iLike on Ning (Fixed)

Date: November 5, 2007

Initial hack: 20 minutes

Vulnerabilities:

  • Able to access listing of friends for any user and limited personal information about these friends
  • Able to add and remove playlist tracks for any user

Coverage: TechCrunch

Progress: Ning and iLike have both been notified. Ning has replied and stated they are working to fix the issues ASAP.

Update: First “vulnerability” not a vulnerability at all; I’m new to Ning so didn’t realize the data was already available via JSON. Ning has made some updates to fix the iLike issues; haven’t tested them yet.

Update 2: On November 14 I tested my hack again, and Ning seems to have plugged the hole. Good work.

8 Responses to “iLike on Ning (Fixed)”

  1. Marc Fiszman Says:

    Do you plan to release your method? Or should we just take your word for it?

  2. Mr. Stanley Russell Dudek Says:

    I like how you are helping identify these issues with OpenSocial coders.
    I also like that they are quick to respond. One of them already, anyway. Keep up the good work.

  3. theharmonyguy Says:

    Since this one involves some personal information, I’m hesitant to release details until it’s patched. But with the TechCrunch story, you can take Michael Arrington’s word for it also - I’ve demonstrated the hack to him.

  4. Ouebslave Says:

    I would not take Arrington’s word for anything. He has proven in the past to be of the very worst kind. No kidding.

  5. Chandra Says:

    Is it due to the bugs in the OpenSocial API specs or due to the bugs in iLike code?

  6. theharmonyguy Says:

    Chandra: Just posted an update on that very issue.

  7. Marc Fiszman Says:

    @Ouebslave: so true!

  8. Michael Fomkin Says:

    Michael Fomkin thinks this is interesting
