Thanks, I'm a lot more confident now! :) Y.
On Wed, 2009-09-16 at 22:23 +0200, Chris Chabot wrote:
> Hey Yonas,
>
> The situation back during the 0.5 days was that a request to a gadget's own
> back-end servers wasn't signed, hence you could easily change a url from
> ?song=foo&owner=yonas to ?song=bar&owner=chris.. thus "hacking" OpenSocial.
>
> Quickly after that initial release we've added signatures (using oauth to be
> precise, see
> http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests for
> the exact details) to these requests which cryptographically guarantee that
> a query hasn't been tampered with, so this hasn't been an issue any more for
> a very long time.
>
> As far as the 1.0 release goes, the current thinking is that that will just
> be a spec documentation fix up, so it won't be technically different from
> 0.9 in any significant ways.
>
> So I understand your concern when you have to base your business on a bit of
> unknown technology, but this platform is run in production for 800+ million
> end users by the majority of the social web, many tens of thousands of
> applications and is used inside of security-critical enterprise situations,
> we've come a long long way since the initial release and that old bit of
> news really has no relevance and hasn't for a very long time already.
>
> -- Chris
>
> On Wed, Sep 16, 2009 at 9:34 PM, Yonas <[email protected]> wrote:
>
> > Hi,
> >
> > According to:
> >
> > http://www.techcrunch.com/2007/11/05/opensocial-hacked-again
> >
> > TechCrunch reported that OpenSocial was cracked within 20 minutes of
> > release.
> >
> >
> > I'm thinking of using OpenSocial/Shindig for a startup company, but I
> > need to know how much of a security risk I'm taking. Since the gadget
> > will be dealing with transferal of money, I'm very sceptical of the
> > benefits outweighing the risk of being cracked.
> >
> > I understand that OpenSocial is still growing and isn't 1.0 yet, so
> > maybe I should wait until then?
> >
> > Cheers,
> > Yonas
> >
> >
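The signed-request check Chris describes, as an added example that is not code from Shindig or the OpenSocial wiki: the container signs the gadget's back-end request with an OAuth 1.0 signature, and the back-end recomputes it, so rewriting owner=yonas to owner=chris makes verification fail. For self-containment this uses the HMAC-SHA1 method with a shared secret rather than whatever key scheme a given container deploys (see the wiki page for the exact details); the secret, URL and parameter values are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed shared secret; a real container provisions one per consumer key.
CONSUMER_SECRET = "example-consumer-secret"
URL = "https://backend.example/song"  # constructed gadget back-end endpoint


def _enc(value):
    # RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars kept).
    return quote(str(value), safe="~")


def signature_base_string(method, base_url, params):
    """OAuth 1.0 base string: METHOD & url & normalized params, where the
    normalized params are every parameter except oauth_signature, sorted."""
    items = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in items)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, base_url, params, consumer_secret):
    """Container side: attach oauth_signature over all query parameters."""
    signed = dict(params, oauth_signature_method="HMAC-SHA1")
    signed["oauth_signature"] = hmac_sha1_signature(method, base_url, signed, consumer_secret)
    return signed


def verify_request(method, base_url, params, consumer_secret):
    """Back-end side: recompute and compare in constant time. A production
    check would also reject stale oauth_timestamp and replayed oauth_nonce."""
    presented = params.get("oauth_signature")
    if not presented or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = hmac_sha1_signature(method, base_url, params, consumer_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


# Constructed request as the container would send it, and a tampered copy.
ORIGINAL = sign_request("GET", URL, {"song": "foo", "owner": "yonas", "oauth_consumer_key": "container",
                                     "oauth_timestamp": "1253131380", "oauth_nonce": "n1"}, CONSUMER_SECRET)
TAMPERED = dict(ORIGINAL, owner="chris")

if __name__ == "__main__":
    print(verify_request("GET", URL, ORIGINAL, CONSUMER_SECRET))  # True
    print(verify_request("GET", URL, TAMPERED, CONSUMER_SECRET))  # False
```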

