Psychologist John Grohol of Psych Central posts this warning on his site:
I’m off to attend the annual meeting of the American Psychological Association (APA) in San Diego today, but before I go, I do have two APA-related news items to post. The first is about the APA’s social networking application it deployed for this year’s convention, called InPsych. It’s a great idea with one fatal flaw that makes it not only something I suggest you avoid, but something I recommend the APA disable access to immediately.
The idea behind the social networking app is a good one — help people plan their convention schedule and meet up with other psychologists or psychology students while in San Diego. It’s a big convention with over 10,000 attendees every year, so it’s nice to have some way of keeping the information organized and at your fingertips.
Sadly, however, the APA outsourced this application to a third party. And in doing so, they apparently either didn’t review how the application handles security and logins, or reviewed the application and thought that exposing members’ personal information to anyone who’s interested in it is okay. That’s right — anyone can login to your account and view all of the personal information the APA has on file for you (your mailing address, phone number and email address). If you’ve already filled out the demographic form or talks you’d like to attend, they can view that information too.
All of which is readily available by using the 4- or 5-digit code (or any 4 or 5 digits) to login. That’s right — that’s the same 4- or 5-digit code that is helpfully displayed on the front of everybody’s convention badge.
Tomorrow, I’ll discuss how the APA is using an undisclosed technology to track your attendance at the convention.
Read more on PsychCentral.