November 2, 2007

First OpenSocial Application Hacked Within 45 Minutes

Michael Arrington


It didn’t take long for someone to hack the first OpenSocial application. In fact, it took just 45 minutes.

A developer who goes by the alias “theharmonyguy” and describes himself as “just an amateur” claims to have compromised the RockYou OpenSocial application on Plaxo called emote (see the Plaxo blog for details on the application). Specifically, he claims to have added a number of emoticons to Plaxo VP Marketing John McCrea’s profile within 45 minutes of it launching.

In an email, McCrea said he added all of the emoticons himself and his account doesn’t appear to be hacked. But when I asked theharmonyguy to hack my Plaxo account he did, within minutes, adding four quick emoticon messages such as “michael arrington is getting my bling on” and “michael arrington is w00t” (see image to left, none of those were added by me). theharmonyguy then added one more to McCrea’s account, which will be difficult for him to deny:

theharmonyguy also pointed out specific problems with RockYou’s code, including some fairly humorous comments:

Some interesting code in there. For one, the app still doesn’t seem to be live for most of us (John McCrea from Plaxo has used it somehow) - it currently loads a “Please wait” iframe that never changes. But check out these code comments:

// TODO: no error checking - we're bold...
// TODO: figure out why this is necessary???

Also, the code constantly branches between Plaxo and “default,” which appears to be Orkut. In fact, there are some hardcoded names that I bet showed up in some OpenSocial screenshots somewhere:

if (getContainerType() == "orkut")
{
    friendIds[iNumFriends] = "11285577331363942034";
    friendNames[iNumFriends] = "Raymond Chan";
    iNumFriends = iNumFriends + 1;

    friendIds[iNumFriends] = "15479081059638046412";
    friendNames[iNumFriends] = "Jia Shen";
    iNumFriends = iNumFriends + 1;
}

theharmonyguy says he’s successfully hacked Facebook applications too, including the Superpoke app, but that it is more difficult:

Facebook apps are not quite this easy. The main issue I’ve found with Facebook apps is being able to access people’s app-related history; for instance, until recently, I could access the SuperPoke action feed for any user. (I could also SuperPoke any user; not sure if they’ve fixed that one. Finally, I can access all the SuperPoke actions - they haven’t fixed that one, but it’s more just for fun.) There are other apps where, last I checked, that was still an issue (e.g. viewing anyone’s Graffiti posts).

But the way Facebook set up their platform, it’s tons harder to actually imitate a user and change profile info like this. I’m sure this kind of issue could be easily solved by some verification code on RockYou’s part, but it’s not inherent in the platform - unlike Facebook. I could do a lot more like this on FB if Facebook hadn’t set things up the way they did.

Oh, Facebook apps can also be prone to injection - I can insert any FBML I want onto the canvas pages of one popular app. But once again, I can’t really do anything, because to interface with the app requires me to have code related to that app, which isn’t generally available. Not sure if Google’s iframe implementation will be the same way.

Of course, the ability to change emoticons isn’t a particularly malicious hack; but the ease with which this was done suggests that Google has some work to do in getting its new platform stable. If they don’t, more damaging stuff may be on the way.

Update: Joseph Smarr, Plaxo’s Chief Platform Architect, says he has taken the application down for now:

Hi, just caught this thread now. Michael - thanks for the info. It does look like something isn’t quite working right. While I suspect it’s benign, e.g. some of the rockyou code not distinguishing between the “owner” and the “viewer” of the gadget (this stuff is not always easy to keep straight), I want to err on the side of caution, so I’m going to de-white-list the gadget for now.

As is, we’re maintaining a strict white-list so we don’t have any random would-be hackers messing around, and the platform itself is still a work in progress. Hopefully the benefit of seeing some real working OpenSocial code in production is worth bearing with a few kinks that need to get ironed out.


Comments

Hey, Michael. I did not claim that all the edits were mine. It took me a while to find the area where the hacks had happened. Indeed, you are correct that changes were made that I did not make. We are now de-white-listing the app. Unfortunate, but not unexpected. Platforms are targets for hackers. That is life. The question is whether they can rapidly evolve to thwart the threats.

