On Facebook, your app runs on your server, and users cannot modify it. On Orkut, Ning, and later MySpace, your app consists of JavaScript in a box. Simply by typing javascript:code into the address bar, you can execute requests on its behalf. What's worse, it seems there is no way in principle to defeat this, as long as the variables are on the client side. A person can execute arbitrary JavaScript code using Firebug or some such Firefox extension. And depending on the gadgets they can probably even figure out a way to do VIRAL cross-site scripting, like the "I have a million friends" hack on MySpace.
The one thing I would recommend right now, to achieve a moderate degree of security, is: OBFUSCATE YOUR CODE BEFORE SUBMITTING TO GOOGLE.

Yeah, use a packer and/or obfuscator to "compile" your code to unreadable form. A determined person can probably still unravel it back. Software programs can be decompiled too... but the impact is only confined to one person's computer. Here, it may be MUCH greater. The social networks should take care with this security. Is Google working to fix the situation? There's gotta be a way...

Greg Magarshak
