Sunday, November 04, 2007

OpenSocial, Hacked in under 45 minutes

Top blogger Michael Arrington posted about how a hacker was able to modify his personal Plaxo account profile, as well as that of Plaxo’s VP Marketing John McCrea. The hacker, who calls himself “theharmonyguy” and describes himself as “just an amateur”, appears to have spotted a handful of clever insufficient authorization issues, which allowed him to perform horizontal privilege escalation: acting on the accounts of fellow users at his own privilege level, without needing to elevate his own.
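To make the bug class concrete, here is a constructed illustration, added for this post and not Plaxo’s or OpenSocial’s code: a profile-update handler that confirms the caller is logged in but never checks that the caller owns the profile named in the request, the same handler with an object-level authorization check, and a small probe that sweeps profile ids with a non-owner session to see which foreign profiles a handler lets it modify. The profile data, user ids and function names are all hypothetical.

```python
"""Constructed illustration of an insufficient-authorization bug that enables
horizontal privilege escalation, alongside the corrected handler and a probe
that sweeps profile ids with a non-owner session.  This is added example code,
not Plaxo's or OpenSocial's; the data and function names are hypothetical."""

import copy


class Forbidden(Exception):
    """Raised when a request is refused (not logged in, or not authorized)."""


def sample_profiles():
    """Constructed sample data: profile id -> record; 'owner' is the user id."""
    return copy.deepcopy({
        1: {"owner": 1, "name": "alice", "bio": "original"},
        2: {"owner": 2, "name": "bob", "bio": "original"},
        3: {"owner": 3, "name": "carol", "bio": "original"},
    })


def update_bio_vulnerable(profiles, session_user_id, target_profile_id, new_bio):
    """Checks that the caller is logged in, then trusts the client-supplied
    profile id.  Any authenticated user can rewrite any other user's profile."""
    if session_user_id is None:
        raise Forbidden("login required")
    profile = profiles[target_profile_id]          # no ownership check at all
    profile["bio"] = new_bio
    return profile


def update_bio_fixed(profiles, session_user_id, target_profile_id, new_bio):
    """Same handler with an object-level authorization check: the target must
    belong to the authenticated user.  Missing and foreign profiles raise the
    same error so the endpoint cannot be used to enumerate valid ids."""
    if session_user_id is None:
        raise Forbidden("login required")
    profile = profiles.get(target_profile_id)
    if profile is None or profile["owner"] != session_user_id:
        raise Forbidden("not authorized for this profile")
    profile["bio"] = new_bio
    return profile


def probe_horizontal_escalation(handler, attacker_id):
    """Sweep every profile id with a session that owns only its own profile and
    report the foreign profiles the handler let the attacker modify.
    Returns a sorted list of profile ids; an empty list means no escalation."""
    profiles = sample_profiles()
    tampered = []
    for profile_id, record in profiles.items():
        if record["owner"] == attacker_id:
            continue                                # skip the attacker's own profile
        try:
            handler(profiles, attacker_id, profile_id, f"tampered by {attacker_id}")
        except Forbidden:
            continue                                # handler refused: good
        if record["bio"] != "original":
            tampered.append(profile_id)             # foreign profile was changed
    return sorted(tampered)


if __name__ == "__main__":
    print("vulnerable:", probe_horizontal_escalation(update_bio_vulnerable, 2))  # [1, 3]
    print("fixed:     ", probe_horizontal_escalation(update_bio_fixed, 2))       # []
```

The probe is the kind of check worth running against any endpoint that takes an object id from the client: log in as an ordinary user, walk the id space, and see what changes. Note that the fixed handler refuses a nonexistent profile with the same error as a foreign one; returning "not found" for one and "forbidden" for the other would turn the endpoint into an id oracle.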

Fortunately what theharmonyguy did was only a harmless prank, meant to bring attention to the flaw. But there are people out there who are curious and looking for these types of issues. And if you read back to an earlier post, I directed people to a story in Insecure Magazine #13 called "Social engineering, social networking services: a LinkedIn example". Its point is that social network websites can be incredibly valuable targets for conducting personal reconnaissance and carrying out identity theft.

It’s also interesting to watch how people who are not part of the web application security world react. Michael Arrington, in titling his post “First OpenSocial Application Hacked Within 45 Minutes”, used an outcome-based metric to describe the incident without even knowing it. In the past I’ve referred to this as hackability, and this is a perfect example of how I think website security and security solutions should be measured: by how long it takes, and how much skill it takes, for someone to get in. The approach is simple, natural, and makes sense to everyone.
