Really BIG Security Concern

[EGreg]

In facebook, your app runs on your server, and users cannot modify it.

On orkut, ning, and later myspace, your app consists of javascript in
a box. Simply by typing javascript:code into the address bar, you can
execute requests on its behalf. What's worse, it seems there is no way
in principle to defeat this, as long as the variables are on the
client side. A person can execute arbitrary javascript code using
firebug or some such firefox extension. And depending on the gadgets
they can probably even figure out a way to do VIRAL cross-site
scripting, like the "I have a million friends" hack on myspace.

The one thing I would recommend right now, to achieve a moderate
degree of security is:
OBFUSCATE YOUR CODE BEFORE SUBMITTING TO GOOGLE

Yeah, use a packer and/or obfuscator to "compile" your code to
unreadable form. A determined person can probably still unravel it
back. Software programs can be decompiled too... but the impact is
only confined to one person's computer. Here, it may be MUCH greater.

The social networks should take care with this security. Is Google
working to fix the situation? There's gotta be a way...

Greg Magarshak

[Mat]

I have exactly the same concern, I really don't like the idea of this being
javascript based. My intention is to therefore using the data api's for the
majority of the work, and just use the javascript side to bring up user
information, and other none security related tasks. Is anyone else looking
at using the data api in such a way? My main concern with this is I have yet
to understand how from a PHP session I can validate the user, could anyone
explain this?

Mat

[twentyafterfour]

Aparently there is no validation/authentication of any kind. As far as
I can tell,
at least for right now, the api is thoroughly and disgustingly
insecure.

[EGreg]

Why aren't any google techs responding to us?

Greg

[ramonck]

it's a good point, but you can work on javascript security within
javascript layer as well, use ajax within gadgets to control security
with server-side if it's the case.

Don't forget that opensocial is a gadget interface.

Best,
Ramon Lima

[Arne Roomann-Kurrik (Google)]

To be clear: There is currently no mechanism for authenticating/
validating requests against third party servers. This will be
resolved when we launch the Data APIs, which will allow for
authenticated calls to be made from your server directly to the Orkut
sandbox servers. Additionally, we are working on a mechanism that
will sign _IG_Fetch requests, allowing you to verify server-side that
the request was not spoofed. Both of these will certainly be in place
by the public launch of the Orkut sandbox.

In response to twentyafterfour's comment - this limitation doesn't
expose a security flaw in the JS API itself - you can only write to
VIEWER data, so there is no chance of malicious users corrupting other
users' data through use of the JS API. The problem lies in that we
haven't exposed our third party security mechanism yet, so developers
are resorting to poor security practices to pass unvalidated data back
to their server. For this reason, you should not be interacting with
a production service at this stage in development.

We understand the great demand for this functionality and it is a huge
priority for us. We want to get it right, though, so please bear with
us.

Thanks,
~Arne

[Mat]

Thanks Arne,

Just what I wanted to hear :) Any idea on a timeframe for the Data API and
JS authentication, days/weeks/months, it would help us focus our develop
efforts greatly.

Thanks,