The same person who hacked the RockYou OpenSocial application on Plaxo just 45 minutes after it was publicly released is at it again.
This time, he claims to have easily accessed the iLike application on Ning. Specifically, he says he can add and remove songs on users’ playlists. More damaging, the client-side code also exposes a user’s friends list. Give him a Ning username and he can give you details on their friends: relationship to the user, last date of update, photo, profile creation date and part of their email address.
He’s pulled up Ning co-founder Marc Andreessen’s friend list to prove his point, and shared part of it with me. I won’t be publishing it here, but it shows that he got access to the application.
Total time to hack iLike on Ning: 20 minutes.
As with the RockYou/Plaxo hack, no real damage has been done, but it shows that in the rush to get applications out the door quickly, attention to security may have fallen by the side of the road.
TheHarmonyGuy now has a blog up where he is writing about his hacks of OpenSocial applications. See it here. He notes that RockYou’s application remains unpatched.
Nice work, TheHarmonyGuy.
WHAT is the point of doing this???
It is so incomprehensible how people can find any incentive to harm and publicly embarrass complete strangers who have done NOTHING to them.
It is not as if someone is hacking privately, then sending a private warning to a developer to help the firm being hacked. This is just trying to make a name and achieve publicity.
Can we really judge these companies? Can we say we would not be making the same mistakes if we were in their shoes?
http://en.wikip.../wiki/White_hat
fyi, I have sent notification to the developers with more details. I’m not simply judging the companies – I’m trying to raise awareness about security issues with OpenSocial applications. I was suspicious about aspects of OpenSocial’s security and privacy prior to its release, and now I’m finding some of my fears warranted. I think developers need to be aware of these issues if OpenSocial is going to become widespread.
I plan on releasing the details of each hack once the applications are patched so that other developers can learn from them.
Hmm… well done, Harmony!!
Why have you named yourself such…
You should have named yourself the master hacker or something like that…
Miss Universe – Yeah, you got it wrong again. He was very careful to notify Ning and iLike before he contacted me. He also did not want me to publish specific information about Marc, and he also asked for a change to the post to make the hole less obvious, which I did.
@2 Would you rather someone catch the mistake early on and let the developers fix it… or would you rather log in one day to find that there is only one song on your playlist that tells the world you like orally pleasuring dogs?
@2.
I don’t think this is done maliciously; who has he harmed and/or embarrassed?
Well, it’s hard to feel sorry for Google when you consider that they are operating a site at HTTP://WWW.GOOGLE.LA/ under the “Country of Laos” banner while this url has been licensed by LA Names Corporation (HTTP://WWW.WWW.LA/) for more than four years for the “City of Los Angeles”. Doesn’t this go against their Mission Statement???
“OpenSocial Hacked Again” is misleading – if a Facebook application were hacked, would you say “Facebook Hacked”? No, it’s an OpenSocial application, developed by someone other than Google, which is what this title implies.
@8: A fair point. Except that in this case (unlike RockYou), the hack for accessing friend data may be related to Ning’s implementation of OpenSocial, not iLike’s coding. I’m not positive on this point, but it certainly appears that way.
@theharmonyguy
Well, at least Plaxo should be thrilled. It took you 45 minutes to hack their app, whereas it only took you 20 minutes and a cup of coffee to hack Ning.
Didn’t I tell you you’d be receiving job offers? You should set up a way to charge every one of these companies $100 for one hour of your time to see if you can hack the offering. How about you and I go into business together, eh?
@2 – The Harmony guy did that not to embarrass people but obviously because there’s some agenda here.
I would say the agenda is:
1) Help the social community and developers patch their applications.
2) Prove/show that sometimes people tend to rush their development or their integration for the sake of some PR, only to find out they made their user base totally vulnerable.
3) Maybe to get some recognition, but this is completely understandable.
Kudos to TheHarmonyGuy for being decent, for sharing this info with the containers and developers and for sharing this with other users via TC. It really makes me think we made the right choice in waiting a little bit longer before thinking about integrating OpenSocial.
http://www.octabox.com
Isn’t OpenSocial all about sharing data? Why would people be so egoistic and want to keep their friends list, emails and credit-card info to themselves?
We need people like theharmonyguy; this is the only way to evolve and create better platforms for the future… Hey!!! Most companies pay for the type of job he is doing, finding problems… The only other comment would be for theharmonyguy to find some solutions to the problems he is finding. If he can do that, a GOOD JOB offer will show up…
great topic
I am also able to call up a list of Marc Andreessen’s friends. Here is how to do it:
1. Go to http://www.facebook.com
2. Enter ‘Marc Andreessen’ in the search box
3. Click View Friends
Alright, it sounds like Mike’s in the loop, and I’m willing to take his word that Ning have confirmed the problem… Just thought I’d point out a slight problem with the ‘proof’, though!
I think some organization needs to hire this guy to find holes in their security. He/she is obviously very good at what they do.
Of course companies prefer found security issues to be resolved in private, but making such findings public stimulates quicker action to resolve issues. [I’m not referencing Ning specifically, btw.]
Whether the hacker has a private agenda or not is not really relevant here.
Good post.
@15: And what about users who have chosen to keep their friends list private? Also, I don’t think you’ll see any portions of e-mail addresses in that list.
@All: Confirmed that the friends list issue relates to Ning’s OpenSocial implementation, not iLike code. Details: http://theharmo...implementation/
I think what theharmonyguy is showing is that OpenSocial provides innumerable opportunities for abuse by unscrupulous developers.
It’s great to live in a pink candy world where everyone is nice and information is used mostly to provide targeted ads, but imagine how this could be used in countries with repressive regimes, where governments don’t respect human rights. What could they do with access to their citizens’ reading preferences, for example? People get tortured and killed in many countries for reading the wrong sort of book.
The friends list issue may not be as serious as it sounds (or as I thought) – see update: http://theharmo...implementation/
cool
lol, that’s ridiculously funny!
Correction:
When I stated “url” in my prior post, I meant “Dot-LA Domain Extension”. Several companies/individuals have registered Dot-LA domains. Just insert “site:.la” into Google’s search box and you’ll see for yourself just how many websites are operating in this domain space for the City of Los Angeles and the LA area. Google’s attempt to operate a website at http://www.google.la/ under the “County of Laos” banner is nothing more than an attempt to confuse the users.
Hey,
Why is this guy so bent on hacking OpenSocial instead of using his knowledge to write some productive components for OpenSocial?
http://www.meetingflex.com
Social Networking + Video – Crap
Wasn’t it written in that prior piece that theHarmonyGuy had admitted to not being “that” good of a hacker? If that’s the case, then I think we should all definitely take our hats off to someone who is clearly publishing his findings for the good of moving OpenSocial forward, and not just wreaking havoc because he can. You can be assured that for this one fellow, there are likely 100 more out there who have WAY more skills and can do WAY more damage (maybe not now, but as the apps become more complex and touch more data) than the eHarmonyGuy. I say keep it theHarmonyGuy (could you just not hack my container and apps when I get them going. I’m a little shy!)
I say keep it up (apologies for second post! Install an edit your own post function, MA!)
@24: http://www.meetingflex.com is a piece of garbage with zero redeeming qualities. Choose a different profession.
@19 What has this got to do with repressive governments?? And for your kind information, the rest of the world is not in such bad shape as you think it is. So much so that those guys don’t even care about (or rather, know about) OpenSocial.
So you’d better keep your philanthropy out of this.
Hey All –
At Ning, we take security seriously. We are also committed to giving people the freedom to experiment and use new technologies, even in their early stages.
With respect to this specific issue, we’ve temporarily taken down our support for Gadgets for the next few hours (~11am PST) while we patch this hole.
I’d also underscore that adding OpenSocial Gadgets to your social network on Ning is *entirely optional* and we are rapidly and proactively iterating and improving our OpenSocial support daily.
Once we have it fixed, I’ll come back over here and post an update.
Thanks!
Not to dismiss HarmonyGuy’s work or anything; I really believe it is important to scrutinize and test for eventual flaws in these alpha-stage APIs before they mature to a good freezing stage… but the friend lists on Ning were always public information, available to anyone through the existing REST APIs.
OK peeps, the simple fact is that right now anyone writing an OpenSocial gadget is doing so using at most 2/3 of an API, because the rest is not finished yet. Part of what is not finished yet is the user authentication functions, which will apparently be in the data API.
I think it is pretty cool that people are out there now showing the sorts of things that will be possible with the OpenSocial framework, but anyone putting it onto a live site with live data should probably think twice until the whole API is available. Until then it is fairly straightforward to spoof your identity and pretend to be a gadget’s owner.
Hacking these prototype apps might be kinda fun, but it’s hardly rocket science; I don’t think theharmonyguy would claim otherwise. Any developer who has spent an hour or more thinking through the API specs has long since realised that with the data API missing there really is no security at all. Once the data API is published then maybe we can all look at it and decide if its security model is adequate; until then I’m not sure what anyone is proving with these “hacks”.
Nic
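Nic’s point above, that a gadget backend which simply believes a client-asserted viewer id has no authentication at all, as an added example (editor’s code, not Ning’s, iLike’s or the OpenSocial project’s): a friends endpoint that trusts the `viewer` parameter next to one that only honours parameters the container has signed with a shared secret. The user names, the per-user `friends_public` flag and the secret are constructed for the demonstration, and HMAC signing here stands in for whatever the real data API ended up specifying.

```python
import hashlib
import hmac
import json

# Constructed sample data: the container's friends store, with a per-user flag
# standing in for "keep my friends list private".
FRIENDS = {
    "alice": {"friends": ["bob", "carol"], "friends_public": True},
    "bob":   {"friends": ["alice"],        "friends_public": False},
}

# Hypothetical secret shared between the container and the gadget backend.
CONTAINER_SECRET = b"constructed-demo-secret-do-not-reuse"


def naive_friends_endpoint(params):
    """Trusts the client-supplied viewer id: any request that says viewer=bob
    is treated as coming from bob, so a private list is one parameter away."""
    viewer = params.get("viewer")
    owner = params.get("owner")
    record = FRIENDS.get(owner)
    if record is None:
        return {"error": "unknown owner"}
    if record["friends_public"] or viewer == owner:
        return {"friends": record["friends"]}
    return {"error": "forbidden"}


def _canonical(params):
    # Unambiguous serialisation of the parameters being signed (sorted keys,
    # no whitespace), so signer and verifier hash exactly the same bytes.
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def sign_request(params, secret=CONTAINER_SECRET):
    """Container side: the container knows who is logged in, fills in viewer
    and owner itself, and attaches an HMAC over the canonical parameters."""
    sig = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    return {**params, "sig": sig}


def verify_signature(params, secret=CONTAINER_SECRET):
    """Gadget backend side: recompute the HMAC over everything except 'sig'
    and compare in constant time. Any edited or missing field fails."""
    given = params.get("sig")
    if not isinstance(given, str):
        return False
    unsigned = {k: v for k, v in params.items() if k != "sig"}
    expected = hmac.new(secret, _canonical(unsigned), hashlib.sha256).hexdigest()
    return hmac.compare_digest(given, expected)


def signed_friends_endpoint(params):
    """Same access rule as the naive endpoint, but the viewer identity is
    only used once the container's signature vouches for it."""
    if not verify_signature(params):
        return {"error": "unauthenticated"}
    return naive_friends_endpoint(params)


if __name__ == "__main__":
    # Self-asserted identity: accepted by the naive endpoint as-is.
    print(naive_friends_endpoint({"viewer": "bob", "owner": "bob"}))
    # The same unsigned parameters are refused by the signed endpoint.
    print(signed_friends_endpoint({"viewer": "bob", "owner": "bob"}))
    # A request the container actually signed for bob is served.
    print(signed_friends_endpoint(sign_request({"viewer": "bob", "owner": "bob"})))
```

The signature binds the parameters to the container, not the request to a moment in time; a production design would also include a nonce or timestamp in the signed fields so that a captured signed request cannot be replayed, which this example deliberately leaves out to keep the identity point visible.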
As promised, a quick update here. We just reinstated support for Gadgets and only the feeds that should be there now are. Thanks!
Great bug testing I guess for them. They released it a little too early.
Nice work TheHarmonyGuy, but what is your motive? Fame?
Soon Google will be hacked too!!
ahuhauhuhauhauha
And only Pink and I will be left to rule the world!
I can’t believe some of you are taking Miss Universe seriously. Obviously it’s just some wanker intentionally saying stupid things. No one would be really that stupid to think Harmony guy is a malicious hacker and also be a techcrunch reader.
These applications need to be hardened a bit before release.
good