« Previous post
Next post »

November 5, 2007

OpenSocial Hacked Again

Michael Arrington

47 comments »

The same person who hacked the RockYou OpenSocial application on Plaxo just 45 minutes after it was publicly released is at it again.

This time, he claims to have easily accessed the iLike application on Ning. Specifically, he says he can add and remove songs on users’ playlists. And more damaging, he can also access a user’s friends list in the client-side code. Give him a Ning username and he can give you details on their friends: relationship to user, last date of update, photo, profile creation date and part of their email address.

He’s pulled up Ning co-founder Marc Andreessen’s friend list to prove his point, and shared part of it with me. I won’t be publishing it here, but it shows that he got access to the application.

Total time to hack iLike on Ning: 20 minutes.

As with the RockYou/Plaxo hack, no real damage has been done, but it shows that in the rush to get applications out the door quickly, attention to security may have fallen by the side of the road.

TheHarmonyGuy now has a blog up where he is writing about his hacks of OpenSocial applications. See it here. He notes that RockYou’s application remains unpatched.

More on OpenSocial here.

  • Sphere It

This entry was posted on Monday, November 5th, 2007 at 11:46 pm and is filed under Company & Product Profiles. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Trackbacks/Pings (Trackback URL)

  1. Social Hacking

    November 5th, 2007 at 11:52 pm

  2. Joost To Have Chat Via Meebo  »TechAddress

    November 6th, 2007 at 12:30 am

  3. Marc’s Voice » Blog Archive » And the blogging just keeps on going

    November 6th, 2007 at 1:25 am

  4. On demande »

    November 6th, 2007 at 2:05 am

  5. Ajax in 24 Stunden ||| Handelskraft |||

    November 6th, 2007 at 7:22 am

  6. Tips Dr.com

    November 6th, 2007 at 8:36 am

  7. Welcome to the Open Social

    November 8th, 2007 at 11:47 am

  8. Jonathan Parent - Consultant Analyste Web » Blog Archive » OpenSocial et Android, les deux côtés de la médaille.

    November 9th, 2007 at 7:41 am

  9. Social media futures: Persistant profiles

    March 21st, 2008 at 5:23 am

  10. Memo to OpenSocial: It’s about distribution, stupid! | 20bits

    April 3rd, 2008 at 5:12 pm

Comments

RSS feed for comments on this post.

  1. Mr. Stanley Russell Dudek

    November 6th, 2007 at 12:04 am

    Nice work, TheHarmonyGuy.

  2. * MISS UNIVERSE

    November 6th, 2007 at 12:05 am

    WHAT is the point of doing this??? :-?

    It is so incomprehensible how people can find any incentive to harm and
    publicly embarrass complete strangers who have done NOTHING to them.

    It is not as if someone is hacking privately, then sending a private warning to a developer to help the firm being hacked. This is just trying to make a name and achieve publicity.

    Can we really judge these companies? Can we say we would not be making the same mistakes if we were in their shoes?

  3. theharmonyguy

    November 6th, 2007 at 12:13 am

    http://en.wikipedia.org/wiki/White_hat

    fyi, I have sent notification to the developers with more details. I’m not simply judging the companies - I’m trying to raise awareness about security issues with OpenSocial applications. I was suspicious about aspects of OpenSocial’s security and privacy prior to its release, and now I’m finding some of my fears warranted. I think developers need to be aware of these issues if OpenSocial is going to become widespread.

    I plan on releasing the details of each hack once the applications are patched so that other developers can learn from them.

  4. bhoga

    November 6th, 2007 at 12:13 am

    Hmm……. well done harmony !!
    why have u named urself such….
    u shud have named urself the masterhacker or something like that…….

  5. Michael Arrington

    November 6th, 2007 at 12:16 am

    Miss Universe - Yeah, you got it wrong again. He was very careful to notify Ning and iLike before he contacted me. He also did not want me to publish specific information about Marc, and he also asked for a change to the post to make it the hole less obvious, which I did.

  6. Andrew

    November 6th, 2007 at 12:18 am

    @2 Would you rather someone catch the mistake early on and let the developers fix it…or would you rather login one day to find that there is only one song on your play list that tells the world your like orally pleasuring dogs?

  7. Mr. Stanley Russell Dudek

    November 6th, 2007 at 12:18 am

    @2.
    I don’t think this is done maliciously; who has he harmed and/or embarrassed?

  8. .LA Fan

    November 6th, 2007 at 12:23 am

    Well, it’s hard to feel sorry for Google when you consider that they are operating a site at HTTP://WWW.GOOGLE.LA/ under the “Country of Laos” banner while this url has been licensed by LA Names Corporation (HTTP://WWW.WWW.LA/) for more than four years for the “City of Los Angeles”. Doesn’t this go against their Mission Statement???