 

Kinda scary but kinda awesome at the same time… I’m so torn!

 

Plax-o sux-o.

 

btw John, no harm intended - you were the only other person who I knew had the app installed, and I was only testing the new platform to see if this was possible.

Just sent you a message via Plaxo with details on how the hack works.

 

NOT FACEBOOK!
FaceBook backed by MS is the real thing baby!

http://fakesteveballmer.blogspot.com

 

Congrats to the Plaxo guys for getting the OpenSocial hack out so fast. Things like this are bound to happen when you are…

//insert something meaning *ahead of early adopters here*.

As Joseph said, getting something out early is worth the risk.

Cheers,
Todd

 

// TODO: no error checking - we’re bold…

THAT is truly f-ing classic!

 
 

This is a serious issue that I’ll be elaborating on more on my existing blog and one that is about to launch next week ;)

In discussions with one executive today, I was talking about the implications of the new OpenSocial platform and who has access to the data being passed between applications.

The OpenSocial platform has some serious security vulnerabilities (as displayed in this article). JavaScript is inherently a more risky language to be exposing and this is why Facebook has been so hesitant to completely open up to JavaScript. You can bet that when Google launches an API in 1 month there will be serious issues.

That is not to say that OpenSocial will not become the standard but there are serious hurdles ahead. I’m excited to see how this pans out.

 

The Facebook and OpenSocial platforms are not inherently insecure, they just require some competency on the part of developers when it comes to securing their applications. The problem is that most developers these days are not competent in that area. People would be scared if they knew how many security breaches there have been at the major Web 2.0 sites that have not been made public.

 

The sad thing about this is that the hacker is getting all the publicity he craves.

We should avoid the temptation to turn him into a hero - he committed an immoral act and should be sued.

One successful suit would make them think twice. :-(

 

theharmonyguy,

Very cool! Your approach was not to destroy…. John McCrea and the Plaxo team should be sending you a job offer immediately….BUT, Google will beat them to the punch by Sunday night. Please update us who contacts you with job offers.

 
PublicBroadcastChannel - November 2nd, 2007 at 10:54 pm PDT

Miss Universe, you sound like Miss South Carolina

 

@6: I agree too - better to catch these things now rather than later.

@10: True, but from my limited experience, the Facebook Platform is designed more securely. FB’s design prevents several problems that come from poor coding practices - not all, but some big ones. OpenSocial doesn’t appear to have those same safeguards.

@11: You may not believe me, but I’m not craving publicity - I didn’t know what Michael would post before it appeared, and I honestly just expected a one-sentence credit. I’m not trying to be a hero, and while admittedly this probably wasn’t the best way to break the story, I don’t think it’s lawsuit-worthy. Like I told John, I was just proving a point, not trying to do anything immoral.

@12: lol, thanks for the kind words, but I highly doubt I’ll get any offers. Like I said, I’m an amateur.

 

“We should avoid the temptation to turn him into a hero - he committed an immoral act and should be sued.”

Apparently you have zero experience in IT security.

Heh, thanks for the good laugh.

 

Wow, that’s incredible and fast - you know, I know a great site; this will help you and your families with knowledge. Share the knowledge and prosper.

http://www.elementsof123.wordpress.com

 

#11 - what he did was free consulting for RockYou.

 

Ok, I think everyone needs to push their chairs away from their desks and try something new and invigorating like… hmmm, let’s see… how about we just start with WALKING?

What a riot.

Sam

 

hacker person - good job! nice ugc. software is always flawed on release even when sending man to moon. code needs hours of transactions to cure. see hobbs meter.

 

Miss Universe,

if we would start hunting people who are just trying to point at something that’s not right we would live in a world of lies.

btw.. better be happy that he is presumably one of the good guys among that special branch of engineers. What would have happened if malicious (st00p1d) people had found the bug first (or later).

Thanks to him websites do get better, not worse.

