OpenSocial Hacked Again

The same person who hacked the RockYou OpenSocial application on Plaxo just 45 minutes after it was publicly released is at it again.

This time, he claims to have easily accessed the iLike application on Ning. Specifically, he says he can add and remove songs on users’ playlists. And more damaging, he can also access a user’s friends list in the client-side code. Give him a Ning username and he can give you details on their friends: relationship to user, last date of update, photo, profile creation date and part of their email address.

He’s pulled up Ning co-founder Marc Andreessen’s friend list to prove his point, and shared part of it with me. I won’t be publishing it here, but it shows that he got access to the application.

Total time to hack iLike on Ning: 20 minutes.

As with the RockYou/Plaxo hack, no real damage has been done, but it shows that in the rush to get applications out the door quickly, attention to security may have fallen by the side of the road.

TheHarmonyGuy now has a blog up where he is writing about his hacks of OpenSocial applications. See it here. He notes that RockYou’s application remains unpatched.

More on OpenSocial here.