Hot topics

Comment

OpenSocial Hacked Again

Michael Arrington

View Staff Page

J. Michael Arrington (born March 13, 1970 in Huntington Beach, California) is a serial entrepreneur and the founder of TechCrunch, a blog covering startups and technology news. Arrington attended Claremont McKenna College (BA Economics, 1992) and Stanford Law School (JD, 1995) and practiced as a corporate and securities lawyer at two law firms: O’Melveny & Myers and Wilson Sonsini Goodrich... → Learn More

Monday, November 5th, 2007
Comments

The same person who hacked the RockYou OpenSocial application on Plaxo just 45 minutes after it was publicly released is at it again.

This time, he claims to have easily accessed the iLike application on Ning. Specifically, he says he can add and remove songs on users’ playlists. And more damaging, he can also access a user’s friends list in the client-side code. Give him a Ning username and he can give you details on their friends: relationship to user, last date of update, photo, profile creation date and part of their email address.

He’s pulled up Ning co-founder Marc Andreessen’s friend list to prove his point, and shared part of it with me. I won’t be publishing it here, but it shows that he got access to the application.

Total time to hack iLike on Ning: 20 minutes.

As with the RockYou/Plaxo hack, no real damage has been done, but it shows that in the rush to get applications out the door quickly, attention to security may have fallen by the side of the road.

TheHarmonyGuy now has a blog up where he is writing about his hacks of OpenSocial applications. See it here. He notes that RockYou’s application remains unpatched.

More on OpenSocial here.

Tags: , ,
blog comments powered by Disqus