However.. McCrea’s denial was a bad move, marketing-wise. “Admit and react” is way cooler and shows that you care and know your stuff.

jm2c

 

But that’s why they call it social media. People ascribe emotions to you. It’s supposed to work that way. No?

 

“There are other apps where, last I checked, that was still an issue ( e.g. viewing anyone’s Graffiti posts).”

I just checked again, and this problem may have been fixed - it certainly has been with Graffiti. After noticing the issue in several apps, I contacted Facebook about it, so they may have updated things in the last few weeks (haven’t stayed current on all the dev updates). fyi.

 

OpenSocial: Let’s party in Web 2.0 like it’s 1984.

 

@ theharmonyguy : Glad to see it’s released in such a way so that they can fix it ASAP.

 

@theharmonyguy - good job on discovering the weakness of OpenSocial, it was just a matter of time, but at least you did it in a moral manner.

Please contact me or provide me ways to contact you.
Thanks,

http://www.octabox.com

 

Like to see some details. This looks more like it’s RockYou’s amateur code that is at fault. Not the platform.

What do you expect from a company that brags about completing an app in a weekend?

 

Given that OpenSocial was just launched it was just a matter of time, and the fact that it uses JS and HTML just makes it easier to inject external code. The good thing about this is that the open nature of the API allows for rapidly identifying and fixing security holes. Kudos to theharmonyguy for being the first to succeed. I am sure the job offers are pouring your way now.

 

Great so for the next few months all we are going to be seeing is Opensocial Vs Facebook crap for everyother writeup on TC.

Surely someone out there must have the contacts to start a blog to return to what TC originally was? If you have one let me know. I’ll subscribe.

TC is starting to suck

 

#20 - I spoke with McCrea tonight after this post. He actually didn’t know it was hacked at the time he said it wasn’t. But he immediately added Joseph to the email string anyway (see update in post). Overall, they handled this quickly and professionally, and it wasn’t even their code.

 

Interesting post and comments….!

Is OpenSocial too easy to use…?
Is there a problem at the Platform side or at the API side?

Cheers,
Raxit

 

Hey MA-TC and THG

Show us something like this on orkut.

Thats the only thing us novices use

Tech For Novices

 
 

Maybe I’m completely off the mark here, but doesn’t the Open Social platform execute the widget’s JavaScript within the container’s site (e.g. RockYou’s JS from within plaxo.com).

How are security issues going to be controlled? That opens up the container site to all kinds of XSS attacks. It seems to me that the container site will need to introduce a white list and personally perform an audit of all widget code. If that’s the case then the platform isn’t very open at all.

 
 

Josh: I believe OpenSocial apps execute within an iframe in a different domain from the parent page. The iframe acts like a sandbox without direct access to the calling page.

Having said that, there are still a range of XSS attacks that can be performed when you can make arbitrary javascript calls, even within a sandbox. Maybe OpenSocial parses any js embedded in the apps, to stop these attacks.

 

Hackers should be employed for better security products.

http://tekno-world.blogspot.com

 

Good lesson to those who want to be ahead in this social game.

 

I think an answer that’s “I didn’t see it at first” coming from a Google exec is quite preposterous. If someone said there’s a burglar in the house, I don’t just check if my dog knew about it.

 

um, is it not illegal for you to ask someone to compromise a system?

 

@39. Isn’t that what white hat hackers are for?

 

#11- You mean “immoral” like linking to copyrighted videos, sneaking cameras into events where they are not allowed, and hosting your “site” on Tripod?

 
 

@* MISS UNIVERSE

“We should avoid the temptation to turn him into a hero - he committed an immoral act and should be sued.”

Thanks for the laugh. You clearly don’t have much of a handle on reality.

 

Hats off to Plaxo for being an early user of OpenSocial … that was fast….

bugs and hacks are a part of software development life…

http://www.meetingflex.com
Social Network + Video - Crap

 

I agree with Rajeev on comment #36, they can expose any issue on security and can learn a lot .

Nat
http://www.workersinc.com

 

Every start has some road bumps. But at least these were addressed right away. It’s not unexpected.

Rex

 

Yep, I thought we’d see some problems with XSS and security but not this soon.

