Posted by theharmonyguy in General | 3 comments
Some Clarification
I wanted to take a moment to clarify some issues I’ve seen several people raise…
First, when I say I’m an amateur, I’m not simply being modest. I do have a good bit of programming experience (though more in network administration), but these recent adventures have involved some skills that are less developed. I appreciate the kind words and offers people have sent my way, but I’m probably not as great a hacker as they think I am. Also, I’ve already started to show some of my ignorance in some misunderstandings of Ning – this is a learning process for me, and I’m sure for other less-experienced developers too.
Second, the “hacks” thus far have consequently been quite simple – they can hardly be called hacks. I’ve never claimed that they were advanced, so don’t be disappointed when you find out details. :) I do plan to continue digging through code and looking for more sophisticated loopholes, but this is more of a hobby for me, and these initial issues were very straightforward.
Third, by pointing out these problems, I’m not saying that OpenSocial can’t work. OpenSocial is a fine idea that will probably be very successful. But as Dan Farber pointed out, the platform is still in its early stages and there are still details being worked out. And as a developer, I’m still working out various details as well. Personally, I had expected more initially from the way things were marketed, but a more “open” development process is a fair approach, so long as people understand things are not finalized.
Finally, I’ve been trying to keep current on many of the recent social networking and web development trends, so I may share some thoughts on here from my perspective, for what they’re worth. But I probably won’t post too often, as other responsibilities keep me fairly busy these days. Still, I thought this blog would be a convenient way to post more adventures in code experimentation – it’s been fun for me to learn more about OpenSocial and the Facebook Platform the last few months, and I hope my experiences can at least help a few other developers.
Anyway, I didn’t want anyone to be misled by any recent reports. :) Shout out to the companies I’ve mentioned here, who have all done a good job of responding to my concerns and handled the situations well. And thanks to TechCrunch for getting the word out.
Keep Reading »
Posted by theharmonyguy in OpenSocial | 8 comments
iLike on Ning (Fixed)
Date: November 5, 2007
Initial hack: 20 minutes
Vulnerabilities:
- Able to access listing of friends for any user and limited personal information about these friends
- Able to add and remove playlist tracks for any user
Coverage: TechCrunch
Progress: Ning and iLike have both been notified. Ning has replied and stated they are working to fix the issues ASAP.
Update: First “vulnerability” not a vulnerability at all; I’m new to Ning so didn’t realize the data was already available via JSON. Ning has made some updates to fix the iLike issues; haven’t tested them yet.
Update 2: On November 14 I tested my hack again, and Ning seems to have plugged the hole. Good work.
Keep Reading »
Posted by theharmonyguy in OpenSocial | 5 comments
RockYou’s Emote on Plaxo
Date: Friday, November 2, 2007
Initial hack: 45 minutes
Vulnerabilities:
- Able to change current Emote status for any user
- Able to access Emote history and current status for any user
- Able to insert HTML, including JavaScript, into Emote pages
Coverage: TechCrunch
Progress: Plaxo has removed Emote from their whitelist. As of Nov. 6, Emote remains unpatched.
Keep Reading »
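Both listings above describe the same two defect classes: an action or read that works for any user rather than only the caller's own account (Emote status and history, iLike playlist tracks), and user text that reaches the page as live HTML. The following is an added example, not code from RockYou, Plaxo, Ning, iLike or this blog; it is a hypothetical in-memory status store whose function names (`setStatus`, `getHistory`, `renderStatus`, `escapeHtml`) and owner-only history policy are assumptions, showing the ownership check and output escaping that close those gaps.

```javascript
// Hypothetical status store (added example; not Emote's or any vendor's code).
// userId -> { status: string, history: string[] }
const store = new Map();

// Escape the characters that let user text become markup when placed in HTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Ownership check: the authenticated caller may only change its own status.
// callerId is assumed to come from the platform's verified session, never
// from a request parameter the client controls.
function setStatus(callerId, targetId, text) {
  if (!callerId) throw new Error('unauthenticated');
  if (callerId !== targetId) throw new Error('forbidden: cannot edit another user');
  const entry = store.get(targetId) || { status: '', history: [] };
  if (entry.status) entry.history.push(entry.status);
  // Store the raw text; escaping is done once, at render time.
  entry.status = String(text).slice(0, 140);
  store.set(targetId, entry);
  return entry.status;
}

// Assumed policy: history (previous statuses plus the current one) is
// visible only to its owner, so the same check applies on the read path.
function getHistory(callerId, targetId) {
  if (callerId !== targetId) throw new Error('forbidden: cannot read another user');
  const entry = store.get(targetId);
  return entry ? [...entry.history, entry.status] : [];
}

// Render for display: escape on output so stored text can never run as script.
function renderStatus(targetId) {
  const entry = store.get(targetId);
  const text = entry ? entry.status : '';
  return `<span class="status">${escapeHtml(text)}</span>`;
}

// Constructed walk-through: an owner update succeeds, a cross-user update is
// refused, and a status containing markup renders as inert text.
setStatus('alice', 'alice', 'hi <b>there</b>');
try { setStatus('mallory', 'alice', 'changed'); } catch (e) { console.log(e.message); }
console.log(renderStatus('alice'));
```

The two checks are independent: the ownership test in `setStatus` and `getHistory` is what prevents one account from acting on another, while `escapeHtml` in `renderStatus` is what keeps a legitimately stored status from being interpreted as HTML when another user views it.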