Google’s first OpenSocial application hacked in minutes
A hacker has claimed to have hacked the first of Google’s OpenSocial applications on Plaxo, “emote”, within 45 minutes of its launch.
The hacker, who goes by the alias “theharmonyguy,” said that he has added a number of emoticons to Plaxo VP Marketing John McCrea’s profile. He also claimed to have hacked a number of Facebook applications including the Superpoke app.
In an email to Michael Arrington of TechCrunch, McCrea initially denied the hacker’s claims, saying that his account didn’t appear to be hacked. He later spotted and acknowledged that unauthorized changes had been made to his account.
At Arrington’s request, theharmonyguy demonstrated his technique by adding four emoticon messages to Arrington’s Plaxo account in a very short span of time.
theharmonyguy also pointed out some weaknesses in the application’s code.
Joseph Smarr, Plaxo’s Chief Platform Architect, has taken the application down, and Plaxo is now de-whitelisting the app.
While a new platform is expected to have many weaknesses waiting to be discovered, the ease with which this was done raises security concerns. Platforms, especially new ones, are said to be hackers’ favorite targets.
November 3rd, 2007
Not surprising, I also found OpenSocial-related vulnerabilities in Ning. My exploit is sort of a dual to theharmonyguy’s, in that it allows the (unprivileged) owner of a profile to hijack the session info of anyone who visits the profile page, and make arbitrary changes to the visiting user’s interaction with the website.