Google's OpenSocial app hacked in 45 minutes

The first application launched under the OpenSocial API program has been taken down following the discovery of a flaw that could enable a hacker to change user profiles

The first application launched under Google's OpenSocial API program has been taken down, shortly after it was discovered a hacker could use it to change user profiles.

The application was built by third-party developer RockYou to run on Plaxo, a social-networking website that allows its members to update and synchronise Microsoft Outlook, Mozilla Thunderbird and Mac OS X calendars and address books.

A developer who uses the nickname "harmonyguy" alerted Plaxo's vice president of marketing, John McCrea, to a vulnerability in the RockYou "emoticon" application that Plaxo allowed on its platform as part of Google's OpenSocial API (application program interface) program.

The flaw allowed the "harmonyguy" to add emoticons to McCrea's Plaxo profile without his permission.

The application was taken down by Plaxo after harmonyguy identified the flaw, which took just 45 minutes, according to TechCrunch blogger Michael Arrington.

"We have temporarily taken down this app, due to some bugs discovered today. We apologise for the inconvenience. We are at the early phase of this, so expect some ups and downs... Your patience appreciated," wrote McCrea on the Plaxo blog last Friday.

Last week, Google announced its ambitions to unite multiple social-networking websites under the OpenSocial API. OpenSocial standardises the API for a number of different social-networking websites, allowing third-party developers to create applications that access users' friends and update feeds, explained Google.

Plaxo is just one of the companies to become part of Google's OpenSocial API program. Some of the sites included in the program are, Friendster, LinkedIn, MySpace, Oracle, orkut, Plaxo and

Although he claims to have hacked third-party Facebook applications such as SuperPoke, harmonyguy said Facebook's platform makes it harder to change a user's profile.

"The main issue I've found with Facebook apps is being able to access people's app-related history; for instance, until recently, I could access the SuperPoke action feed for any user," harmonyguy told Arrington. Facebook is not part of OpenSocial.

Although changing an emoticon may not be a malicious hack, harmonyguy warned that if Google does not stabilise its platform, more damaging hacks are in store.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All