Always interesting to see how the media reacts to security issues.
Some funny comments in there.
I would like to see some discussion of what RockYou did wrong in their
implementation and what Plaxo is doing to guard against it. Any
thoughts?
I saw two main problems with RockYou's code. First, the application
did not sufficiently authenticate the user making a request. It was
fairly easy to make a request for any given user by spoofing certain
user details without the application ever verifying where the request
came from.
Second, the application did not parse certain input values, but did
render them in the app's HTML. This made it fairly easy to inject
code.
I hesitate to provide more details at this point, since this
application has not yet been patched and I'm starting to notice some
similar issues in other applications.
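As an added illustration of the two problem classes described above (a request whose claimed user identity is never verified, and user-supplied values rendered unescaped into the app's HTML), here is a constructed example in Python. It is not RockYou's or Plaxo's code and says nothing about how either application actually works; the signing scheme, the shared secret, the handler names and the request fields are all assumptions made for the demonstration. The `vulnerable_handler` trusts whatever `user_id` arrives and drops `display_name` straight into markup; the `hardened_handler` first checks an HMAC over the request parameters (so a spoofed request without the secret is rejected) and then HTML-escapes every untrusted value.

```python
import hashlib
import hmac
import html

# Constructed placeholder: a secret shared between the platform that originates
# requests and the application. Not a value from the discussion above.
APP_SECRET = b"example-app-secret-placeholder"


def sign_params(params: dict, secret: bytes = APP_SECRET) -> str:
    """Return an HMAC-SHA256 over the sorted key=value pairs of a request.

    Assumed scheme for illustration only: the request originator signs the
    parameters with the shared secret, so the app can distinguish a genuine
    request from one where a caller simply claims to be some other user.
    """
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def render_profile(user_id: str, display_name: str) -> str:
    """Build the HTML fragment both handlers produce."""
    return f"<div class='profile' data-user='{user_id}'>Hello, {display_name}!</div>"


def vulnerable_handler(request: dict) -> str:
    """Both problems at once: the claimed user_id is never verified, and the
    display_name is rendered into HTML exactly as supplied."""
    user_id = request["user_id"]            # anyone can put any id here
    display_name = request["display_name"]  # no parsing or escaping
    return render_profile(user_id, display_name)


def hardened_handler(request: dict, secret: bytes = APP_SECRET) -> str:
    """Reject requests whose signature is missing or wrong, then escape every
    untrusted value before it reaches the markup."""
    sig = request.get("sig")
    if sig is None:
        raise PermissionError("unsigned request")
    params = {k: v for k, v in request.items() if k != "sig"}
    expected = sign_params(params, secret)
    # Constant-time comparison so the check does not leak the signature.
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("signature mismatch: request may be spoofed")
    user_id = html.escape(str(params["user_id"]), quote=True)
    display_name = html.escape(str(params["display_name"]), quote=True)
    return render_profile(user_id, display_name)


if __name__ == "__main__":
    # Constructed sample request: the display name carries markup.
    req = {"user_id": "12345", "display_name": "Bob<script>x</script>"}
    print("vulnerable:", vulnerable_handler(req))
    print("hardened:  ", hardened_handler(dict(req, sig=sign_params(req))))
    try:
        hardened_handler(dict(req, user_id="99999", sig=sign_params(req)))
    except PermissionError as exc:
        print("tampered request rejected:", exc)
```

The two checks are independent: escaping alone would still let any caller fetch or act on another user's data, and signature verification alone would still let a genuine user plant markup that runs in other visitors' browsers. The signed-parameter approach is one common way to bind a request to its origin; the point of the example is the shape of the check, not this particular scheme.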