Just wait until there is a serious personal data spill or the first trojan OpenSocial application.

But ultimately most of these problems will be resolved. But the short term will be interesting.

My full take on OpenSocial here:

http://web2.socialcomputingmag....._opens.htm

 
 

Omg it is hack time so let the hackaton begin! Dont even try to hack my app dude! lol Nice job there theharmoney

 

@ theharmonyguy: Just throwing out a random, shameless and impulsive comment/question: Let me know if you’ve got any interest in talking about combining your technical skills with my FB, OpenSocial and standalone social ideas. Cheers, chrisco PS: I’m an American based in Sweden (they love hackers over here!)

 

Good job “theharmonyguy”!

I’m always proud of hackers ;)

 

facebook search is down

 

One of the main drawbacks of being “Open” is that anyone can hack in and some of the many benefits of being “Open” is that anyone can fix it and it usually gets fixed quite quickly.

Imagine a world where the fix required a thirty page change order.

 

It was a Rockyou application and Rockyou have written some pretty poor facebook applications in the past - one of their apps spams a user’s feed all the time, and claims you did an action to somebody when you did no such thing. So I’d imagine hacking a Rockyou application isn’t exactly a tough challenge, but at least facebook lets you cut yourself off from a rogue app - I’d like to know if opensocial lets you do the same.

 
 

Hey theharmonyguy,

I am quite impressed with your skills and your genuine nature in not seeking publicity, but pointing out the code flaws. We are a company that is based in Redwood Shores and are experimenting out various Web 2.0 startup ideas (though some are heading towards Web 3.0). We are looking for a great web developer to join us in this effort and I would love to talk to you regarding this opportunity, if you are interested. I am the founder and CEO of http://www.cruxle.com, the video search startup company that is still in stealth mode and the founder and CEO of another startup company called http://www.labs20.com, where we experiment several startup ideas. We are looking for developers for both companies and I would like to talk to you regarding these opportunities. Please contact me at balaji@labs20.com, if you are interested.

I look forward to hearing from you.

Thanks
Balaji

 

That’s 3 job offers the guy has gotten so far, in this _thread_ alone.

I gotta start breaking and entering more often! =D

 

Just to clarify some issues people have been discussing…

I did hack a RockYou application, and there were issues with their coding that allowed me to do so. It’s not like I hacked Plaxo or somehow hacked OpenSocial itself.

But as the post points out, I doubt my hack would have worked on a Facebook application because of features in the FB Platform’s design. Examples include the “secret” key for verifying application code and the session parameters that provide a user context for every application request. Those safeguards are absent from OpenSocial. In other words, the design of OpenSocial (from my perspective) makes it much easier to take advantage of code flaws. So while this particular hack dealt with RockYou’s code, I think it also highlights some issues with OpenSocial that may need to be addressed.

I’ve wondered since the first OpenSocial announcement how they’d deal with malicious HTML/JavaScript. I had to learn about things like injection attacks when I worked on a forum script - you simply can’t allow full HTML/JavaScript. That’s one of the reasons (there are a few others) for extensions like FBML and FBJS - they restrict what kind of code is executed on Facebook. I hope the discussion of OpenSocial will be a little more realistic now - not to say that OpenSocial’s bad, I just think it’s been hyped too much.

Furthermore, I wanted to get people talking about the security implications of OpenSocial’s design. Simon Willison has already mentioned another one: the widgets run in iframes, so there’s a potential for malicious frame-busting. Also, this afternoon I figured out that, using another injection technique, I could insert arbitrary HTML into Emote pages, including an iframe. Once again, this is also possible with some Facebook apps, but without the safeguards of the FB Platform, I think there’s more potential for abuse.

Finally, this all will hopefully raise people’s awareness of security/privacy issues with social apps/widgets in general. Since they deal with personal data and have a viral component to them (anyone remember “samy is my hero”?), they have to be very secure. I’m actually surprised there haven’t been any malicious Facebook applications so far (though I’m sure they’d be dealt with swiftly). I think people are getting a little too free in letting applications have their personal data - developers need to be very careful.

