tag:blogger.com,1999:blog-36622502469644092862011-04-21T18:44:07.716-07:00MySpace OpenSocial DisasterAbasihttp://www.blogger.com/profile/13638814301713130440noreply@blogger.comBlogger21100tag:blogger.com,1999:blog-3662250246964409286.post-18363232684529478542008-03-14T15:58:00.000-07:002008-03-14T16:34:58.904-07:00OpenSocial and Security - here is your source code for everyone to exploreWhy is MySpace so anal about reviewing apps and suspending them for things that are allowed on other application platforms?<div><br /><div>Because OpenSocial is insecure. Yes, that's right, this javascript client-side technology exposes a lot of things. Want to see the ENTIRE source code of "Honesty Box" application? Easy! Install that app on MySpace and "view source" in your browser. </div><div><br /></div><div>Just to make it easy for you, I'll paste it here:</div></div><br /><br /><div style="overflow:scroll;height:150px;border:1px solid #cccccc;font-size:10px;"><br /><pre><br /><script type="text/javascript"><br /><br />String.prototype.to_rfc3986 = function (){<br /> var tmp = encodeURIComponent(this);<br /> tmp = tmp.replace('!','%21');<br /> tmp = tmp.replace('*','%2A');<br /> tmp = tmp.replace('(','%28');<br /> tmp = tmp.replace(')','%29');<br /> tmp = tmp.replace("'",'%27');<br /> return tmp;<br />}<br /><br /><br />var ajaxServer = "www.honestybox.com";<br />var views = new Array("inbox","outbox","message","write","messagesent","invite","settings");<br />var tabs = new Array("tab_inbox","tab_outbox","tab_settings","tab_write");<br />var ownerId = null;<br />var viewerId = null;<br />var viewerGender = null;<br />var viewerFriends = null;<br />var debugStatus = false;<br />var msgid = 0;<br />var msie = false;<br />var classAttributeName = "class";<br />var friendDictionary = {};<br />var friendIdList = new Array();<br /><br />// for caching user friend information<br />function User(userId, userName, userThumnail, userProfileURL,userGender){<br /> this.UserId = userId;<br /> this.UserName = userName;<br /> this.UserThumbnail = userThumnail;<br /> this.UserProfileURL = userProfileURL;<br /> this.UserGender = userGender;<br />}<br /><br />function loadUserData(){<br /> var opt_params = {};<br /> opt_params[opensocial.DataRequest.PeopleRequestFields.PROFILE_DETAILS] = opensocial.Person.Field.GENDER;<br /><br /> var dataRequest = opensocial.newDataRequest();<br /> var ownerRequest = dataRequest.newFetchPersonRequest(opensocial.DataRequest.PersonId.OWNER);<br /> var viewerRequest = dataRequest.newFetchPersonRequest(opensocial.DataRequest.PersonId.VIEWER, opt_params);<br /> var viewerFriends = dataRequest.newFetchPeopleRequest(opensocial.DataRequest.Group.VIEWER_FRIENDS, opt_params);<br /><br /><br /> // Check that viewer has app installed and hit with promo text / partner text<br /> dataRequest.add(ownerRequest);<br /> dataRequest.add(viewerRequest);<br /> dataRequest.add(viewerFriends);<br /> dataRequest.send(loadUserData_Callback);<br />}<br /><br />function loadUserData_Callback(dataResponse){<br /> if(!dataResponse.hadError()){<br /> var ownerData = dataResponse.get(opensocial.DataRequest.PersonId.OWNER).getData();<br /> ownerId = ownerData.getField(opensocial.Person.Field.ID);<br /> var viewer = dataResponse.get(opensocial.DataRequest.PersonId.VIEWER);<br /> if(viewer != null){<br /> var viewerData = dataResponse.get(opensocial.DataRequest.PersonId.VIEWER).getData();<br /> for(k in viewerData['fields_']){<br /> renderStatus('Viewer: ' + k + ' = ' + viewerData['fields_'][k]);<br /> }<br /> viewerId = viewerData.getField(opensocial.Person.Field.ID);<br /> viewerGender = viewerData.getField(opensocial.Person.Field.GENDER);<br /> } else {<br /> // user shouldn't be here!