Apparently there is no validation/authentication of any kind. As far as
I can tell, at least for right now, the API is thoroughly and disgustingly
insecure.

On Nov 5, 10:52 am, "Mat" <[EMAIL PROTECTED]> wrote:
> I have exactly the same concern; I really don't like the idea of this being
> javascript based. My intention is therefore to use the data APIs for the
> majority of the work, and just use the javascript side to bring up user
> information and other non-security-related tasks. Is anyone else looking
> at using the data API in such a way? My main concern with this is I have yet
> to understand how from a PHP session I can validate the user; could anyone
> explain this?
>
> Mat
>
> -----Original Message-----
> From: [email protected]
>
> [mailto:[EMAIL PROTECTED]] On Behalf Of EGreg
> Sent: 05 November 2007 16:38
> To: OpenSocial Developers
> Subject: [opensocial] Really BIG Security Concern
>
> In facebook, your app runs on your server, and users cannot modify it.
>
> On orkut, ning, and later myspace, your app consists of javascript in
> a box. Simply by typing javascript:code into the address bar, you can
> execute requests on its behalf. What's worse, it seems there is no way
> in principle to defeat this, as long as the variables are on the
> client side. A person can execute arbitrary javascript code using
> firebug or some such firefox extension. And depending on the gadgets
> they can probably even figure out a way to do VIRAL cross-site
> scripting, like the "I have a million friends" hack on myspace.
>
> The one thing I would recommend right now, to achieve a moderate
> degree of security is:
> OBFUSCATE YOUR CODE BEFORE SUBMITTING TO GOOGLE
>
> Yeah, use a packer and/or obfuscator to "compile" your code to
> unreadable form. A determined person can probably still unravel it
> back. Software programs can be decompiled too... but the impact is
> only confined to one person's computer. Here, it may be MUCH greater.
>
> The social networks should take care with this security. Is Google
> working to fix the situation? There's gotta be a way...
>
> Greg Magarshak


You received this message because you are subscribed to the Google Groups 
"OpenSocial Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/opensocial-api?hl=en