  9. Martin Porcheron

    November 6th, 2007 at 12:24 am

    “OpenSocial Hacked Again” is misleading - if a Facebook Application were hacked, would you say “Facebook Hacked”. No, it’s an OpenSocial Application, developed by someone other than Google which is implied with this title.

  10. theharmonyguy

    November 6th, 2007 at 12:28 am

    @8: A fair point. Except that in this case (unlike RockYou), the hack for accessing friend data may be related to Ning’s implementation of OpenSocial, not iLike’s coding. I’m not positive on this point, but it certainly appears that way.

  11. Alex

    November 6th, 2007 at 12:29 am

    @theharmonyguy

    Well at least Plaxo should be thrilled. It took you 45 minutes to hack there app where it only took you 20 minutes and a cup of coffee to hack Ning.

    Didn’t I tell you’d be receiving job offers. You should set up a way to charge everyone of these companies $100 to spend one hour of your time to see if you can hack the offering. How about you and I go into business together, eh.

  12. Adam Benayoun

    November 6th, 2007 at 12:33 am

    @2 - The harmon guy did that not to embarass people but obviously because there’s some agenda here.

    i would say the agenda is:

    1) help the social community and developer patching their applications.
    2) Prove/Show that sometimes people tend to rush their development or their integration for the sake of some PR only to find out they made their userbase totally vulnerable.
    3) Maybe to get some recognition, but this is completely understandable.

    Kudos to TheHarmonGuy, for being decent, for sharing this info with the containers and developers and for sharing this with other user via TC, really make me think we made the right choice when waiting a little bit longer before thinking about integrating open Social.

    http://www.octabox.com

  13. Florian Cervenka

    November 6th, 2007 at 12:45 am

    Isn’t OpenSocial all about sharing data :P ? Why would people be so egoistic and want to keep their friends-list, emails and credit-card info to themselves?

  14. Dedos

    November 6th, 2007 at 1:03 am

    @we need people like the theharmonyguy this is the only way to evolve and created better platforms for the future…………. hey!!! most company’s pay for the type of Jon he is find problems….. the only other comment will be for the theharmonyguy to find some solutions to the problems he is finding, if he can do that a GOOD JOB offer will show up………………..

    great topic

  15. Dan Lester

    November 6th, 2007 at 1:54 am

    I am also able to call up a list of Marc Andreessen’s friends. Here is how to do it:

    1. Go to http://www.facebook.com
    2. Enter ‘Marc Andreessen’ in the search box
    3. Click View Friends

    Alright, it sounds like Mike’s in the loop, and I’m willing to take to take his word that Ning have confirmed the problem… Just thought I’d point out a slight problem with the ‘proof’, though!

  16. Damon Billian

    November 6th, 2007 at 1:55 am

    I think some organization needs to hire this guy to find holes in their security. He/she is obviously very good at what they do.

  17. agnieszka

    November 6th, 2007 at 2:29 am

    Of course companies prefer found security issues to be resolved in private, but making public such findings stimulates quicker action to resolve issues. [ I’m not referencing Ning specifcally, btw.]

    Whether the hacker has a private agenda or not is not really relevant here.

    Good post.

  18. theharmonyguy

    November 6th, 2007 at 2:45 am

    @15: And what about users who have chosen to keep their friends list private? Also, I don’t think you’ll see any portions of e-mail addresses in that list.

    @All: Confirmed that the friends list issue relates to Ning’s OpenSocial implementation, not iLike code. Details: http://theharmonyguy.com/2007/.....mentation/

  19. pedro

    November 6th, 2007 at 3:00 am

    I think what theharmonyguy is showing is that opensocial provides innumerous opportunities for abuse by unscrupulous developers.
    It’s great to live in a pink candy world where everyone is nice an information is used mostly to provide targeted ads, but imagine how this could be used in countries with repressive regimes, where governments don’t respect human rights? what could they do with access to their citizen’s reading preferences, for example? people get tortured and killed in many countries for reading the wrong sort of book.

  20. theharmonyguy

    November 6th, 2007 at 4:34 am

    The friends list issue may not be as serious as it sounds (or as I thought) - see update: http://theharmonyguy.com/2007/.....mentation/

  21. loaverman

    November 6th, 2007 at 6:39 am

    cool

  22. smurf

    November 6th, 2007 at 7:54 am

    lol, thats ridiculously funny!

  23. .LA Fan

    November 6th, 2007 at 9:14 am

    Correction:

    When I stated “url” in my prior post, I meant “Dot-LA Domain Extension”. Several companies/individuals have registered Dot-LA domains. Just insert “site:.la” into Google’s search box and you’ll see for yourself just how many websites are operating in this domain space for the City of Los Angeles and the LA area. Google’s attempt to operate a website at http://www.google.la/ under the “County of Laos” banner is nothing more than an attempt to confuse the users.

