Archive for the 'OpenSocial' Category

Social Security 102: Client-Side Code

Monday, February 11th, 2008

Second in a series.  First post: Query Strings
In this post, I’ll both detail the iLike on Ning hack and raise a question about web development in general.  This particular hack makes me wonder about some larger security issues.
In the early days of OpenSocial, I didn’t have many platforms to test on.  After working with Plaxo, […]

Social Security 101: Query Strings

Friday, February 1st, 2008

Perhaps people have wondered where I’ve been… I apologize for the long delay in posting again.  I’m actually still involved in educational pursuits, and studying for finals quickly became a priority after my last post.  I can’t promise how often I’ll be on here, but I have continued to keep up with the […]

iLike on Ning (Fixed)

Tuesday, November 6th, 2007

Date: November 5, 2007
Initial hack: 20 minutes
Vulnerabilities:

Able to access listing of friends for any user and limited personal information about these friends
Able to add and remove playlist tracks for any user

Coverage: TechCrunch
Progress:  Ning and iLike have both been notified.  Ning has replied and stated they are working to fix the issues ASAP.
Update: First “vulnerability” not […]

RockYou’s Emote on Plaxo

Tuesday, November 6th, 2007

Date: Friday, November 2, 2007
Initial hack: 45 minutes
Vulnerabilities:

Able to change current Emote status for any user
Able to access Emote history and current status for any user
Able to insert HTML, including JavaScript, into Emote pages

Coverage: TechCrunch
Progress: Plaxo has removed Emote from their whitelist.  As of Nov. 6, Emote remains unpatched.
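The findings listed for both apps above fall into two familiar classes: the backend lets the caller choose which user's data to read or change, and user-supplied text is written into a page unencoded. The following is an added illustration of those two classes and their fixes; it is not code from iLike, Emote, Ning or Plaxo (the page shows none), and the in-memory store, the `session` object and all function names are assumptions made for the demo. In an OpenSocial gadget the trustworthy source for the acting user is the container-signed request (for example the `opensocial_viewer_id` carried in a signed makeRequest), never a parameter that the gadget's client-side code chose to send; the example abstracts that as a `session` the server has already verified.

```javascript
// Added example, not code from the page or from the apps it describes.
// Store layout, session shape and function names are assumptions for this demo.

// Constructed sample state: two users, each with a playlist and a status line.
function makeStore() {
  return {
    playlists: { alice: ['song-1', 'song-2'], bob: ['song-9'] },
    statuses: { alice: 'working late', bob: 'at the gym' },
  };
}

// VULNERABLE: the target user comes straight from the query string, so any
// caller can read or edit any user's playlist just by changing ?user=.
function vulnerableRemoveTrack(store, query) {
  const list = store.playlists[query.user];
  if (!list) return { status: 404 };
  const i = list.indexOf(query.track);
  if (i !== -1) list.splice(i, 1);
  return { status: 200, playlist: list.slice() };
}

// HARDENED: the acting user is taken from server-verified state (a session the
// container or auth layer has already validated). A client-supplied user
// parameter is only honoured when it names that same authenticated user.
function safeRemoveTrack(store, query, session) {
  if (!session || typeof session.userId !== 'string') return { status: 401 };
  const target = query.user === undefined ? session.userId : query.user;
  if (target !== session.userId) return { status: 403 };
  const list = store.playlists[target];
  if (!list) return { status: 404 };
  const i = list.indexOf(query.track);
  if (i !== -1) list.splice(i, 1);
  return { status: 200, playlist: list.slice() };
}

// Minimal HTML encoder for text placed into element content or quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// VULNERABLE: status text is concatenated into the page unencoded, so a status
// containing markup or script runs in every viewer's browser (stored XSS).
function vulnerableRenderStatus(store, userId) {
  return '<div class="status">' + store.statuses[userId] + '</div>';
}

// HARDENED: same markup, user text encoded before it reaches the page.
function safeRenderStatus(store, userId) {
  return '<div class="status">' + escapeHtml(store.statuses[userId]) + '</div>';
}

// Walk through both paths: bob tries to delete a track from alice's playlist,
// then sets a status containing an HTML injection payload.
function demo() {
  const s1 = makeStore();
  const attack = { user: 'alice', track: 'song-1' };
  const bobSession = { userId: 'bob' };
  const r1 = vulnerableRemoveTrack(s1, attack);       // alice loses a track
  const s2 = makeStore();
  const r2 = safeRemoveTrack(s2, attack, bobSession); // 403, alice untouched
  s2.statuses.bob = '<img src=x onerror=alert(1)>';
  return {
    vulnerable: r1,
    hardened: r2,
    alicePlaylistAfterHardened: s2.playlists.alice.slice(),
    renderedUnsafe: vulnerableRenderStatus(s2, 'bob'),
    renderedSafe: safeRenderStatus(s2, 'bob'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The authorization fix is deliberately not "validate the `user` parameter harder": the parameter is simply not a trustworthy statement of who is acting, so the server must derive identity from something the client cannot forge and then compare.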

Checking the security and privacy of social networking applications, white hat style…