Archive for November, 2007

Compare People on Facebook (Fixed)

Wednesday, November 14th, 2007

Vulnerability:

The Compare People application on Facebook sends user profile information, such as age, gender, city, ZIP code, favorite music, favorite movies, favorite TV shows, favorite books, “about me,” activities, interests, and political view to Google AdSense when displaying advertisements within the application.

Progress: Facebook has been notified.  Compare People has commented; see below for updates.
More Detail: Today […]

Some Clarification

Tuesday, November 6th, 2007

I wanted to take a moment to clarify some issues I’ve seen several people raise…
First, when I say I’m an amateur, I’m not simply being modest.  I do have a good bit of programming experience (though more in network administration), but these recent adventures have involved some skills that are less developed.  I appreciate the […]

iLike on Ning (Fixed)

Tuesday, November 6th, 2007

Date: November 5, 2007
Initial hack: 20 minutes
Vulnerabilities:

Able to access listing of friends for any user and limited personal information about these friends
Able to add and remove playlist tracks for any user

Coverage: TechCrunch
Progress: Ning and iLike have both been notified.  Ning has replied and stated they are working to fix the issues ASAP.
Update: First “vulnerability” not […]

RockYou’s Emote on Plaxo

Tuesday, November 6th, 2007

Date: Friday, November 2, 2007
Initial hack: 45 minutes
Vulnerabilities:

Able to change current Emote status for any user
Able to access Emote history and current status for any user
Able to insert HTML, including JavaScript, into Emote pages

Coverage: TechCrunch
Progress: Plaxo has removed Emote from their whitelist.  As of Nov. 6, Emote remains unpatched.
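The two bug classes listed for iLike and Emote above, acting on "any user" because the handler trusts a client-supplied user id, and stored HTML or JavaScript rendered back into a page, come down to the same two handler-level mistakes. The following is an added illustration written for this archive page; it is not code from iLike, RockYou, Ning or Plaxo. The in-memory store, the session table, the `user_id`/`status` parameter names and every function name are assumptions for the example, not details of those applications.

```python
import html

# Constructed session table for the example: opaque token -> authenticated user.
# In a real app this would be server-side session state, never a query parameter.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Raised when a request tries to act outside its own account."""


def set_status_vulnerable(store, params):
    """Assumed-vulnerable handler: whoever sends the request picks the target.

    `params` is the request's query/form data, so the caller chooses
    `user_id` freely. There is no check that the caller *is* that user,
    which is the "change status for any user" condition.
    """
    user = params["user_id"]
    store.setdefault(user, []).append(params["status"])
    return user


def set_status_fixed(store, sessions, token, params):
    """Hardened handler: the acting user comes from the server-side session.

    A `user_id` in the request is only accepted if it matches the session's
    user; anything else is refused rather than silently honoured.
    """
    user = sessions.get(token)
    if user is None:
        raise Forbidden("not logged in")
    if params.get("user_id", user) != user:
        raise Forbidden("cannot act on another user's data")
    store.setdefault(user, []).append(params["status"])
    return user


def render_history_vulnerable(store, user):
    """Assumed-vulnerable renderer: stored text is pasted into HTML as-is,
    so a status containing <script> runs in every viewer's browser."""
    return "".join(f"<li>{s}</li>" for s in store.get(user, []))


def render_history_fixed(store, user):
    """Hardened renderer: escape on output, so markup in a status is shown
    as text rather than interpreted by the browser."""
    return "".join(f"<li>{html.escape(s)}</li>" for s in store.get(user, []))


def demo():
    """Walk both bugs and both fixes on a constructed store; returns results."""
    store = {"alice": [], "bob": []}

    # Bob is logged in as bob but names alice in the request.
    attacker_request = {"user_id": "alice", "status": "<script>alert(1)</script>"}

    set_status_vulnerable(store, attacker_request)          # succeeds: alice is modified
    try:
        set_status_fixed(store, SESSIONS, "tok-bob", attacker_request)
        blocked = False
    except Forbidden:
        blocked = True                                       # hardened path refuses

    return {
        "alice_history": list(store["alice"]),
        "fixed_blocked_cross_user_write": blocked,
        "vulnerable_render": render_history_vulnerable(store, "alice"),
        "fixed_render": render_history_fixed(store, "alice"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the hardened handler is that it never derives *who* from the request body at all: identity comes from the session, and the request may only name a target that equals that identity. Escaping on output rather than on input keeps the stored value intact while making it inert wherever it is rendered.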

Checking the security and privacy of social networking applications, white hat style…