The damage caused by ViddyHo, as with WeGame, appears limited to embarrassment. Hoan Ton-That, the site's San Francisco-based creator, told me in April that he didn't mean to auto-invite people's entire address books, though the fact that he has a new site with similar ambitions is not heartening. But there's nothing preventing the next ViddyHo from doing more damage, logging passwords and contacts for more sinister purposes.
Like any good scam, social spam exploits our trust—the belief that our friends wouldn't invite us to join a site with bad intentions. Versions of this trick have been around since the height of AOL Instant Messenger's dominance, when I would occasionally get IMs from friends with purported links to articles about Osama Bin Laden's capture. (I clicked on that one.) But the rise of social networking has made these scams even more convincing. I have a feeling most of the victims of the WeGame e-mails were more absent-minded than gullible. We decide we're going to register for some new site and then go into autopilot, typing in whatever we're asked for in the fields. After all, we've done it a thousand times before without incident. (One victim at Wesleyan claims to have been on the phone while absently clicking through the motions and ended up infecting her best friend's mother.)
It's easy to imagine how social spam could wreak real havoc. Imagine a site—vouched for in a friend's e-mail message, naturally—that asks users to provide their e-mail address as a login, then prompts them to set up a password. It would then be elementary for the wicked Web site to check whether this e-mail/password combo opens the user's Webmail account. Considering how often people use the same password for all of their Web transactions, I bet that simple scheme would work a lot of the time. Once the Webmail has been cracked, the wicked Web site could send invitations to everyone in the contact list—and plunder the inbox for valuable goodies like bank account information or Social Security numbers.
If WeGame and its ilk continue to proliferate, it may fall to the Webmail clients to place extra protections on how outside sites can mine contacts. "We don't approve of third-party sites handling their users' information in this way," a Google spokesperson told me, adding that "in some cases we may take more proactive measures to identify and block the spam."
WeGame doesn't actually send mail from users' Gmail accounts—it just sends all of your contacts an e-mail with your name in the subject line. Because of that, the best Google could have done immediately would have been to block e-mail that came from WeGame. In the meantime, a quick, finger-wagging PSA: The rise of social spam is yet another reason to practice safe surfing. Think twice whenever a site asks for your Webmail password. And for the millionth time, don't use the same password for everything.