could have found my account in the first place even if it was really him sending the message? The simplest explanation seemed to be that somehow (possibly through my IP address, which I foolishly forgot to obscure), Zorpia had linked my test account to my real identity, and then confirmed that I knew “Mike” through the access it apparently has to his email contacts list.

When Ng got back to me, he confirmed that that was indeed what had happened. Although I was using a separate browser to do everything related to Zorpia, I did load the “confirm account” page with my default browser once by accident because it is what opened when I clicked the account activation link. Previously, I had used the same browser only to unsubscribe from Zorpia emails — I have no Zorpia account — but nevertheless Zorpia apparently used the cookies from that interaction to connect my real identity (and thus my friendship with “Mike”) to my new test account.

Ng told me that when a friend joins, the system automatically sends them a private message from their friends already on Zorpia welcoming them. So, even though my new email couldn’t possibly have been listed in “Mike’s” contacts, his account automatically sent me a private message without his knowledge simply because I happened to once use a browser that once previously had been associated with unsubscribing from the spam emails Zorpia was sending me on his behalf.

After he explained this, even Ng admitted that this was a bit beyond the pale:

We do realize this comes off as creepy and poses a potential security threat to the user. Therefore we have disabled Zorpia from using cookie to store friend relationships already.

But he still wasn’t able to explain how Mike’s contacts — and my wife’s — got into Zorpia in the first place. Both deny having intentionally provided them to the service, and while Ng stops short of calling either of them a liar, he doesn’t seem to be able to explain how it could have happened otherwise:

From your friends’ experience, it seems like they simply do not recall they have added any friends on Zorpia. We will review our process and address this issue.

UPDATE: Ng says: “Zorpia is not a spam social network that auto-enrolls accounts,” and maintains that my wife and friend proactively invited their friends to join the service, pointing to server logs that apparently reflect this. Both my wife and “Mike” continue to deny having intentionally invited anyone.

My friends are not the only ones having a similar experience though. Although PandoDaily covered the startup last year and didn’t mention the problems it seems to have with emailing people who aren’t signed up for it, there are complaints about this dating back to 2009 at least. Each of the words in the previous sentence links to a different person complaining about being auto-enrolled in Zorpia or having their contacts list spammed by the service, and I found all of these quite easily and quickly via Google (where there are plenty more to be found if you want to go hunting). It seems like an awful lot of people have the same apparent amnesia Ng is suggesting my friends have when it comes to handing their contact list over to Zorpia.

UPDATE: Zorpia responds: “With 28 million registered users on Zorpia, we do not think a few hundred complaints online is statistically significant to merit an overall conclusion that Zorpia is a spam social network which auto-enroll accounts. Even if we assume there were 500 complaints, that represents a complaint to user ratio of only 0.0018%.”

Ultimately, though, the only way to be sure was to do another, more complicated test. After deleting all the cookies in both my browsers, I connected to my VPN (to obscure my IP) and opened up two new gmail and Facebook accounts, called ‘Zorpia Test1′ and ‘Zorpia Test2′. I made sure that the two were friends, and had a history of emailing back and forth. Then, I signed Zorpia Test1 up for a Zorpia account. I authenticated this account using both the Zorpia Test1 Facebook and Zorpia Test1 gmail accounts, but I never invited any friends (Ng had told me that all non-user friends needed to be invited manually by the user). I loaded the Zorpia “Add Friends” section once to be sure that the social network saw my connection with the ‘Zorpia Test2′ account, but I unchecked the name and backed out of the “add friends” dialog. I did not invite the Zorpia Test2 account as a friend or sign it up for a Zorpia account. Then, I waited.

And sure enough, within a couple days, the Zorpia Test2 account was getting messages from Zorpia. In fact, the Zorpia Test2 account somehow acquired its own Zorpia account! In the email below, you can see the welcome message I received about an account I never signed up for, using a username that defied the naming conventions I had set up for this test.

UPDATE: Zorpia says its server logs prove that I did accidentally sign up Zorpia Test2 for an account, and since I didn’t record video of my testing process, I cannot prove that I didn’t.

For me, the question of whether Zorpia is a real social network has been more or less put to bed. For a ten-year-old social network, there are simply way too many “bugs” here, and almost all of these “bugs” seem to result in non-users getting messages aimed at tricking them into joining the network. If years of online complaints haven’t changed the company’s ways, it’s unlikely this article will be any different.

So, unfortunately, I’ve got to say this: if you’re getting messages from Zorpia, your best bet is to click “mark as spam” and move on with your life. Zorpia, from what I can tell, is less a social network and more a mirage, an illusion designed to cajole and trick you into visiting so it can earn a few cents more from its ubiquitous advertisements. Abandon all hope, ye who enter here. This is social networking hell.



Facebook Conversation

comments

Tags:

Did you enjoy this article? Consider becoming a TiA Premium subscriber. At $9.99/month, TiA Premium brings you exclusive access to our weekly newsletter, a one-page roundup of each week’s must-read Asia tech news from all over the web. TiA Premium also brings you exclusive deals and discounts that make your subscription pay for itself. Click here to find out more.