Comments on: OpenSocial insecurity – no user to app authentication

By: Some OpenSocial thoughts | From the Land of Meh...

Some OpenSocial thoughts | From the Land of Meh... — Mon, 22 Jun 2009 22:51:25 +0000

[...] User data security is an issue: http://hyper.to/blog/link/opensocial-insecurity-no-user-to-app-authentication/ [...]

By: Some OpenSocial thoughts | You see a 20'x20' room, nothing else interesting...

Mon, 26 Nov 2007 05:37:30 +0000

[...] User data security is an issue: http://hyper.to/blog/link/opensocial-insecurity-no-user-to-app-authentication/ [...]

By: Open Social: la garantia soy yo!

Open Social: la garantia soy yo! — Wed, 07 Nov 2007 20:07:06 +0000

[...] de que site vem as requests Ajax e qual o ID do usuário. Como gente com experiência no assunto explica, isso não chega nem perto de ser robusto o bastante para mais do que joguinhos e [...]

By: miron

miron — Tue, 06 Nov 2007 23:18:56 +0000

Google admits to the hole and gives no timeline, here and here (third item down).

By: Tony Stubblebine

Tony Stubblebine — Tue, 06 Nov 2007 22:47:39 +0000

I’d be curious to know how the widget hacks that keep getting reported on TechCrunch are getting closed. It seems like the original Google partners should be sharing their newly learned security best practices.

Hopefully, I’d feel better about the security holes if someone on the Google side acknowledged that they rushed everything in order to get there press releases out and that they were in fact committed to working through these issues publicly.

By: miron

miron — Tue, 06 Nov 2007 18:50:13 +0000

Ramon,

You’ll have to provide more details, your comment is not clear to me.

What do you mean by “you can verify the ID …”? There is no functionality in the API to verify IDs.

The second item needs clarification. What kind of application doesn’t care about ID spoofing?

The third item doesn’t make sense, because Ajax is just another way to connect to the back end. It does not provide any additional authentication means.

Thanks.

By: Ramon

Ramon — Tue, 06 Nov 2007 14:17:58 +0000

Hi Miron and Mat,

Well you can verify if the ID provided is the actual owner of the ID, that’s the first security ‘breach’ solution.
Second: Don’t make your application authentication focused, make it owner to friends focused.
Third: Implement Ajax calls to verify and/or block any feature you think can be hacked (hijacking, etc.).

Sorry, but I cannot give a url right now due to still on going development but once I get into a beta version I will send you the link.
Best,
Ramon

By: ippimail.com » Blog Archive » OpenSocial: After the hype, the holes

ippimail.com » Blog Archive » OpenSocial: After the hype, the holes — Tue, 06 Nov 2007 02:05:03 +0000

[...] based on the standard hacked within minutes, it quickly became evident that OpenSocial is vulnerable and offers an open door to anyone who wants to put a little effort into pushing it [...]

By: Aehso’s Output » OpenSocial Doc Review Part 2 : Authentication, Hosting and Applications

Mon, 05 Nov 2007 19:48:06 +0000

[...] Miron highlights another potentially critical problem – track it [...]

By: Mat

Mat — Mon, 05 Nov 2007 17:54:53 +0000

Have to say, I agree with miron. I currently cant see how you can prevent again spoofing attacks with a javascript only API, Due to the nature of the app we are creating we need to store a substantial amount of data off on our own servers, and we cant store this in any secure maner (e.g. associating it to a certain user), as we cant trust any info coming from the browser. At the moment I cant see a solution to this, but feel free to enlighten me.

Ramon if you could give me the url of your app, maybe a demo could be in order.

Mat