Sometimes the nipple can become sore and cracked. In this condition breastfeeding can be extremely painful and a quick and fast remedy is needed….

@58: Many many many good points.

@73: I advise you to look at http://michaeljung.wordpress.c.....-11-08-07/ >> Web 2.0 Expo Berlin Presentation - Open Platforms and the Social Graph (David Recordon’s Blog)

I’ve been purposely avoiding writing anything about Google’s new OpenSocial project. Why? Because it had the potential to go in a few different directions and be used different ways, and I wanted the hype to die down before seeing what it…

Think of it similarly to investigative reporting. Would you rather a reporter expose a security hole at an airport or on principal have that information suppressed until a real ‘bad guy’ uses it. There are plenty of real malicious hackers who will use Open Social and any other platform (Hypebook) for a list of real criminal exploits, the simplest of which would be identity theft.

@84 - Absolutely, but who knows if the white hat was the first…probably won’t be the last b/c in Joseph’s defense, security is an endless battle.

Anyway, I have to say congratulations to the Plaxo team for taking the bold move and getting out there first. It takes courage to deal with the possible downsides (you know people like me). Anyway, any press is good right?

גוגל יצאה לפני ימים ספורים את מערכת OpenSocial, אשר תאפשר לבנות מערכות חברתיות בקלות תוך שימוש בסטנדרטים. אך תוך 45 דקות המערכת הראשונה שעשתה שי…

Date: Friday, November 2, 2007
Initial hack: 45 minutes
Vulnerabilities:

Able to change current Emote status for any user
Able to access Emote history and current status for any user
Able to insert HTML, including JavaScript, into Emote pages

Coverag…

Please, if your listening, be smart enough to be humble when hacked. Stating how you are doing things to keep “would-be hackers” out is a great way to encourage them to come after you. If you get caught with your pants down, don’t insult the people who did it. What you write is equivalent to saying “screw you amateurs, bet you can’t do it again because I’m so smart”.

Also, when you say “I want to err on the side of caution” it seems like a bunch of B.S. after your code gets violated and laughed at for not having error checking.

Finally, KISS…learn it especially when publicly responding. You said too much, especially “this stuff is not always easy to keep straight”. Really?? The difference between a “viewer” and “owner”? Wow, Chief Platform Architect…

OpenSocial *is* inherently insecure. It does not take any great hacker to see that. This guy is just getting the publicity for something dozens of developers have noticed over the weekend.

The platform loads an iframe with the visitor id and owner id in the URL. As well as all the owner’s preferences. But there is NO WAY to verify those details. Therefore anything you can do to your own app, you can do to someone else’s install of it. All you need to do is change the visitor id to be the owner id of the page you’re looking at.

Also, because of the way it works, all JS is sent to the iframe for every view. If you’re a visitor to the profile, you get the same JS sent to you as if you’re the app owner going to the canvas view. And you get access to all the same preferences. This means you can do *anything*.

So yes, OpenSocial *is* inherently insecure (and yes, they already know about it .. there’s a fix coming, but no details on what it is and it isn’t going to be in the next few hours.)

I’ve taken down my app until this is all sorted out as it left my users vulnerable