First OpenSocial app hacked in 45 minutes

First OpenSocial app hacked in 45 minutes

Summary: The first app launched under Google's OpenSocial API program has been taken down, shortly after it was discovered a hacker could use it to change user profiles.

SHARE:

The first app launched under Google's OpenSocial API program has been taken down, shortly after it was discovered a hacker could use it to change user profiles.

The application was built by third party developer RockYou to run on Plaxo, a social networking Web site which allows its members to update and synchronise Microsoft Outlook, Mozilla Thunderbird and Mac OS X calendars and address books.

A developer who uses the nickname "harmonyguy" alerted Plaxo's vice president of marketing John McCrea to a vulnerability in the RockYou "emoticon" -- icons that represent a user's emotions -- application that Plaxo allowed on its platform as part of Google's OpenSocial API program.

The flaw allowed the "harmonyguy" to add emoticons to McCrea's Plaxo profile without his permission.

The application was taken down by Plaxo after "harmonyguy" identified the flaw -- which took just 45 minutes, according to TechCrunch blogger Michael Arrington.

"We have temporarily taken down this app, due to some bugs discovered today. We apologise for the inconvenience. We are at the early phase of this, so expect some ups and downs ... Your patience appreciated," wrote McCrea on the Plaxo blog last Friday.

Last week, Google announced its ambitions to unite multiple social networking Web sites under the OpenSocial API. OpenSocial standardises the API for a number of different social networking Web sites, allowing third party developers to create applications that access users' friends and update feeds, explained Google.

Plaxo is just one of the companies to become part of Google's OpenSocial API program. Some of the sites included in the program are Engage.com, Friendster, LinkedIn, MySpace, Oracle, orkut, Plaxo and Salesforce.com.

Although he claims to have hacked third party Facebook applications such as SuperPoke, "harmonyguy" said Facebook's platform makes it harder to change a user's profile.

"The main issue I've found with Facebook apps is being able to access people's app-related history; for instance, until recently, I could access the SuperPoke action feed for any user," "harmonyguy" told Arrington. Facebook is not part of OpenSocial.

Changing an emoticon may not be a malicious hack, said "harmonyguy", however, he warned that if Google does not stabilise its platform, more damaging hacks are in store.

Topics: Google, Social Enterprise

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • Large blanket...

    Any time you try to make some sort of unification application, things like this will happen. Just imagine though, if this application was available across all OpenSocial sites, not good. I don't think OpenSocial is such a good idea in the first place. Facebook alone has a massive user base, if exploited you could gain a lot of information, however, if OpenSocial is exploited, just imagine the amount of personal information.
    anonymous