Archive for the 'Facebook' Category

Social Security 102: Client-Side Code

Monday, February 11th, 2008

Second in a series.  First post: Query Strings
In this post, I’ll both detail the iLike on Ning hack and raise a question about web development in general.  This particular hack makes me wonder about some larger security issues.
In the early days of OpenSocial, I didn’t have many platforms to test on.  After working with Plaxo, [...]

Facebook Application History Pages

Monday, February 4th, 2008

Rather than post about individual applications, I thought I would go ahead and do a combined post about an issue I keep encountering.  In my post on query strings, I noted that applications with some sort of history page are susceptible to a privacy problem if other people could access the page.  Not only does [...]

Top Friends on Facebook

Monday, February 4th, 2008

Date: February 4, 2008
Initial hack: 15-20 minutes
Vulnerabilities:

Able to access Top Friends information (e.g. the user’s top friends, who the user is a top friend of) for any user

Progress: Slide, Inc. has been notified.
Details: Can you tell I’m playing with Facebook apps tonight?  This hack uses the same kind of technique as the iLike on Ning [...]

Bumper Sticker on Facebook

Monday, February 4th, 2008

Date: February 4, 2008
Vulnerabilities:

Able to add a bumper sticker to profile and make it appear to have been sent by any other application user

Progress: Bumper Sticker has been notified.
Details: Illustrating what I posted the other day, I discovered tonight that I could use a query string hack to add bumper stickers and make them appear [...]

Social Security 101: Query Strings

Friday, February 1st, 2008

Perhaps people have wondered where I’ve been… I apologize for the long delay in posting again.  I’m actually still involved in educational pursuits, and studying for finals quickly became a priority after my last post.  I can’t promise how often I’ll be on here, but I have continued to keep up with the [...]

Compare People on Facebook (Fixed)

Wednesday, November 14th, 2007

Vulnerability:

The Compare People application on Facebook sends user profile information, such as age, gender, city, ZIP code, favorite music, favorite movies, favorite TV shows, favorite books, “about me,” activities, interests, and political view to Google AdSense when displaying advertisements within the application.

Progress: Facebook has been notified.  Compare People has commented; see below for updates.
More Detail: Today [...]

Checking the security and privacy of social networking applications, white hat style…