Why aren't any google techs responding to us? Greg
On Nov 5, 1:23 pm, twentyafterfour <[EMAIL PROTECTED]> wrote:
> Apparently there is no validation/authentication of any kind. As far as
> I can tell, at least for right now, the API is thoroughly and disgustingly
> insecure.
>
> On Nov 5, 10:52 am, "Mat" <[EMAIL PROTECTED]> wrote:
> > I have exactly the same concern, I really don't like the idea of this being
> > JavaScript based. My intention is therefore to use the data APIs for the
> > majority of the work, and just use the JavaScript side to bring up user
> > information and other non-security-related tasks. Is anyone else looking
> > at using the data API in such a way? My main concern with this is I have yet
> > to understand how from a PHP session I can validate the user; could anyone
> > explain this?
> >
> > Mat
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[EMAIL PROTECTED] On Behalf Of EGreg
> > Sent: 05 November 2007 16:38
> > To: OpenSocial Developers
> > Subject: [opensocial] Really BIG Security Concern
> >
> > In Facebook, your app runs on your server, and users cannot modify it.
> >
> > On Orkut, Ning, and later MySpace, your app consists of JavaScript in
> > a box. Simply by typing javascript:code into the address bar, you can
> > execute requests on its behalf. What's worse, it seems there is no way
> > in principle to defeat this, as long as the variables are on the
> > client side. A person can execute arbitrary JavaScript code using
> > Firebug or some such Firefox extension. And depending on the gadgets
> > they can probably even figure out a way to do VIRAL cross-site
> > scripting, like the "I have a million friends" hack on MySpace.
> >
> > The one thing I would recommend right now, to achieve a moderate
> > degree of security, is:
> > OBFUSCATE YOUR CODE BEFORE SUBMITTING TO GOOGLE
> >
> > Yeah, use a packer and/or obfuscator to "compile" your code to
> > unreadable form. A determined person can probably still unravel it
> > back. Software programs can be decompiled too... but the impact is
> > only confined to one person's computer. Here, it may be MUCH greater.
> >
> > The social networks should take care with this security. Is Google
> > working to fix the situation? There's gotta be a way...
> >
> > Greg Magarshak

You received this message because you are subscribed to the Google Groups "OpenSocial Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/opensocial-api?hl=en
