Nov. 6, 2007
Posted by theharmonyguy in OpenSocial | 8 comments
iLike on Ning (Fixed)
Date: November 5, 2007
Initial hack: 20 minutes
Vulnerabilities:
Able to access listing of friends for any user and limited personal information about these friends- Able to add and remove playlist tracks for any user
Coverage: TechCrunch
Progress: Ning and iLike have both been notified. Ning has replied and stated they are working to fix the issues ASAP.
Update: First “vulnerability” not a vulnerability at all; I’m new to Ning so didn’t realize the data was already available via JSON. Ning has made some updates to fix the iLike issues; haven’t tested them yet.
Update 2: On November 14 I tested my hack again, and Ning seems to have plugged the hole. Good work.
Do you plan to release your method? Or should we just take your word for it?
I like how you are helping identify these issues with opensocial coders.
I also like that they are quick to respond. One of them already, anyway. Keep up the good work.
Since this one involves some personal information, I’m hesitant to release details until it’s patched. But with the TechCrunch story, you can take Michael Arrington’s word for it also – I’ve demonstrated the hack to him.
I would not take Arrington’s word for anything. He has proven in the past to be of the very worst kind. No kidding.
is it due to the bugs in OpenSocial API specs or due to the bugs in iLike code?
Chandra: Just posted an update on that very issue.
@Ouebslave: so true!
Michael Fomkin thinks this is interesting