And as a sidenote… With all the recent hype about OpenSocial, I would have expected a much smoother launch. Things like the comments in RockYou’s code make me wonder if OpenSocial and the first batch of apps were really ready for primetime or if Google rushed things out the door to keep ahead of Facebook. Last night I couldn’t get a single application to work in Orkut, and I never saw Emote running on a Plaxo page. Plaxo pointed out that the API is at 0.5, and some hosts are reportedly months away from launching. OpenSocial may end up being as grand as some people have made it out to be, but it’s still got a ways to go in terms of actual use.

 

Hey, I know there is a ton of interest in seeing the OpenSocial stuff. On my blog I’ve got some coverage of the Open Social “Open Social” at Plaxo HQ last evening, including a link to a video that shows several OpenSocial apps running live in Plaxo Pulse. Here you go: http://therealmccrea.wordpress.....en-social/

 

Interesting how the tides can change. One day Google is the talk of town w/their transformative OpenSocial platform, the next day they’re looking not so savvy when an amateur hacker easily hacks the system.

Now the question arises does it make sense for users to maintain centrally located profile data ala Google Opensocial when it might be safer distributed among niche-specific social apps..

 

Having a “strict white list” is not a way to prevent hackers from getting access to your platform, as Smarr asserts. It’s a way for short-sighted corporate executives to retain the illusion of control.

 

@60 OpenSocial is not a social network or a central repository for profile data, it is only a set of method names (an API) that is open and supported by a bunch of social network providers. It is a list of rules that someone has to follow to perform (or allow others to) a basic common set of actions like “get a list of friends” usernames or “publish a string in the activity feed of that user”. The data is not centrally located, it is distributed among several providers and platforms, much like the internet itself.

 

Now that’s hilarious. Like a 0-Day hack!

 

Good. I guess Google didn’t do their homework on this one. It proves a point that just because it’s from Google it doesn’t mean it’s good or secure. If they can leave a security hole in something like this then they can do it with other products as well.

 

I want to start a social news site.. any advice?.. is there a better application than Facebook?

 

@ 64. Rob Bazinet

Dude, you really don’t have a clue on what this is about. Let me lay it out for you in a nice analogy.

Someone puts razorblades in baby food, you blame the grocery store.

 

Oh.. and ehm.. sorry theharmonyguy for making you look like someone who puts razorblades into baby food :)

 

Anything that’s “open” is dangerous!
When you are “open” you are dependent upon the kindness of strangers.

http://fakesteveballmer.blogspot.com

 

nah, just a press move.

 

@66 hahahahaha man thats exactly how this looks like but it is kinda hype!

 

Love it or hate it, thanks to theharmonyguy for reminding everyone that people are trying (and succeeding) in hacking social apps.

Waiting now for some hackthisapp app. It would be nice to have an app that strengthens the technical side of social computing, by making developers of small apps use security and giving them a chance to explore security weak spots.

 

@microkid,

Why don’t you come back once you get some real experience and explain yourself better.

Are you trying to explain to me this is not a Google problem? Umm….get a clue dude.

 

@62, …so they say, but from a business perspective, their ambitions are much higher. Why should ‘write once read anywhere’ only apply to applications? From a user perspective having a central profile repository vs multiple profiles makes total sense. And from a biz perspective…well the possibilities are endless.

..the only question is the issue of trust and reliability.

 

In today’s world the hacker is more tech savvy than the developer.

 

@73
Sorry nemrut, but from a user perspective having a central profile repository makes any sense. People don’t want their suicidegirls data in linkedIn or their real gender on world of warcraft, or their activity feed from facebook on deviant art, or the same avatar picture from flickr or mix.epicfu on slashdot.

The only ones interested in a central profile (or people search for that matter) are totalitarian governments and tech crunch readers.

 

So I’m a 29yo child and adolescent psychiatrist in fellowship with the organizational answer for your points fabricio using dynamic psychiatric principles applied to snp development. I just can’t get anyone’s attention. How do I go about entering discussions and getting the ear of someone that matters?