  24. www.meetingflex.com

    November 6th, 2007 at 9:50 am

    Hey,

    Why is this guy so bent on hacking …opensocial ..instead of using his knowledge to write some productive components for opensocial.

    http://www.meetingflex.com
    Social Networking + Video - Crap

  25. James D Kirk

    November 6th, 2007 at 10:37 am

    Wasn’t it written in that prior piece that theHarmonyGuy had admitted to not being “that” good of a hacker? If that’s the case, then I think we should all definitely take our hats off to someone who is clearly publishing his findings for the good of moving OpenSocial forward, and not just wreaking havoc because he can. You can be assured for this one fellow, there are likely 100 more out there that have WAY more skills and can do WAY more damage (maybe not now, but as the apps become more complex and touch more data) than the eHarmonyGuy ( ;) ) I say keep it theHarmonyGuy (could you just not hack my container and apps when I get them going. I’m a little shy!)

  26. James D Kirk

    November 6th, 2007 at 10:39 am

    I say keep it up (apologies for second post! Install an edit your own post function, MA!)

  27. Uhhh

    November 6th, 2007 at 10:50 am

    @24: http://www.meetingflex.com is a piece of garbage with zero redeeming qualities. Choose a different profession.

  28. brij

    November 6th, 2007 at 11:22 am

    @19 what has this got to do with repressive governments ?? and for your kind information, rest of the world is not in such a bad shape as you think it is. so far so, that those guys don’t even care (rather know) about open social.
    so you better keep your philanthropy out of this.

  29. Gina Bianchini

    November 6th, 2007 at 1:01 pm

    Hey All -

    At Ning, we take security seriously. We are also committed to giving people the freedom to experiment and use new technologies, even in their early stages.

    With respect to this specific issue, we’ve temporary taken down our support of Gadgets for the next few hours (~11am PST) while we patch this hole.

    I’d also underscore that adding OpenSocial Gadgets to your social network on Ning is *entirely optional* and we are rapidly and proactively iterating and improving our OpenSocial support daily.

    Once we have it fixed, I’ll come back over here and post an update.

    Thanks!

  30. Fabricio

    November 6th, 2007 at 2:22 pm

    Not to dismiss HarmonyGuy’s work or anything, I really believe it is important to scrutinize and test eventual flaws of this alpha stage apis before it matures to a good freezing stage… but the friend lists on Ning were always public information available to anyone through the existing REST APIs.

  31. Nic

    November 6th, 2007 at 2:28 pm

    OK peeps, the simple fact is that right now anyone writing an OpenSocial gadget is doing so using at most 2/3 of an API because the rest is not finished yet. Part of what is not finished yet is the user authentication functions which will apparently be in the data API.

    I think it is pretty cool that people are out there now showing the sorts of things that will be possible with the OpenSocial framework but anyone putting it onto a live site with live data should probably think twice until the whole API is available. Until then it is fairly straightforward to spoof your identity and pretend to be a gadget’s owner.

    Hacking these prototype apps might be kinda fun but its hardly rocket science, I don’t think theharmonyguy would claim otherwise. Any developer who has spent an hour or more thinking through the API specs has long since realised that with the data API missing there really is no security at all. Once the data API is published then maybe we can all look at it and decide if its security model is adequate, until then I’m not sure what anyone is proving with these “hacks”.

    Nic

  32. Gina Bianchini

    November 6th, 2007 at 9:46 pm

    As promised, a quick update here. We just reinstated support for Gadgets and only the feeds that should be there now are. Thanks!

  33. Darvititsing Lallengerizes

    November 6th, 2007 at 9:52 pm

    Great bug testing I guess for them. They released it a little too early.

  34. Clement

    November 6th, 2007 at 11:40 pm

    Nice work TheHarmonyGuy, but what is your motive?Fame?

  35. Cerebro

    November 7th, 2007 at 10:37 am

    Daqui a pouco a Google vai ser hackeada também!!
    ahuhauhuhauhauha
    E vai sobrar apenas eu e o Pink para dominar o mundo!

  36. Mr Universe

    November 7th, 2007 at 1:44 pm

    I can’t believe some of you are taking Miss Universe seriously. Obviously it’s just some wanker intentionally saying stupid things. No one would be really that stupid to think Harmony guy is a malicious hacker and also be a techcrunch reader.

  37. The Dude Dean

    November 19th, 2007 at 4:32 pm

    These applications need to be hardened a bit before release.

« Previous post
Next post »