Archive for February, 2008

Facebook Contacts

Monday, February 18th, 2008

Discovered an interesting little trick today. I wouldn’t classify it as a hack or a big security risk, but it is a slight privacy hole.  After reading about an old method for accessing the friend list of a user logged into Facebook (Facebook has apparently fixed this one), I did some poking around.  To my […]

Social Security 102: Client-Side Code

Monday, February 11th, 2008

Second in a series.  First post: Query Strings
In this post, I’ll both detail the iLike on Ning hack and raise a question about web development in general.  This particular hack makes me wonder about some larger security issues.
In the early days of OpenSocial, I didn’t have many platforms to test on.  After working with Plaxo, […]

Facebook Application History Pages

Monday, February 4th, 2008

Rather than post about individual applications, I thought I would go ahead and do a combined post about an issue I keep encountering.  In my post on query strings, I noted that applications with some sort of history page are susceptible to a privacy problem if other people could access the page.  Not only does […]

Top Friends on Facebook

Monday, February 4th, 2008

Date: February 4, 2008
Initial hack: 15-20 minutes
Vulnerabilities:

Able to access Top Friends information (e.g. the user’s top friends, who the user is a top friend of) for any user

Progress: Slide, Inc. has been notified.
Details: Can you tell I’m playing with Facebook apps tonight?  This hack uses the same kind of technique as the iLike on Ning […]

Bumper Sticker on Facebook

Monday, February 4th, 2008

Date: February 4, 2008
Vulnerabilities:

Able to add a bumper sticker to profile and make it appear to have been sent by any other application user

Progress: Bumper Sticker has been notified.
Details: Illustrating what I posted the other day, I discovered tonight that I could use a query string hack to add bumper stickers and make them appear […]

Social Security 101: Query Strings

Friday, February 1st, 2008

Perhaps people have wondered where I’ve been… I apologize for the long delay in posting again.  I’m actually still involved in educational pursuits, and studying for finals quickly became a priority after my last post.  I can’t promise how often I’ll be on here, but I have continued to keep up with the […]

Checking the security and privacy of social networking applications, white hat style…