 
 
 

#10: Not Surprising

OpenSocial *is* inherently insecure. It does not take any great hacker to see that. This guy is just getting the publicity for something dozens of developers have noticed over the weekend.

The platform loads an iframe with the visitor id and owner id in the URL. As well as all the owner’s preferences. But there is NO WAY to verify those details. Therefore anything you can do to your own app, you can do to someone else’s install of it. All you need to do is change the visitor id to be the owner id of the page you’re looking at.

Also, because of the way it works, all JS is sent to the iframe for every view. If you’re a visitor to the profile, you get the same JS sent to you as if you’re the app owner going to the canvas view. And you get access to all the same preferences. This means you can do *anything*.

So yes, OpenSocial *is* inherently insecure (and yes, they already know about it .. there’s a fix coming, but no details on what it is and it isn’t going to be in the next few hours.)

I’ve taken down my app until this is all sorted out as it left my users vulnerable.

 
 

This is good for competition, more apps being made quicker and quicker gives users options.

 

To Joseph Smarr (Plaxo’s “Chief Platform Architect”):

Please, if you’re listening, be smart enough to be humble when hacked. Stating how you are doing things to keep “would-be hackers” out is a great way to encourage them to come after you. If you get caught with your pants down, don’t insult the people who did it. What you write is equivalent to saying “screw you amateurs, bet you can’t do it again because I’m so smart”.

Also, when you say “I want to err on the side of caution” it seems like a bunch of B.S. after your code gets violated and laughed at for not having error checking.

Finally, KISS…learn it especially when publicly responding. You said too much, especially “this stuff is not always easy to keep straight”. Really?? The difference between a “viewer” and “owner”? Wow, Chief Platform Architect…

 

@82 - Maybe you didn’t notice, it was not Plaxo’s code, it was a 3rd party app that used OpenSocial APIs on Plaxo. Now perhaps we can blame Google for allowing this to happen in the API or Plaxo for jumping in with both feet on a new API, but the code is all RockYou’s fault.

 

But isn’t it better that a white hat hacker discovers the security bugs than a black hat one does it? So they can fix the bugs and secure their systems.

 

It’s not the growing pains we need to be worried about, those will happen. If in a few months ‘amateur hackers’ are still running wild, then I’ll start worrying…

 

@83 - Perhaps, but I believe Plaxo still had to implement the APIs on their servers so their data could be accessed. With this in mind, I imagine there would be ways to bolster security, server-side. Finally, I am not going to get into a technical discussion, but there are ways of securing your Javascript functions as well. Obfuscation at the least might have made Plaxo less likely to be the first cracked. In the end, this news will leave the minds of those who care, and those who care aren’t the end users at this point.

@84 - Absolutely, but who knows if the white hat was the first…probably won’t be the last b/c in Joseph’s defense, security is an endless battle.

Anyway, I have to say congratulations to the Plaxo team for taking the bold move and getting out there first. It takes courage to deal with the possible downsides (you know people like me). Anyway, any press is good right?

 

@11: The fact that you can’t differentiate between malicious hacking and humorous investigative hacking shows that you’re a moron. Would it be better if no benign hacking happened? this guy clearly exposed a security hole which can now be fixed. Instead of their idiotic initial denials Plaxo can now fix their code, which obviously was shipped too early under the pressure of some business moron that Arrington adores.

Think of it similarly to investigative reporting. Would you rather a reporter expose a security hole at an airport or on principle have that information suppressed until a real ‘bad guy’ uses it. There are plenty of real malicious hackers who will use Open Social and any other platform (Hypebook) for a list of real criminal exploits, the simplest of which would be identity theft.

 

That was a smooth reply from the architect but it sounds more like they had white-listed real hackable code as opposed to “real working” code.

 

@60: Data isn’t stored centrally on Google’s servers. They still belong and are stored where they come from, where they are fetched from - like your music list from iLike on your MySpace profile. All the iLike data comes from the iLike servers.

@58: Many many many good points.

@73: I advise you to look at http://michaeljung.wordpress.c.....-11-08-0