So Google made a lot of news recently with their announcement of the OpenSocial API. The goal is to create a single set of APIs for application developers allowing them to build applications across multiple social networks such as Ning, LinkedIn, MySpace, Plaxo, etc. Tapping into the huge user base of these social networks with a single API should bring the time between application launch and having a significant user base down dramatically.
Since launching the API just a few days ago, there have already been 2 very public hacks of applications using it. The first hack was an application that launched on the Plaxo network and was hacked within 45 minutes. The hack was by no means malicious and committed by a self proclaimed amateur, TheHarmonyGuy. Here are the relevant stats from his blog:
Date: Friday, November 2, 2007
Initial hack: 45 minutes
- Able to change current Emote status for any user
- Able to access Emote history and current status for any user
Progress: Plaxo has removed Emote from their whitelist. As of Nov. 6, Emote remains unpatched.
He has just followed this up with another innocuous hack of a new application using the API on the Ning platform. TheHarmonyGuy was able to access the friends of Ning founder Marc Andreessen through the iLike application. And of course, the posted stats of the hack:
Date: November 5, 2007
Initial hack: 20 minutes
- Able to access listing of friends for any user and limited personal information about these friends
- Able to add and remove playlist tracks for any user
Progress: Ning and iLike have both been notified. Ning has replied and stated they are working to fix the issues ASAP.
Update: Confirmed that the first vulnerability is a Ning issue, not an iLike issue. More details here.
It’s great to see the coverage and attention these hacks are getting from the non-security crowd. As you can see from the stats TechCrunch has been giving TheHarmonyGuy a lot of attention. It reminds me a bit of the Adrian Lamo hacking events (here and here) of a few years ago. I am hoping the lessons learned from these public displays have a longer lasting affect than Adrian Lamo had. It seems clear there was a big rush to get some of this code out (although, it turns out, the second hack is more of an issue with Ning than OpenSocial) and some basic application security steps may have been skipped. Obviously this is not the first or last time for this.