Social Me is another Facebook application that was recently banned, then more recently reinstated. I’m not sure exactly why they were banned to start with, but they ought to know their application still has a gaping security hole. I hadn’t experimented with Social Me much before, but when I saw they were back online I [...]
If you’ve been keeping up with Facebook development news, you’ve no doubt heard about the Top Friends application getting banned. In the past I’d pointed out that you could access application data about other users, but that was before Slide created quasi-profile pages within the application. These exposed not only application data but actual profile [...]
Originally posted June 7
Today I logged into Scrabulous and was greeted with a rather unusual ad. Above my games list, a banner encouraged me, “Put one of Your FRIENDS on an Album cover!”
What was unusual is that the banner included the names and profile pictures of several Facebook friends.
Since the ad is appropriating the likenesses (and [...]
Uno de Waal noted yesterday that Microsoft’s new contact exchange system lets you export e-mail addresses from Facebook, a feature not available to other developers and not available in any other form to users.
Intrigued by this new setup, I checked the code to find out what exactly was happening. Microsoft’s site loads a Facebook iframe [...]
When I checked TechMeme this morning (yesterday evening was rather busy), I discovered a reminder that even a large site like Facebook is susceptible to the sort of query string problems I’ve discussed previously. Kudos to those who found the hole, and to Facebook for apparently fixing it quickly once it received wide attention.
A commenter [...]
You may have heard about the $100 hacking challenge issued by social media instructor Lee Aase. You may have also expected me to take a stab at it. You may have even thought I would win it.
You’d almost be right.
A friend sent me a link to the challenge the day Lee posted it, and by [...]
Discovered an interesting little trick today, though not one I would classify as a hack or big security risk, though it’s a slight privacy hole. After reading about an old method for accessing the friend list of a user logged into Facebook (Facebook has apparently fixed this one), I did some poking around. To my [...]
Second in a series. First post: Query Strings
In this post, I’ll both detail the iLike on Ning hack and raise a question about web development in general. This particular hack makes me wonder about some larger security issues.
In the early days of OpenSocial, I didn’t have many platforms to test on. After working with Plaxo, [...]
Rather than post about individual applications, I thought I would go ahead and do a combined post about an issue I keep encountering. In my post on query strings, I noted that applications with some sort of history page are susceptible to a privacy problem if other people could access the page. Not only does [...]
Date: February 4, 2008
Initial hack: 15-20 minutes
Vulnerabilities:
Able to access Top Friends information (e.g. the user’s top friends, who the user is a top friend of) for any user
Progress: Slide, Inc. has been notified.
Details: Can you tell I’m playing with Facebook apps tonight? This hack uses the same kind of technique as the iLike on Ning [...]