Hey Yonas, The situation back during the 0.5 days was that a request to a gadget's own back-end servers wasn't signed, hence you could easily change a url from ?song=foo&owner=yonas to ?song=bar&owner=chris.. thus "hacking" OpenSocial.
Quickly after that initial release we've added signatures (using oauth to be precise, see http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests for the exact details) to these requests which cryptographically guarantee that a query hasn't been tampered with, so this hasn't been an issue any more for a very long time. As far as the 1.0 release goes, the current thinking is that that will just be a spec documentation fix up, so it won't be technically different from 0.9 in any significant ways. So I understand your concern when you have to base your business on a bit of unknown technology, but this platform is run in production for 800+ million end users by the majority of the social web, many tens of thousands applications and is used inside of security-critical enterprise situations, we've come a long long way since the initial release and that old bit of news really has no relevance and hasn't for a very long time already. -- Chris On Wed, Sep 16, 2009 at 9:34 PM, Yonas <[email protected]> wrote: > Hi, > > According to: > > http://www.techcrunch.com/2007/11/05/opensocial-hacked-again > > TechCrunch reported that OpenSocial was cracked within 20 minutes of > release. > > > I'm thinking of using OpenSocial/Shindig for a startup company, but I > need to know how much of a security risk I'm taking. Since the gadget > will be dealing with transferal of money, I'm very sceptical of the > benefits outweighing the risk of being cracked. > > I understand that OpenSocial is still growing and isn't 1.0 yet, so > maybe I should wait until then? > > Cheers, > Yonas > >
