It didn’t take long for someone to hack the first OpenSocial application. In fact, it took just 45 minutes.
A developer who goes by the alias “theharmonyguy” and describes himself as “just an amateur” claims to have compromised the RockYou OpenSocial application on Plaxo called emote (see the Plaxo blog for details on the application). Specifically, he claims to have added a number of emoticons to Plaxo VP Marketing John McCrea’s profile within 45 minutes of it launching.
In an email, McCrea said he added all of the emoticons himself and his account doesn’t appear to be hacked. But when I asked theharmonyguy to hack my Plaxo account he did, within minutes, adding four quick emoticon messages such as “michael arrington is getting my bling on” and “michael arrington is w00t” (see image to left; none of those were added by me). theharmonyguy then added one more to McCrea’s account, which will be difficult for him to deny:

theharmonyguy also pointed out specific problems with RockYou’s code, including some fairly humorous comments:
Some interesting code in there. For one, the app still doesn’t seem to be live for most of us (John McCrea from Plaxo has used it somehow) – it currently loads a “Please wait” iframe that never changes. But check out these code comments:
// TODO: no error checking – we’re bold…
// TODO: figure out why this is necessary???
Also, the code constantly branches between Plaxo and “default,” which appears to be Orkut. In fact, there are some hardcoded names that I bet showed up in some OpenSocial screenshots somewhere:
if (getContainerType() == "orkut")
{
    friendIds[iNumFriends] = "11285577331363942034";
    friendNames[iNumFriends] = "Raymond Chan";
    iNumFriends = iNumFriends + 1;
    friendIds[iNumFriends] = "15479081059638046412";
    friendNames[iNumFriends] = "Jia Shen";
    iNumFriends = iNumFriends + 1;
}
theharmonyguy says he’s successfully hacked Facebook applications too, including the Superpoke app, but that it is more difficult:
Facebook apps are not quite this easy. The main issue I’ve found with Facebook apps is being able to access people’s app-related history; for instance, until recently, I could access the SuperPoke action feed for any user. (I could also SuperPoke any user; not sure if they’ve fixed that one. Finally, I can access all the SuperPoke actions – they haven’t fixed that one, but it’s more just for fun.) There are other apps where, last I checked, that was still an issue ( e.g. viewing anyone’s Graffiti posts).
But the way Facebook set up their platform, it’s tons harder to actually imitate a user and change profile info like this. I’m sure this kind of issue could be easily solved by some verification code on RockYou’s part, but it’s not inherent in the platform – unlike Facebook. I could do a lot more like this on FB if Facebook hadn’t set things up the way they did.
Oh, Facebook apps can also be prone to injection – I can insert any FBML I want onto the canvas pages of one popular app. But once again, I can’t really do anything, because to interface with the app requires me to have code related to that app, which isn’t generally available. Not sure if Google’s iframe implementation will be the same way.
Of course, the ability to change someone else’s emoticons isn’t a particularly malicious hack; but the ease with which this was done suggests that Google has some work to do in getting its new platform stable. If they don’t, more damaging stuff may be on the way.
Update: Joseph Smarr, Plaxo’s Chief Platform Architect, says he has taken the application down for now:
Hi, just caught this thread now. Michael-thanks for the info. It does look like something isn’t quite working right. While I suspect it’s benign, e.g. some of the rockyou code not distinguishing between the “owner” and the “viewer” of the gadget (this stuff is not always easy to keep straight), I want to err on the side of caution, so I’m going to de-white-list the gadget for now.
As is, we’re maintaining a strict white-list so we don’t have any random would-be hackers messing around, and the platform itself is still a work in progress. Hopefully the benefit of seeing some real working OpenSocial code in production is worth bearing with a few kinks that need to get ironed out.
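The failure mode Smarr suspects, a gadget that does not keep the profile “owner” and the page “viewer” apart, is easy to reproduce in miniature. The following is an added example, not RockYou’s, Plaxo’s or Google’s code: a toy in-memory container that hands a gadget an owner id and a viewer id (the real OpenSocial API exposes the same two roles as opensocial.DataRequest.PersonId.OWNER and VIEWER; everything else here, the function names, the profile data and the ids, is constructed for the illustration). One handler writes an emote to whichever profile the gadget is rendered on, so a visitor’s click lands on the owner; the fixed handler refuses unless viewer and owner are the same user, and the container’s write path enforces the same rule so that a sloppy gadget cannot act on a third party’s behalf.

```javascript
// Added example, not code from the page. Models the OWNER/VIEWER confusion that
// lets a visitor edit the profile owner's data in an OpenSocial-style gadget.

// Constructed sample profiles: 1001 is the profile being viewed, 2002 is a visitor.
function freshProfiles() {
  return {
    "1001": { name: "owner", emotes: [] },
    "2002": { name: "viewer", emotes: [] },
  };
}

// Hypothetical stand-in for the container. A real container tells the gadget
// which profile page it is rendered on (OWNER) and who is looking at it (VIEWER);
// the two differ whenever someone browses another person's page.
function makeContainer(profiles, ownerId, viewerId) {
  return {
    getOwnerId: () => ownerId,
    getViewerId: () => viewerId,

    // Trusting write: stores to whatever target the gadget names.
    // This is the kind of path a "no error checking - we're bold" gadget relies on.
    writeAppDataTrusting(targetId, emote) {
      profiles[targetId].emotes.push(emote);
      return true;
    },

    // Checked write: the container only lets the authenticated viewer write to
    // their own data, regardless of what the gadget asks for.
    writeAppDataChecked(targetId, emote) {
      if (targetId !== viewerId) return false;
      profiles[targetId].emotes.push(emote);
      return true;
    },
  };
}

// Vulnerable handler: conflates "the profile I am drawn on" with "the user who
// clicked", so any visitor's click is stored on the owner's profile.
function addEmoteVulnerable(container, text) {
  const target = container.getOwnerId(); // wrong identity for a visitor
  return container.writeAppDataTrusting(target, text);
}

// Fixed handler: only the owner may edit their own page, and the write goes
// through the container's checked path, so both layers enforce the rule.
function addEmoteFixed(container, text) {
  if (container.getViewerId() !== container.getOwnerId()) return false; // visitor: read-only
  return container.writeAppDataChecked(container.getViewerId(), text);
}

// Walks both handlers through the "visitor on someone else's page" case and the
// "owner on their own page" case, returning what ended up on the owner's profile.
function runScenario() {
  const profiles = freshProfiles();

  // A visitor (2002) loads owner 1001's page and clicks "add emote".
  const visitor = makeContainer(profiles, "1001", "2002");
  const vulnerableWrote = addEmoteVulnerable(visitor, "is w00t");
  const fixedRefused = addEmoteFixed(visitor, "is w00t") === false;
  // Even if a gadget mis-targets, the checked write path rejects the request.
  const containerRefused = visitor.writeAppDataChecked("1001", "bling") === false;

  // The owner (1001) on their own page: the fixed handler allows the edit.
  const self = makeContainer(profiles, "1001", "1001");
  const ownerWrote = addEmoteFixed(self, "is getting my bling on");

  return {
    vulnerableWrote,
    fixedRefused,
    containerRefused,
    ownerWrote,
    ownerEmotes: profiles["1001"].emotes.slice(),
  };
}

module.exports = { freshProfiles, makeContainer, addEmoteVulnerable, addEmoteFixed, runScenario };
```

The point of the second check inside the container is that the gadget is untrusted code running for whoever installed it; a container that trusts the target id the gadget supplies has delegated its own authorization to the least careful developer on the platform.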
Hey, Michael. I did not claim that all the edits were mine. It took me a while to find the area where the hacks had happened. Indeed, you are correct that changes were made that I did not make. We are now de-white-listing the app. Unfortunate, but not unexpected. Platforms are targets for hackers. That is life. The question is whether they can rapidly evolve to thwart the threats.
Kinda scary but kinda awesome at the same time… I’m so torn!
Plax-o sux-o.
btw John, no harm intended – you were the only other person whom I knew had the app installed, and I was only testing the new platform to see if this was possible.
Just sent you a message via Plaxo with details on how the hack works.
NOT FACEBOOK!
FaceBook backed by MS is the real thing baby!
http://fakestev...er.blogspot.com
Congrats to the Plaxo guys for getting the OpenSocial hack out so fast. Things like this are bound to happen when you are…
//insert something meaning *ahead of early adopters here*.
As Joseph said, getting something out early is worth the risk.
Cheers,
Todd
// TODO: no error checking – we’re bold…
THAT is truly f-ing classic!
Todd – I agree 100%
This is a serious issue that I’ll be elaborating on more on my existing blog and one that is about to launch next week
In discussions with one executive today, I was talking about the implications of the new OpenSocial platform and who has access to the data being passed between applications.
The OpenSocial platform has some serious security vulnerabilities (as displayed in this article). JavaScript is inherently a more risky language to be exposing and this is why Facebook has been so hesitant to completely open up to JavaScript. You can bet that when Google launches an API in 1 month there will be serious issues.
That is not to say that OpenSocial will not become the standard but there are serious hurdles ahead. I’m excited to see how this pans out.
The Facebook and OpenSocial platforms are not inherently insecure, they just require some competency on the part of developers when it comes to securing their applications. The problem is that most developers these days are not competent in that area. People would be scared if they knew how many security breaches there have been at the major Web 2.0 sites that have not been made public.
The sad thing about this is that Hacker is getting all the publicity he craves.
We should avoid the temptation to turn him into a hero – he committed an immoral act and should be sued.
One successful suit would make them think twice.
theharmonyguy,
Very cool! Your approach was not to destroy…. John McCrea and the Plaxo team should be sending you a job offer immediately….BUT, Google will beat them to the punch by Sunday night. Please update us who contacts you with job offers.
Miss Universe, you sound like Miss South Carolina
@6: I agree too – better to catch these things now rather than later.
@10: True, but from my limited experience, the Facebook Platform is designed more securely. FB’s design prevents several problems that come from poor coding practices – not all, but some big ones. OpenSocial doesn’t appear to have those same safeguards.
@11: You may not believe me, but I’m not craving publicity – I didn’t know what Michael would post before it appeared, and I honestly just expected a one-sentence credit. I’m not trying to be a hero, and while admittedly this probably wasn’t the best way to break the story, I don’t think it’s lawsuit-worthy. Like I told John, I was just proving a point, not trying to do anything immoral.
@12: lol, thanks for the kind words, but I highly doubt I’ll get any offers. Like I said, I’m an amateur.
“We should avoid the temptation to turn him into a hero – he committed an immoral act and should be sued.”
Apparently you have zero experience in IT security.
Heh, thanks for the good laugh.
wow, that’s incredible and fast – you know, I know a great site; this will help you and your families with knowledge – share the knowledge and prosper
http://www.elem...3.wordpress.com
#11 – what he did was free consulting for RockYou.
Ok, I think everyone needs to push their chairs away from their desks and try something new and invigorating like… hmmm, let’s see… how about we just start with WALKING?
What a riot.
Sam
Hacker person – good job! Nice UGC. Software is always flawed on release, even when sending a man to the moon. Code needs hours of transactions to cure. See Hobbs meter.
Miss Universe,
if we started hunting people who are just trying to point at something that’s not right, we would live in a world of lies.
btw.. better be happy that he is presumably one of the good guys among that special branch of engineers. What would have happened if malicious (st00p1d) people had found the bug first (or later)?
Thanks to him websites do get better, not worse.
However.. McCrea’s denial was a bad move, marketing-wise. “Admit and react” is way cooler and shows that you care and know your stuff.
jm2c
But that’s why they call it social media. People ascribe emotions to you. It’s supposed to work that way. No?
“There are other apps where, last I checked, that was still an issue ( e.g. viewing anyone’s Graffiti posts).”
I just checked again, and this problem may have been fixed – it certainly has been with Graffiti. After noticing the issue in several apps, I contacted Facebook about it, so they may have updated things in the last few weeks (haven’t stayed current on all the dev updates). fyi.
OpenSocial: Let’s party in Web 2.0 like it’s 1984.
@ theharmonyguy : Glad to see it’s released in such a way so that they can fix it ASAP.
@theharmonyguy – good job on discovering the weakness of OpenSocial, it was just a matter of time, but at least you did it in a moral manner.
Please contact me or provide me ways to contact you.
Thanks,
http://www.octabox.com
Like to see some details. This looks more like it’s RockYou’s amateur code that is at fault. Not the platform.
What do you expect from a company that brags about completing an app in a weekend?
Given that OpenSocial was just launched it was just a matter of time, and the fact that it uses JS and HTML just makes it easier to inject external code. The good thing about this is that the open nature of the API allows for rapidly identifying and fixing security holes. Kudos to theharmonyguy for being the first to succeed. I am sure the job offers are pouring your way now.
Great so for the next few months all we are going to be seeing is Opensocial Vs Facebook crap for everyother writeup on TC.
Surely someone out there must have the contact to start a blog to return to what TC originally was? If you have one let me know. I’ll subscribe.
TC is starting to suck
#20 – I spoke with McCrea tonight after this post. He actually didn’t know it was hacked at the time he said it wasn’t. But he immediately added Joseph to the email string anyway (see update in post). Overall, they handled this quickly and professionally, and it wasn’t even their code.
Interesting post and comments….!
Is OpenSocial too easy to use…?
Is there a problem at the Platform side or at the API side?
Cheers,
Raxit
Hey MA-TC and THG
Show us something like this on orkut.
That’s the only thing us novices use
Tech For Novices
HAHA
Maybe I’m completely off the mark here, but doesn’t the OpenSocial platform execute the widget’s JavaScript within the container’s site (e.g. RockYou’s JS from within plaxo.com)?
How are security issues going to be controlled? That opens up the container site to all kinds of XSS attacks. It seems to me that the container site will need to introduce a white list and personally performs an audit of all widget code. If that’s the case then the platform isn’t very open at all.
Josh: I believe OpenSocial apps execute within an iframe in a different domain from the parent page. The iframe acts like a sandbox without direct access to the calling page.
Having said that, there are still a range of XSS attacks that can be performed when you can make arbitrary javascript calls, even within a sandbox. Maybe OpenSocial parses any js embedded in the apps, to stop these attacks.
Hackers should be employed for better security products.
http://tekno-wo...ld.blogspot.com
Good lesson to those who want to be ahead in this social game.
I think an answer that’s “I didn’t see it at first” coming from a Google exec is quite preposterous. If someone said there’s a burglar in the house, I don’t just check if my dog knew about it.
um, is it not illegal for you to ask someone to compromise a system?
@39. Isn’t that what white hat hackers are for?
#11- You mean “immoral” like linking to copyrighted videos, sneaking cameras into events where they are not allowed, and hosting your “site” on Tripod?
omfg hax
@* MISS UNIVERSE
“We should avoid the temptation to turn him into a hero – he committed an immoral act and should be sued.”
Thanks for the laugh. You clearly don’t have much of a handle on reality.
Hats off to Plaxo for being an early user of OpenSocial …that was fast….
bugs and hacks are a part of software development life…
http://www.meetingflex.com
Social Network + Video – Crap
I agree with Rajeev on comment #36, they can expose any issue on security and can learn a lot .
Nat
http://www.workersinc.com
Every start has some road bumps. But at least these were addressed right away. It’s not unexpected.
Rex
Yep, I thought we’d see some problems with XSS and security but not this soon.
Just wait until there is a serious personal data spill or the first trojan OpenSocial application.
But ultimately most of these problems will be resolved. But the short term will be interesting.
My full take on OpenSocial here:
http://web2.soc...ogles_opens.htm
How ’social’ are the networks in OpenSocial?
http://ryanmerk...-in-opensocial/
Omg it is hack time so let the hackathon begin! Don’t even try to hack my app dude! lol Nice job there theharmonyguy
@ theharmonyguy: Just throwing out a random, shameless and impulsive comment/question: Let me know if you’ve got any interest in talking about combining your technical skills with my FB, OpenSocial and standalone social ideas. Cheers, chrisco PS: I’m an American based in Sweden (they love hackers over here!)