First OpenSocial Application Hacked Within 45 Minutes
Michael Arrington
Nov 2, 2007

It didn’t take long for someone to hack the first OpenSocial application. In fact, it took just 45 minutes.

A developer who goes by the alias “theharmonyguy” and describes himself as “just an amateur” claims to have compromised the RockYou OpenSocial application on Plaxo called emote (see the Plaxo blog for details on the application). Specifically, he claims to have added a number of emoticons to Plaxo VP Marketing John McCrea’s profile within 45 minutes of it launching.

In an email, McCrea said he added all of the emoticons himself and his account doesn’t appear to be hacked. But when I asked theharmonyguy to hack my Plaxo account he did, within minutes, adding four quick emoticon messages such as “michael arrington is getting my bling on” and “michael arrington is w00t” (see image to left, none of those were added by me). theharmonyguy then added one more to McCrea’s account, which will be difficult for him to deny:

theharmonyguy also pointed out specific problems with RockYou’s code, including some fairly humorous comments:

Some interesting code in there. For one, the app still doesn’t seem to be live for most of us (John McCrea from Plaxo has used it somehow) – it currently loads a “Please wait” iframe that never changes. But check out these code comments:

// TODO: no error checking – we’re bold…
// TODO: figure out why this is necessary???

Also, the code constantly branches between Plaxo and “default,” which appears to be Orkut. In fact, there are some hardcoded names that I bet showed up in some OpenSocial screenshots somewhere:

if (getContainerType() == "orkut")
{
    friendIds[iNumFriends] = "11285577331363942034";
    friendNames[iNumFriends] = "Raymond Chan";
    iNumFriends = iNumFriends + 1;

    friendIds[iNumFriends] = "15479081059638046412";
    friendNames[iNumFriends] = "Jia Shen";
    iNumFriends = iNumFriends + 1;
}

theharmonyguy says he’s successfully hacked Facebook applications too, including the Superpoke app, but that it is more difficult:

Facebook apps are not quite this easy. The main issue I’ve found with Facebook apps is being able to access people’s app-related history; for instance, until recently, I could access the SuperPoke action feed for any user. (I could also SuperPoke any user; not sure if they’ve fixed that one. Finally, I can access all the SuperPoke actions – they haven’t fixed that one, but it’s more just for fun.) There are other apps where, last I checked, that was still an issue (e.g. viewing anyone’s Graffiti posts).

But the way Facebook setup their platform, it’s tons harder to actually imitate a user and change profile info like this. I’m sure this kind of issue could be easily solved by some verification code on RockYou’s part, but it’s not inherent in the platform – unlike Facebook. I could do a lot more like this on FB if Facebook hadn’t set things up the way they did.

Oh, Facebook apps can also be prone to injection – I can insert any FBML I want onto the canvas pages of one popular app. But once again, I can’t really do anything, because to interface with the app requires me to have code related to that app, which isn’t generally available. Not sure if Google’s iframe implementation will be the same way.

Of course, the ability to change emoticons isn’t a particularly malicious hack; but the ease with which this was done suggests that Google has some work to do in getting its new platform stable. If they don’t, more damaging stuff may be on the way.

Update: Joseph Smarr, Plaxo’s Chief Platform Architect, says he has taken the application down for now:

Hi, just caught this thread now. Michael-thanks for the info. It does look like something isn’t quite working right. While I suspect it’s benign, e.g. some of the rockyou code not distinguishing between the “owner” and the “viewer” of the gadget (this stuff is not always easy to keep straight), I want to err on the side of caution, so I’m going to de-white-list the gadget for now.

As is, we’re maintaining a strict white-list so we don’t have any random would-be hackers messing around, and the platform itself is still a work in progress. Hopefully the benefit of seeing some real working OpenSocial code in production is worth bearing with a few kinks that need to get ironed out.

  • http://www.plaxo.com John McCrea

    Hey, Michael. I did not claim that all the edits were mine. It took me a while to find the area where the hacks had happened. Indeed, you are correct that changes were made that I did not make. We are now de-white-listing the app. Unfortunate, but not unexpected. Platforms are targets for hackers. That is life. The question is whether they can rapidly evolve to thwart the threats.

  • http://www.vecteezy.com Shawn

    Kinda scary but kinda awesome at the same time… I’m so torn!

  • Runald

    Plax-o sux-o.

  • theharmonyguy

    btw John, no harm intended – you were the only other person whom I knew had the app installed, and I was only testing the new platform to see if this was possible.

    Just sent you a message via Plaxo with details on how the hack works.

  • http://fakesteveballmer.blogspot.com Steve Ballmer

    NOT FACEBOOK!
    FaceBook backed by MS is the real thing baby!

    http://fakesteveballmer.blogspot.com

  • http://www.toddsampson.com Todd Sampson

    Congrats to the Plaxo guys for getting the OpenSocial hack out so fast. Things like this are bound to happen when you are…

    //insert something meaning *ahead of early adopters here*.

    As Joseph said, getting something out early is worth the risk.

    Cheers,
    Todd

  • Mark Thomson

    // TODO: no error checking – we’re bold…

    THAT is truly f-ing classic!

  • http://www.crunchnotes.com Michael Arrington

    Todd – I agree 100%

  • http://www.allfacebook.com Nick O’Neill

    This is a serious issue that I’ll be elaborating on more on my existing blog and one that is about to launch next week ;)

    In discussions with one executive today, I was talking about the implications of the new OpenSocial platform and who has access to the data being passed between applications.

    The OpenSocial platform has some serious security vulnerabilities (as displayed in this article). Javascript is inherently a more risky language to be exposing and this is why Facebook has been so hesitant to completely open up to JavaScript. You can bet that when Google launches an API in 1 month there will be serious issues.

    That is not to say that OpenSocial will not become the standard but there are serious hurdles ahead. I’m excited to see how this pans out.

  • Not Surprising

    The Facebook and OpenSocial platforms are not inherently insecure, they just require some competency on the part of developers when it comes to securing their applications. The problem is that most developers these days are not competent in that area. People would be scared if they knew how many security breaches there have been at the major Web 2.0 sites that have not been made public.

  • http://aa11.tripod.com/gold/ * MISS UNIVERSE

    The sad thing about this is that Hacker is getting all the publicity he craves.

    We should avoid the temptation to turn him into a hero – he committed an immoral act and should be sued.

    One successful suit would make them think twice. :-(

  • Alex

    theharmonyguy,

    Very cool! Your approach was not to destroy…. John McCrea and the Plaxo team should be sending you a job offer immediately….BUT, Google will beat them to the punch by Sunday night. Please update us who contacts you with job offers.

  • PublicBroadcastChannel

    Miss Universe, you sound like Miss South Carolina

  • theharmonyguy

    @6: I agree too – better to catch these things now rather than later.

    @10: True, but from my limited experience, the Facebook Platform is designed more securely. FB’s design prevents several problems that come from poor coding practices – not all, but some big ones. OpenSocial doesn’t appear to have those same safeguards.

    @11: You may not believe me, but I’m not craving publicity – I didn’t know what Michael would post before it appeared, and I honestly just expected a one-sentence credit. I’m not trying to be a hero, and while admittedly this probably wasn’t the best way to break the story, I don’t think it’s lawsuit-worthy. Like I told John, I was just proving a point, not trying to do anything immoral.

    @12: lol, thanks for the kind words, but I highly doubt I’ll get any offers. Like I said, I’m an amateur.

  • http://www.nusuni.com Jeremy Steele

    “We should avoid the temptation to turn him into a hero – he committed an immoral act and should be sued.”

    Apparently you have zero experience in IT security.

    Heh, thanks for the good laugh.

  • http://www.elementsof123.wordpress.com elmer

wow that’s incredible and fast–you know i know a great site this will help you and your families with knowledge-share the knowledge and prosper

    http://www.elementsof123.wordpress.com

  • http://www.crunchnotes.com Michael Arrington

    #11 – what he did was free consulting for RockYou.

  • http://controversialmarketing.blogspot.com Sam Freedom

    Ok, I think everyone needs to push their chairs away from their desks and try something new and invigorating like… hmmm, let’s see… how about we just start with WALKING?

    What a riot.

    Sam

  • http://www.stanleymillermedia.com stanley miller

    hacker person – good job! nice ugc. software is always flawed on release even when sending man to moon. code needs hours of transactions to cure. see hobbs meter.

  • http://www.italiasw.com/la-prima-applicazione-per-open-social-e-stata-aggirata-in-45-minuti/ Italia SW

The first Open Social application was circumvented in 45 minutes…

    As the well-known site TechCrunch reports, a hacker under the pseudonym “theharmonyguy” compromised “RockYou” (the first application that uses Google’s Open Social platform) in just 45 minutes, managing to insert some emotic…

  • Kjell Bublitz

    Miss Universe,

if we started hunting people who are just trying to point at something that’s not right, we would live in a world of lies.

    btw.. better be happy that he is presumably one of the good guys among that special branch of engineers. What would have happened if malicious (st00p1d) people had found the bug first (or later)?

    Thanks to him websites do get better, not worse.

    However.. McCrea’s denial was a bad move, marketing-wise. “Admit and react” is way cooler and shows that you care and know your stuff.

    jm2c

  • http://secondthoughts.typepad.com Prokofy Neva

    But that’s why they call it social media. People ascribe emotions to you. It’s supposed to work that way. No?

  • theharmonyguy

    “There are other apps where, last I checked, that was still an issue ( e.g. viewing anyone’s Graffiti posts).”

    I just checked again, and this problem may have been fixed – it certainly has been with Graffiti. After noticing the issue in several apps, I contacted Facebook about it, so they may have updated things in the last few weeks (haven’t stayed current on all the dev updates). fyi.

  • mano

    OpenSocial: Let’s party in Web 2.0 like it’s 1984.

  • http://www.techtalkz.com Hemanth

    @ theharmonyguy : Glad to see it’s released in such a way so that they can fix it ASAP.

  • http://www.octabox.com Adam Benayoun

@theharmonyguy – good job on discovering the weakness of Opensocial, it was just a matter of time, but at least you did it in a moral manner.

    Please contact me or provide me ways to contact you.
    Thanks,

    http://www.octabox.com

  • Chani

Like to see some details. This looks more like it’s RockYou’s amateur code that is at fault. Not the platform.

    What do you expect from a company that brags about completing an app in a weekend?

  • http://blog.codesignstudios.com Dennison Uy – Graphic Designer

Given that OpenSocial was just launched it was just a matter of time, and the fact that it uses JS and HTML just makes it easier to inject external code. The good thing about this is that the open nature of the API allows for rapidly identifying and fixing security holes. Kudos to theharmonyguy for being the first to succeed. I am sure the job offers are pouring your way now.

  • http://togo Tom

Great so for the next few months all we are going to be seeing is Opensocial Vs Facebook crap for every other writeup on TC.

    Surely someone out there must have the contact to start a blog to return to what TC originally was? If you have one let me know. I’ll subscribe

    TC is starting to suck

  • http://www.crunchnotes.com Michael Arrington

    #20 – I spoke with McCrea tonight after this post. He actually didn’t know it was hacked at the time he said it wasn’t. But he immediately added Joseph to the email string anyway (see update in post). Overall, they handled this quickly and professionally, and it wasn’t even their code.

  • http://www.raxitsheth.blogspot.com Raxit Sheth

    Interesting post and comments….!

    Is OpenSocial too easy to use…?
Is there a problem at Platform Side or at API Side?

    Cheers,
    Raxit

  • http://www.techfornovices.com/ Tech For Novices

    Hey MA-TC and THG

    Show us something like this on orkut.

That’s the only thing us novices use

    Tech For Novices

  • http://www.carversation.com jamster

    HAHA

  • http://www.putechnaman.com/blog/2007/11/03/googles-opensocial-hacked/ Google’s OpenSocial Hacked! | PuTech Naman! | Yet Another Technology Blog…

    [...] got working on Google’s Opensocial API. Within 45 minutes of releasing “emote”, Plaxo’s OpenSocial application got hacked… A developer who goes by the alias “theharmonyguy” and describes himself as “just an [...]

  • http://www.dornhoff.net/2007/11/03/erste-opensocial-application-in-45-minutes-gehacked/ First OpenSocial Application hacked in 45 minutes.

    [...] TechCrunch: It didn’t take long for someone to hack the first OpenSocial application. In fact, it took [...]

  • Josh

Maybe I’m completely off the mark here, but doesn’t the Open Social platform execute the widget’s JavaScript within the container’s site (e.g. RockYou’s JS from within plaxo.com)?

    How are security issues going to be controlled? That opens up the container site to all kinds of XSS attacks. It seems to me that the container site will need to introduce a white list and personally performs an audit of all widget code. If that’s the case then the platform isn’t very open at all.

  • http://www.sagmirwasdudenkst.de Micro Blog Freie Gedanken Fan

    :-) oh oh oh!

  • http://thatsmymouse.com James

    Josh: I believe OpenSocial apps execute within an iframe in a different domain from the parent page. The iframe acts like a sandbox without direct access to the calling page.

    Having said that, there are still a range of XSS attacks that can be performed when you can make arbitrary javascript calls, even within a sandbox. Maybe OpenSocial parses any js embedded in the apps, to stop these attacks.

  • http://tekno-world.blogspot.com Rajeev

    Hackers shld be employed for better security products.

    http://tekno-world.blogspot.com

  • techmine

    Good lesson to those who want to be ahead in this social game.

  • senatuskienlee

I think an answer that’s “I didn’t see it at first” coming from a Google exec is quite preposterous. If someone said there’s a burglar in the house, I don’t just check if my dog knew about it.

  • http://www.macewan.org Robert MacEwan

    um, is it not illegal for you to ask someone to compromise a system?

  • http://www.ebiziseasy.com The Pageman

    @39. Isn’t that what white hat hackers are for?

  • Json

    #11- You mean “immoral” like linking to copyrighted videos, sneaking cameras into events where they are not allowed, and hosting your “site” on Tripod?

  • rick

    omfg hax

  • http://xxdesmusxx.net xxdesmus

    @* MISS UNIVERSE

    “We should avoid the temptation to turn him into a hero – he committed an immoral act and should be sued.”

    Thanks for the laugh. You clearly don’t have much of a handle on reality.

  • http://www.meetingflex.com MeetingFlex.com

Hats off to plaxo for being an early user of OpenSocial …that was fast….

    bugs and hacks are a part of software development life…

    http://www.meetingflex.com
    Social Network + Video – Crap

  • http://www.workersinc.com Nat

    I agree with Rajeev on comment #36, they can expose any issue on security and can learn a lot .

    Nat
    http://www.workersinc.com

  • http://meneame.net/story/hackeada-primera-aplicacion-opensocial-45-minutos meneame.net

The first OpenSocial application hacked in 45 minutes…

    A developer, alias "theharmonyguy", who describes himself as "just an amateur", claims to have compromised the RockYou OpenSocial application on Plaxo called emote, in exactly 45 minutes….

  • http://rexduffdixon.com/ Rex Dixon

    Every start has some road bumps. But at least these were addressed right away. It’s not unexpected.

    Rex

  • http://web2.socialcomputingmagazine.com/the_6_essential_things_you_need_to_know_about_googles_opens.htm Dion Hinchcliffe’s Web 2.0 Blog

    The 6 essential things you need to know about Google’s OpenSocial…

    I’ve spent the last few days keeping track of the seemingly endless stream of news and blog coverage about Google’s new OpenSocial model for social networking applications. OpenSocial has been described by some as Google’s industry “chess move” t…

  • http://web2.socialcomputingmagazine.com Dion Hinchcliffe

    Yep, I thought we’d see some problems with XSS and security but not this soon.

    Just wait until there is a serious personal data spill or the first trojan OpenSocial application.

    But ultimately most of these problems will be resolved. But the short term will be interesting.

    My full take on OpenSocial here:

    http://web2.socialcomputingmagazine.com/the_6_essential_things_you_need_to_know_about_googles_opens.htm

  • http://www.ryanmerket.com/blog Ryan Merket
  • http://www.mycutegalaxy.com Smiley

Omg it is hack time so let the hackathon begin! Don’t even try to hack my app dude! lol Nice job there theharmonyguy

  • http://www.buzzpal.com chrisco

    @ theharmonyguy: Just throwing out a random, shameless and impulsive comment/question: Let me know if you’ve got any interest in talking about combining your technical skills with my FB, OpenSocial and standalone social ideas. Cheers, chrisco PS: I’m an American based in Sweden (they love hackers over here!)

  • http://nachofoto.com humanclone

Good job “theharmonyguy”!

    I’m always proud of hackers ;)

  • sco

    facebook search is down

  • http://www.azhttp.com/ Bill Austin

    One of the main drawbacks of being “Open” is that anyone can hack in and some of the many benefits of being “Open” is that anyone can fix it and it usually gets fixed quite quickly.

    Imagine a world where the fix required a thirty page change order.

  • Mike K

    It was a Rockyou application and Rockyou have written some pretty poor facebook applications in the past – one of their apps spams a user’s feed all the time, and claims you did an action to somebody when you did no such thing. So I’d imagine hacking a Rockyou application isn’t exactly a tough challenge, but at least facebook lets you cut yourself off from a rogue app – I’d like to know if opensocial lets you do the same.

  • http://www.alcohol-freedrinks.com Thilo

    that was fast work :0

  • http://www.kullin.net/2007_11_01_mc.html#6743365457198818870 Media Culpa

    First OpenSocial app hacked within 45 minutes…

    Now that’s a bad start. TechCrunch writes that it took only 45 minutes for the first OpenSocial application to get hacked….

  • Balaji

    Hey theharmonyguy,

    I am quite impressed with your skills and your genuine nature in not seeking publicity, but pointing out the code flaws. We are a company that is based in Redwood Shores and are experimenting out various Web 2.0 startup ideas (though some are heading towards Web 3.0). We are looking for a great web developer to join us in this effort and I would love to talk to you regarding this opportunity, if you are interested. I am the founder and CEO of http://www.cruxle.com, the video search startup company that is still in stealth mode and the founder and CEO of another startup company called http://www.labs20.com, where we experiment several startup ideas. We are looking for developers for both companies and I would like to talk to you regarding these opportunities. Please contact me at balaji@labs20.com, if you are interested.

    I look forward to hearing from you.

    Thanks
    Balaji

  • http://geekninja.blogspot.com AW

    That’s 3 job offers the guy has gotten so far, in this _thread_ alone.

    I gotta start breaking and entering more often! =D

  • theharmonyguy

    Just to clarify some issues people have been discussing…

    I did hack a RockYou application, and there were issues with their coding that allowed me to do so. It’s not like I hacked Plaxo or somehow hacked OpenSocial itself.

    But as the post points out, I doubt my hack would have worked on a Facebook application because of features in the FB Platform’s design. Examples include the “secret” key for verifying application code and the session parameters that provide a user context for every application request. Those safeguards are absent from OpenSocial. In other words, the design of OpenSocial (from my perspective) makes it much easier to take advantage of code flaws. So while this particular hack dealt with RockYou’s code, I think it also highlights some issues with OpenSocial that may need to be addressed.

    I’ve wondered since the first OpenSocial announcement how they’d deal with malicious HTML/JavaScript. I had to learn about things like injection attacks when I worked on a forum script – you simply can’t allow full HTML/JavaScript. That’s one of the reasons (there are a few others) for extensions like FBML and FBJS – they restrict what kind of code is executed on Facebook. I hope the discussion of OpenSocial will be a little more realistic now – not to say that OpenSocial’s bad, I just think it’s been hyped too much.

    Furthermore, I wanted to get people talking about the security implications of OpenSocial’s design. Simon Willison has already mentioned another one: the widgets run in iframes, so there’s a potential for malicious frame-busting. Also, this afternoon I figured out that, using another injection technique, I could insert arbitrary HTML into Emote pages, including an iframe. Once again, this is also possible with some Facebook apps, but without the safeguards of the FB Platform, I think there’s more potential for abuse.

    Finally, this all will hopefully raise people’s awareness of security/privacy issues with social apps/widgets in general. Since they deal with personal data and have a viral component to them (anyone remember “samy is my hero”?), they have to be very secure. I’m actually surprised there haven’t been any malicious Facebook applications so far (though I’m sure they’d be dealt with swiftly). I think people are getting a little too free in letting applications have their personal data – developers need to be very careful.

    And as a sidenote… With all the recent hype about OpenSocial, I would have expected a much smoother launch. Things like the comments in RockYou’s code make me wonder if OpenSocial and the first batch of apps were really ready for primetime or if Google rushed things out the door to keep ahead of Facebook. Last night I couldn’t get a single application to work in Orkut, and I never saw Emote running on a Plaxo page. Plaxo pointed out that the API is at 0.5, and some hosts are reportedly months away from launching. OpenSocial may end up being as grand as some people have made it out to be, but it’s still got a ways to go in terms of actual use.
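theharmonyguy’s point about inserting arbitrary HTML, including an iframe, into Emote pages comes down to a gadget that concatenates user-supplied status text straight into its markup. As an added illustration (not RockYou’s or Plaxo’s code, and not from the original post or this thread), the Python below shows that pattern beside a hardened renderer: every user string is HTML-escaped and the only markup the gadget emits is an emoticon image chosen by key from an allowlist. The emoticon table, image paths, sample name and sample statuses are all constructed for the demo.

```python
import html
import re

# Hypothetical emoticon catalogue: the gadget only ever emits an <img> chosen
# from this table by key, so no user-supplied string reaches the page as markup.
# Keys and paths are made up for this demo.
EMOTICONS = {
    "bling": "/img/bling.png",
    "w00t": "/img/w00t.png",
}

# Constructed sample input: a harmless status, and one carrying the kind of
# payload theharmonyguy describes (an iframe inserted into an Emote page).
SAMPLE_NAME = "michael arrington"
SAMPLE_STATUS = "is w00t"
SAMPLE_INJECTION = 'is <iframe src="http://attacker.example/"></iframe>'


def render_status_unsafe(name, status):
    """The vulnerable pattern: user-controlled text is concatenated straight
    into the gadget's HTML, so a tag inside a status becomes a live element."""
    return '<div class="emote">%s %s</div>' % (name, status)


def render_status_safe(name, status, emoticon=None):
    """Hardened rendering: every user-supplied string is HTML-escaped (quotes
    included, since the text may land inside an attribute), and the only
    markup emitted is an <img> looked up by key; unknown keys are rejected."""
    if emoticon is not None and emoticon not in EMOTICONS:
        raise ValueError("unknown emoticon key: %r" % (emoticon,))
    parts = [html.escape(name, quote=True), html.escape(status, quote=True)]
    if emoticon is not None:
        parts.append('<img src="%s" alt="%s">' % (EMOTICONS[emoticon], emoticon))
    return '<div class="emote">%s</div>' % " ".join(parts)


_TAG_RE = re.compile(r"<\s*([A-Za-z][A-Za-z0-9]*)")


def tag_names(rendered):
    """Set of element names a browser would parse out of the rendered fragment;
    used here to show what each renderer lets through."""
    return {m.group(1).lower() for m in _TAG_RE.finditer(rendered)}


if __name__ == "__main__":
    for renderer in (render_status_unsafe, render_status_safe):
        out = renderer(SAMPLE_NAME, SAMPLE_INJECTION)
        print(renderer.__name__, sorted(tag_names(out)))
        print("   ", out)
```

Run stand-alone, the unsafe renderer yields a fragment containing both a div and an iframe element, while the safe one yields only the div, with the attempted tag visible as literal text. Escaping at the point of output rather than trying to filter input is what makes the second renderer hold up whatever the status contains.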

  • http://www.plaxo.com John McCrea

    Hey, I know there is a ton of interest in seeing the OpenSocial stuff. On my blog I’ve got some coverage of the Open Social “Open Social” at Plaxo HQ last evening, including a link to a video that shows several OpenSocial apps running live in Plaxo Pulse. Here you go: http://therealmccrea.wordpress.com/2007/11/03/coverage-of-the-first-opensocial-open-social/

  • nemrut

Interesting how the tides can change. One day Google is the talk of town w/their transformative Opensocial platform, the next day they’re looking not so savvy when an amateur hacker easily hacks the system.

    Now the question arises does it make sense for users to maintain centrally located profile data ala Google Opensocial when it might be safer distributed among niche-specific social apps..

  • http://mcmanus.typepad.com/ Jeffrey McManus

    Having a “strict white list” is not a way to prevent hackers from getting access to your platform, as Smarr asserts. It’s a way for short-sighted corporate executives to retain the illusion of control.

  • http://idomyownstunts.blogspot.com Fabricio

    @60 OpenSocial is not a social network or a central repository for profile data, it is only a set of method names (an API) that is open and supported by a bunch of social network providers. It is a list of rules that someone has to follow to perform (or allow others to) a basic common set of actions like “get a list of friends” usernames or “publish a string in the activity feed of that user”. The data is not centrally located, it is distributed among several providers and platforms, much like the internet itself.

  • http://www.freetube.uni.cc Hybrid Vision

    Now that’s hilarious. Like a 0-Day hack!

  • http://www.accidentaltechnologist.com Rob Bazinet

    Good. I guess Google didn’t do their homework on this one. It proves a point that just because it’s from Google it doesn’t mean it’s good or secure. If they can leave a security hole in something like this then they can do it with other products as well.

  • http://www.playerzblog.com Adi Moga

i want to start a social news site.. any advice?.. is there a better application than facebook?

  • http://www.microkid.net Microkid

    @ 64. Rob Bazinet

    Dude, you really don’t have a clue on what this is about. Let me lay it out for you in a nice analogy.

    Someone puts razorblades in baby food, you blame the grocery store.

  • http://www.microkid.net Microkid

    Oh.. and ehm.. sorry theharmonyguy for making you look like someone who puts razorblades into baby food :)

  • http://fakesteveballmer.blogspot.com Steve Ballmer

    Anything that’s “open” is dangerous!
    When you are “open” you are dependent upon the kindness of strangers.

    http://fakesteveballmer.blogspot.com

  • http://www.zuggu.com Ariel

    nah, just a press move.

  • http://www.mycutegalaxy.com Smiley

@66 hahahahaha man that’s exactly how this looks like but it is kinda hype!

  • sReal

Love it or hate it, thanks to theharmonyguy for reminding everyone that people are trying (and succeeding) in hacking social apps.

    Waiting now for some hackthisapp app. It would be nice to have an app that strengthens the technical side of social computing, by making developers of small apps use security and giving them a chance to explore security weak spots.

  • http://www.accidentaltechnologist.com Rob Bazinet

    @microkid,

    Why don’t you come back once you get some real experience and explain yourself better.

    Are you trying to explain to me this is not a Google problem? Umm….get a clue dude.

  • nemrut

@62, …so they say, but from a business perspective, their ambitions are much higher. why should ‘write once read anywhere’ only apply to applications. from a user perspective having a central profile repository vs multiple profiles makes total sense. And from a biz perspective…well the possibilities are endless.

    ..the only question is the issue of trust and reliability.

  • http://www.dotcomadvise.com dotcomadvise

in today’s world the hacker is more tech savvy than the developer

  • http://idomyownstunts.blogspot.com Fabricio

    @73
    Sorry nemrut, but from a user perspective having a central profile repository makes any sense. People don’t want their suicidegirls data in linkedIn or their real gender on world of warcraft, or their activity feed from facebook on deviant art, or the same avatar picture from flickr or mix.epicfu on slashdot.

    The only ones interested in a central profile (or people search for that matter) are totalitarian governments and tech crunch readers.

  • ARC

So I’m a 29yo child and adolescent psychiatrist in fellowship with the organizational answer for your points fabricio using dynamic psychiatric principles applied to snp development. I just can’t get anyone’s attention. How do I go about entering discussions and getting someone’s ear that matters?

  • http://tlrobinson.net Tom

    Whitelist != Open

  • Rick Measham

    #10: Not Surprising

    OpenSocial *is* inherently insecure. It does not take any great hacker to see that. This guy is just getting the publicity for something dozens of developers have noticed over the weekend.

    The platform loads an iframe with the visitor id and owner id in the URL. As well as all the owner’s preferences. But there is NO WAY to verify those details. Therefore anything you can do to your own app, you can do to someone else’s install of it. All you need to do is change the visitor id to be the owner id of the page you’re looking at.

    Also, because of the way it works, all JS is sent to the iframe for every view. If you’re a visitor to the profile, you get the same JS sent to you as if you’re the app owner going to the canvas view. And you get access to all the same preferences. This means you can do *anything*.

    So yes, OpenSocial *is* inherently insecure (and yes, they already know about it .. there’s a fix coming, but no details on what it is and it isn’t going to be in the next few hours.)

I’ve taken down my app until this is all sorted out as it left my users vulnerable.
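Rick Measham’s description above (viewer id and owner id passed in the gadget URL with nothing to verify them) and theharmonyguy’s earlier point that Facebook’s “secret” key and session parameters give every request a verifiable user context describe the same gap from two sides. The Python below is an added example, not code from RockYou, Plaxo, Google or anyone in this thread: it models a container that signs the identity fields with an HMAC under a secret shared only with the app’s server, and an app handler that refuses to write a status unless that signature verifies. The secret, URLs, field names, ids and the signing format are all constructed for the demo; a real container’s scheme would differ.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical shared secret issued to the app developer by the container at
# registration. It lives on the container and on the app's server only and is
# never sent to the gadget JavaScript. Value constructed for this demo.
APP_SECRET = b"constructed-demo-secret-do-not-reuse"

# The identity parameters the container vouches for by signing them.
SIGNED_FIELDS = ("viewer_id", "owner_id", "app_id")


def canonical_string(params):
    """Fixed-order encoding of the signed fields, so both sides MAC the same bytes."""
    return "&".join("%s=%s" % (k, params[k]) for k in SIGNED_FIELDS)


def sign_params(params, secret=APP_SECRET):
    mac = hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()
    return dict(params, sig=mac)


def container_build_gadget_url(base, viewer_id, owner_id, app_id):
    """Container side (the role Plaxo plays): it knows from its own session who
    the viewer really is, puts that in the URL, and signs the identity fields."""
    return base + "?" + urlencode(sign_params({
        "viewer_id": viewer_id, "owner_id": owner_id, "app_id": app_id}))


def verify_request(url, secret=APP_SECRET):
    """App-server side: recompute the MAC over the identity fields and compare
    in constant time. Returns the verified identity, or None on any failure."""
    params = dict(parse_qsl(urlsplit(url).query))
    if "sig" not in params or any(k not in params for k in SIGNED_FIELDS):
        return None
    expected = hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), params["sig"].encode()):
        return None
    return {k: params[k] for k in SIGNED_FIELDS}


def set_status_unverified(url, statuses, new_status):
    """The weakness as described: whoever is named in viewer_id gets written to."""
    params = dict(parse_qsl(urlsplit(url).query))
    statuses[params["viewer_id"]] = new_status
    return True


def set_status_verified(url, statuses, new_status):
    """Hardened write: only a request whose signature checks out may update a
    status, and only the verified viewer's own entry. owner_id still says whose
    profile is being displayed, but it never decides who may write."""
    ident = verify_request(url)
    if ident is None:
        return False
    statuses[ident["viewer_id"]] = new_status
    return True


def rewrite_query(url, **changes):
    """Edit query parameters in a URL; models the case Rick Measham describes
    (viewer id swapped for the owner id) so the two handlers can be compared."""
    base, query = url.split("?", 1)
    params = dict(parse_qsl(query))
    params.update(changes)
    return base + "?" + urlencode(params)


if __name__ == "__main__":
    genuine = container_build_gadget_url("https://app.example/emote", "viewer-1", "owner-7", "emote")
    forged = rewrite_query(genuine, viewer_id="owner-7")
    for handler in (set_status_unverified, set_status_verified):
        store = {}
        accepted = handler(forged, store, "is w00t")
        print(handler.__name__, "accepted forged request:", accepted, store)
```

The unverified handler writes the owner’s status as soon as the viewer id in the URL is edited; the verified handler rejects the same request because the MAC no longer matches the fields. The point of the design is that the app never decides identity from parameters it cannot check: the container, which knows who is logged in, is the only party that can produce a valid signature.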

  • Yasam

    Nice article for applications http://lapnol.Blogspot.Com

  • http://www.scribblesheet.co.uk/viewarticle.php?aid=237 JohnofScribbleSheet

    This is good for competition, more apps being made quicker and quicker gives users options.

  • Astonished

    To Joseph Smarr (Plaxo’s “Chief Platform Architect”):

Please, if you’re listening, be smart enough to be humble when hacked. Stating how you are doing things to keep “would-be hackers” out is a great way to encourage them to come after you. If you get caught with your pants down, don’t insult the people who did it. What you write is equivalent to saying “screw you amateurs, bet you can’t do it again because I’m so smart”.

    Also, when you say “I want to err on the side of caution” it seems like a bunch of B.S. after your code gets violated and laughed at for not having error checking.

    Finally, KISS…learn it especially when publicly responding. You said too much, especially “this stuff is not always easy to keep straight”. Really?? The difference between a “viewer” and “owner”? Wow, Chief Platform Architect…

  • http://www.grumpysecurityguy.com/ Grumpy Security Guy

@82 – Maybe you didn’t notice, it was not Plaxo’s code, it was a 3rd party app that used OpenSocial APIs on Plaxo. Now perhaps we can blame Google for allowing this to happen in the API or Plaxo for jumping in with both feet on a new API but the code is all RockYou’s fault.

  • http://www.computer-datenrettung.de computer-datenrettung.de

    But isn’t it better that a white hat hacker discovers the security bugs than that a black hat one does? So they can fix the bugs and secure their systems.

  • http://theharmonyguy.com/2007/11/06/rockyous-emote-on-plaxo/ Social Hacking

    RockYou’s Emote on Plaxo…

    Date: Friday, November 2, 2007
    Initial hack: 45 minutes
    Vulnerabilities:

    Able to change current Emote status for any user
    Able to access Emote history and current status for any user
    Able to insert HTML, including JavaScript, into Emote pages

    Coverag…

  • http://www.techcrunch.com/2007/11/05/opensocial-hacked-again/ OpenSocial Hacked Again

    [...] same person who hacked the RockYou OpenSocial application on Plaxo just 45 minutes after it was publicly released is at it [...]

  • http://axlym.com/blog/?p=24 swordfish Blog » Google’s OpenSocial Hacked!

    [...] Looks like someone got working on Google’s Opensocial API. Within 45 minutes of releasing “emote”, Plaxo’s OpenSocial application got hacked… [...]

  • http://shaveh.co.il/story.php?title=z-OpenSocial--s-45-17547-1 שווה קריאה (Worth Reading)

    The first OpenSocial system was hacked within 45 minutes…

    A few days ago Google released the OpenSocial system, which will make it possible to build social systems easily using standards. But within 45 minutes the first system that made…

  • http://www.talentzoo.com Ryan Watkins

    It’s not the growing pains we need to be worried about, those will happen. If in a few months ‘amateur hackers’ are still running wild, then I’ll start worrying…

  • Astonished

    @83 – Perhaps, but I believe Plaxo still had to implement the APIs on their servers so their data could be accessed. With this in mind, I imagine there would be ways to bolster security, server-side. Finally, I am not going to get into a technical discussion, but there are ways of securing your Javascript functions as well. Obfuscation at the least might have made Plaxo less likely to be the first cracked. In the end, this news will leave the minds of those who care, and those who care aren’t the end users at this point.

    @84 – Absolutely, but who knows if the white hat was the first…probably won’t be the last b/c in Joseph’s defense, security is an endless battle.

    Anyway, I have to say congratulations to the Plaxo team for taking the bold move and getting out there first. It takes courage to deal with the possible downsides (you know people like me). Anyway, any press is good right?

  • http://ballache.uncov.com David J’s Brain

    @11: The fact that you can’t differentiate between malicious hacking and humorous investigative hacking shows that you’re a moron. Would it be better if no benign hacking happened? this guy clearly exposed a security hole which can now be fixed. Instead of their idiotic initial denials Plaxo can now fix their code, which obviously was shipped too early under the pressure of some business moron that Arrington adores.

    Think of it similarly to investigative reporting. Would you rather a reporter expose a security hole at an airport, or on principle have that information suppressed until a real ‘bad guy’ uses it? There are plenty of real malicious hackers who will use Open Social and any other platform (Hypebook) for a list of real criminal exploits, the simplest of which would be identity theft.

  • http://www.kyle-brady.com/2007/11/07/why-opensocial-may-be-over-hyped/ Kyle Brady: A Blog

    Why OpenSocial May Be Over-Hyped…

    I’ve been purposely avoiding writing anything about Google’s new OpenSocial project. Why? Because it had the potential to go in a few different directions and be used different ways, and I wanted the hype to die down before seeing what it…

  • Keith

    That was a smooth reply from the architect but it sounds more like they had white-listed real hackable code as opposed to “real working” code.

  • http://michaeljung.wordpress.com Michael Jung

    @60: Data isn’t stored centrally on Google’s servers. It still belongs to and is stored where it comes from, where it is fetched from – like your music list from iLike on your MySpace profile. All iLike data comes from the iLike servers.

    @58: Many many many good points.

    @73: I advise you to look at http://michaeljung.wordpress.com/2007/11/08/links-for-11-08-07/ >> Web 2.0 Expo Berlin Presentation – Open Platforms and the Social Graph (David Recordon’s Blog)

  • Saravanan

    Hi, it’s really cool. If you prepare it like a tutorial and post it, then it will be very useful to developers.

  • http://blog.burak-arikan.com/open-social-to-distribute-3-things-myself-my-relationships-and-my-life/ BURAK ARIKAN » Open Social to Distribute 3 Things: Myself, My Relationships, and My Life

    [...] OpenSocial API is up and hacked by some guy already. I am currently reading the protocols. From what I understand, Google servers are the gate keepers [...]

  • http://cn20081240.p-client.net/2008/06/08/opensocial-gehacked/ OpenZolder » OpenSocial gehacked
  • http://theharmonyguy.com/2008/07/16/social-me-still-too-social/ Social Hacking » Blog Archive » Social Me Still Too Social

    [...] The “hack” involved is unbelievably simple, because the AJAX interface for Social Me is totally unsecured.  And it’s not even a POST request – I just enter a certain URL in my browser with a few query strings modified accordingly.  The server does nothing to validate who is making the request.  It reminds me of my original Emote hack. [...]

  • http://www.sourcingseattle.com/social-media/mark-zuckerberg-says-facebook-connect-is-the-future/ Sourcing Seattle » Blog Archive » Mark Zuckerberg Says Facebook Connect Is the Future

    [...] Read an interesting article where the CEO of Facebook discusses their take on the future of the social web (a direct competitor to Google’s OpenSocial platform). OpenSocial has had some challenges out of the gate, including its first application being quickly hacked in just 45 minutes. [...]

  • http://www.wiggler.gr/2007/11/04/newslens-podcast-episode-21/ Newslens Podcast Episode 21 at Wiggler

    [...] First OpenSocial Application Hacked Within 45 Minutes [...]

  • http://beavernews.wordpress.com/2007/11/04/why-facebook-will-rule-the-world%e2%80%94and-why-it-won%e2%80%99t/ Why Facebook will rule the world—and why it won’t « The Beaver Reader

    [...] also worth noting that the first OpenSocial application was hacked within 45 [...]

  • http://securityjustice.com/archives/32 Security Justice » Blog Archive » Security Justice – Episode 7

    [...] LinkedIn adds applications…becomes more like Facebook/MySpace. Let’s not forget OpenSocial was hacked in 45 minutes! [...]

  • http://www.facebook.com/people/Mark_Ellis/506942931 Mark Ellis

    bacon

  • http://www.facebook.com/people/Mark_Ellis/506942931 Mark Ellis

    your mum

  • http://www.dotcominfoway.com C R Venkatesh

    I just created a site http://www.amigocentral.com for my client and I was wondering whether I would also face an equal threat. I hope the Gurus listed here on this page can shed some light.

  • http://fivepoint.jerakeen.org:8080/notes/2007/11/18244101/ Link « jerakeen.org – notes
  • http://theharmonyguy.com/2009/10/19/first-impressions-on-security-in-google-wave/ First Impressions on Security in Google Wave | Social Hacking

    [...] an OpenSocial framework online, I decided to check out its security for myself. That led to the first hack of an OpenSocial application, and my white-hat hacking hobby began. Admittedly, the “hack” came from poor coding [...]

  • http://socialmediasecurity.com/2009/10/19/first-impressions-on-security-in-google-wave/ Social Media Security » First Impressions on Security in Google Wave

    [...] an OpenSocial framework online, I decided to check out its security for myself. That led to the first hack of an OpenSocial application, and my white-hat hacking hobby began. Admittedly, the “hack” came from poor coding [...]

  • http://terrychay.com/article/bebo-recruiting-math.shtml bebo recruiting math | The Woodwork

    [...] (Okay, I’ll admit my Bebo-bias comes from Bebo being one of the OpenSocial launch partners. Sorry, but I implemented open APIs long before Open Social launched and helped design a key lynch-pin of what makes OpenSocial work, and you shut me out? Damn straight I’m holding a grudge—maybe if you talked to me I could have pointed the mack-truck security hole in the launch.) [...]
