<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.5" -->
<rss version="0.92">
<channel>
	<title>Social Hacking</title>
	<link>http://theharmonyguy.com</link>
	<description>Checking the security and privacy of social networking applications, white hat style...</description>
	<lastBuildDate>Tue, 15 Apr 2008 23:53:58 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>Learning</title>
		<description>Since starting this blog, I've tried to spend more time reading up on hacking to sharpen my skills and be more helpful to other developers.  In the process I've learned two things:

	I'm definitely an amateur and have much left to learn.
	If you're a web developer and online security doesn't freak you ...</description>
		<link>http://theharmonyguy.com/2008/04/15/learning/</link>
			</item>
	<item>
		<title>Microsoft&#8217;s Facebook Export</title>
		<description>Uno de Waal noted yesterday that Microsoft's new contact exchange system lets you export e-mail addresses from Facebook, a feature not available to other developers and not available in any other form to users.

Intrigued by this new setup, I checked the code to find out what exactly was happening.  Microsoft's ...</description>
		<link>http://theharmonyguy.com/2008/03/27/microsofts-facebook-export/</link>
			</item>
	<item>
		<title>News: Facebook Private Photos</title>
		<description>When I checked TechMeme this morning (yesterday evening was rather busy), I discovered a reminder that even a large site like Facebook is susceptible to the sort of query string problems I've discussed previously.  Kudos to those who found the hole, and to Facebook for apparently fixing it quickly once ...</description>
		<link>http://theharmonyguy.com/2008/03/25/news-facebook-private-photos/</link>
			</item>
	<item>
		<title>SMUG Facebook Challenge</title>
		<description>You may have heard about the $100 hacking challenge issued by social media instructor Lee Aase.  You may have also expected me to take a stab at it.  You may have even thought I would win it.

You'd almost be right.

A friend sent me a link to the challenge the day ...</description>
		<link>http://theharmonyguy.com/2008/03/01/smug-facebook-challenge/</link>
			</item>
	<item>
		<title>Facebook Contacts</title>
		<description>Discovered an interesting little trick today, though not one I would classify as a hack or big security risk, though it's a slight privacy hole.  After reading about an old method for accessing the friend list of a user logged into Facebook (Facebook has apparently fixed this one), I did ...</description>
		<link>http://theharmonyguy.com/2008/02/18/facebook-contacts/</link>
			</item>
	<item>
		<title>Social Security 102: Client-Side Code</title>
		<description>Second in a series.  First post: Query Strings

In this post, I'll both detail the iLike on Ning hack and raise a question about web development in general.  This particular hack makes me wonder about some larger security issues.

In the early days of OpenSocial, I didn't have many platforms to test ...</description>
		<link>http://theharmonyguy.com/2008/02/11/social-security-102-client-side-code/</link>
			</item>
	<item>
		<title>Facebook Application History Pages</title>
		<description>Rather than post about individual applications, I thought I would go ahead and do a combined post about an issue I keep encountering.  In my post on query strings, I noted that applications with some sort of history page are susceptible to a privacy problem if other people could access ...</description>
		<link>http://theharmonyguy.com/2008/02/04/facebook-application-history-pages/</link>
			</item>
	<item>
		<title>Top Friends on Facebook</title>
		<description>Date: February 4, 2008

Initial hack: 15-20 minutes

Vulnerabilities:

	Able to access Top Friends information (e.g. the user's top friends, who the user is a top friend of) for any user

Progress: Slide, Inc. has been notified.

Details: Can you tell I'm playing with Facebook apps tonight?  This hack uses the same kind of technique ...</description>
		<link>http://theharmonyguy.com/2008/02/04/top-friends-on-facebook/</link>
			</item>
	<item>
		<title>Bumper Sticker on Facebook</title>
		<description>Date: February 4, 2008

Vulnerabilities:

	Able to add a bumper sticker to profile and make it appear to have been sent by any other application user

Progress: Bumper Sticker has been notified.

Details: Illustrating what I posted the other day, I discovered tonight that I could use a query string hack to add bumper ...</description>
		<link>http://theharmonyguy.com/2008/02/04/bumper-sticker-on-facebook/</link>
			</item>
	<item>
		<title>Social Security 101: Query Strings</title>
		<description>Perhaps people have wondered where I've been... I apologize for the long delay in posting again.  I'm actually still involved in educational pursuits, and studying for finals quickly became a priority after my last post.  I can't promise how often I'll be on here, but I have continued ...</description>
		<link>http://theharmonyguy.com/2008/02/01/social-application-security-101-query-strings/</link>
			</item>
</channel>
</rss>
