Application With OpenSocial API Hacked

Hmm. A couple days after I picked up the story on the “our little secret” error messages in Plaxo, they resurface. Google released the OpenSocial application this week which “provides a common set of APIs for social applications across multiple websites. With standard JavaScript and HTML, developers can create apps that access a social network’s friends and update feeds.”

Well, if that isn’t like waving a red flag in front of a bull I don’t know what is. Plaxo was the first application out of the gate to leverage the new API. And within 45 minutes…it was hacked.

From TechCrunch:

A developer who goes by the alias “theharmonyguy” and describes himself as “just an amateur” claims to have compromised the RockYou OpenSocial application on Plaxo called emote (see the Plaxo blog for details on the application). Specifically, he claims to have added a number of emoticons to Plaxo VP Marketing John McCrea’s profile within 45 minutes of it launching.

In an email, McCrea said he added all of the emoticons himself and his account doesn’t appear to be hacked. But when I asked theharmonyguy to hack my Plaxo account he did, within minutes, adding four quick emoticon messages such as “michael arrington is getting my bling on” and “michael arrington is w00t”.

If you build it, they will hack it.

    theharmonyguy said,

    November 3, 2007 @ 8:16 pm

    Just to be clear, the API itself wasn’t hacked - an application using the API was. Still, I think it was significant to the API, as I detailed in this comment: http://www.techcrunch.com/2007/11/02/first-opensocial-application-hacked-within-45-minutes/#comment-1724901

    Dave Lewis said,

    November 3, 2007 @ 8:44 pm

    @theharmonyguy

    Ah! Thanks for the clarification.

    So, why the anonymity?

    theharmonyguy said,

    November 5, 2007 @ 2:37 am

    Partly personality, partly that I’m not sure I really want to be known as “the guy who hacked the first OpenSocial app.” When I e-mailed Arrington, I didn’t really expect all the attention that I’ve ended up getting.

    Besides, theharmonyguy is simply an Internet nickname I’ve used for years… it’s really not that anonymous.

    Dave Lewis said,

    November 5, 2007 @ 9:00 am

    @theharmonyguy

    Fair enough. Congrats on the find nevertheless. It’s funny how news like this can spread like wildfire.

    Well, your “anonymity” won’t be exposed here.

    :)

    cheers