<br /> }<br /><br /> var currentUser = new User(viewerData.getField(opensocial.Person.Field.ID), viewerData.getField(opensocial.Person.Field.NAME), viewerData.getField(opensocial.Person.Field. THUMBNAIL_URL), viewerData.getField(opensocial.Person.Field.PROFILE_URL), viewerData.getField(opensocial.Person.Field.GENDER));<br /><br /> var friendsData = dataResponse.get(opensocial.DataRequest.Group.VIEWER_FRIENDS).getData();<br /><br /> friendsData.each(function(friendData){<br /> var friendName = friendData.getField(opensocial.Person.Field.NAME);<br /> var friendThumbnailUrl = friendData.getField(opensocial.Person.Field.THUMBNAIL_URL);<br /> var friendId = friendData.getField(opensocial.Person.Field.ID);<br /> var friendURL = friendData.getField(opensocial.Person.Field.PROFILE_URL);<br /> var friendGender = friendData.getField(opensocial.Person.Field.GENDER);<br /><br /> var friendObj = new User(friendId, friendName, friendThumbnailUrl, friendURL, friendGender);<br /> friendDictionary[friendId] = friendObj;<br /> friendIdList.push(friendId);<br /> });<br /> <br /> //Let's shove the current user into the "friendDictionary" so we can look him/her up without silly if login<br /><br /> friendDictionary[viewerId] = currentUser;<br /><br /> unrender('loading');<br /> if(viewerId == ownerId){<br /> render("navigation");<br /> render("inbox");<br /> } else {<br /> render("navigation");<br /> render("write");<br /> }<br /> } else {<br /> unrender('loading');<br /> renderError('Unable to determine who you are, if you have the application installed, refresh the page.');<br /> }<br />}<br /><br />function surface(type){<br /> var surface_type = new opensocial.Surface(type);<br /> opensocial.requestNavigateTo(surface_type);<br />}<br /><br />function render(view){<br /> // just turn on these items, without adjusting others<br /> if(view == "status"<br /> || view == "error"<br /> || view == "navigation"<br /> ){<br /> document.getElementById(view).setAttribute(classAttributeName,"visible");<br /> return;<br /> }<br /><br /> // make adjustments to other views<br /> for(var i=0; i<views.length; i++){<br /> if(view == views[i]){<br /> document.getElementById(views[i]).setAttribute(classAttributeName,"visible");<br /> } else {<br /> document.getElementById(views[i]).setAttribute(classAttributeName,"invisible");<br /> }<br /> }<br /><br /> // special case views<br /> if(view == "write") {init_write(); setActiveTab('tab_write'); }<br /> if(view == "inbox"){ init_inbox(); setActiveTab('tab_inbox'); }<br /> if(view == "outbox") { init_outbox(); setActiveTab('tab_outbox'); }<br /> if(view == "message") { init_message(); setActiveTab('tab_inbox'); }<br /> if(view == "settings") { init_settings(); setActiveTab('tab_settings'); }<br /> if(view == "invite") { init_settings(); setActiveTab('tab_invite'); }<br />}<br /><br />function unrender(view){<br /> document.getElementById(view).setAttribute(classAttributeName,"invisible");<br />}<br /><br />function setActiveTab(tab){<br /> renderStatus('Changing to tab: ' + tab);<br /> for(var i=0; i<tabs.length; i++){<br /> if(tabs[i] == tab){<br /> renderStatus('Turning ' + tab + ' on.');<br /> document.getElementById(tabs[i]).setAttribute(classAttributeName,"active");<br /> } else {<br /> document.getElementById(tabs[i]).setAttribute(classAttributeName,"inactive");<br /> }<br /> }<br /> renderStatus('Done changing tabs!');<br />}<br /><br />function renderStatus(msg){<br /> if(debugStatus){<br /> render("status");<br /> var el = document.getElementById("status");<br /> el.innerHTML = "<b>Status:</b> " + msg + "<br />" + el.innerHTML;<br /> }<br />}<br /><br />function renderError(msg){<br /> renderStatus('renderError invoked');<br /> render("error");<br /> var el = document.getElementById("error");<br /> el.innerHTML += "<b>Error:</b> " + msg + "<br />";<br />}<br /><br />function init_inbox(){<br /> renderStatus('init_inbox invoked');<br /> var params = {};<br /> ajaxRequest("inbox",init_inbox_callback,params);<br />}<br /><br />function init_inbox_callback(data){<br /> renderStatus('init_inbox_callback invoked');<br /> var msgs = "";<br /> var i=0;<br /> for(i=0; i<data.messages.length;i++){<br /> msgs += format_thread_message(data.messages[i], true, data.messages[i].gender, 750);<br /> }<br /> var el = document.getElementById("inbox_messages");<br /> el.innerHTML = msgs;<br />// gadgets.window.adjustHeight();<br />}<br /><br />function init_outbox(){<br /> renderStatus('init_outbox invoked');<br /> ajaxRequest("outbox",init_outbox_callback, {});<br />}<br /><br />function init_outbox_callback(data){<br /> renderStatus('init_outbox_callback invoked');<br /> var msgs = "";<br /> var i=0;<br /> for(i=0; i<data.messages.length;i++){<br /> msgs += format_thread_message(data.messages[i], true, data.messages[i].gender, 750, friendDictionary[data.messages[i].recipient].UserThumbnail);<br /> }<br /> var el = document.getElementById("outbox_messages");<br /> el.innerHTML = msgs;<br />// gadgets.window.adjustHeight();<br />}<br /><br />function read_message(id){<br /> renderStatus("read_message invoked - reading message " + id);<br /> msgid = id;<br /> render("message");<br />}<br /><br />function init_message(){<br /> renderStatus("init_message invoked");<br /> if(msgid > 0){<br /> renderStatus('loading message ' + msgid);<br /> // Reset message canvas<br /> var el = document.getElementById('message_history');<br /> el.innerHTML = "";<br /> var params = {};<br /> params.msgid = msgid;<br /> ajaxRequest("thread",init_message_callback, params);<br /> } else {<br /> renderError("Invalid message");<br /> }<br />}<br /><br />function init_message_callback(data){<br /> renderStatus("init_message_callback invoked");<br /> var msgs = "";<br /> var i=0;<br /> var icon = null;<br /> for(i=0; i<data.messages.length;i++){<br /> msgs += format_thread_message(data.messages[i], false, data.messages[i].gender, 750, null);<br /> }<br /> var el = document.getElementById("message_history");<br /> el.innerHTML = msgs;<br /> var frm = document.getElementById('reply_message_form');<br />// gadgets.window.adjustHeight();<br /> frm.message.focus();<br />}<br /><br />function ajaxRequest(method, callback_func, params){<br /> // add some default values to the request<br /> renderStatus('Preparing the request for owner ' + ownerId);<br /> // params['surface'] = opensocial.Surface.getName();<br /> var queryString = "method=" + method;<br /> for (k in params) {<br /> // queryString += "&" + k + "=" + encodeURIComponent(params[k]);<br /> queryString += "&" + k + "=" + params[k].to_rfc3986();<br /> }<br /><br /> // set the datasource location<br /> var url = "http://" + ajaxServer + "/opensocial/ms_ajax.php?" + queryString + "&r=" + Math.random();<br /><br /> // set the opensocial params to sign the request and fetch JSON object<br /> renderStatus("Setting opensocial call parameters");<br /> var osParams = {};<br /><br /> osParams[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;<br /> renderStatus("Making call to " + url);<br /><br /> gadgets.io.makeRequest(url, makeRequest_callback, osParams);<br /><br /> function makeRequest_callback(data){<br /> renderStatus("Handling ajax response with typeof: " + typeof(data.data));<br /> var json = gadgets.json.parse(data.data);<br /> if(!json){<br /> renderError("Error talking to server: " + json.ErrorMessage);<br /> }<br /> callback_func(json);<br /> }<br />}<br /><br /><br />function init(){<br /> renderStatus('Init invoked');<br /> if(navigator.appName=="Microsoft Internet Explorer"){<br /> msie = true;<br /> classAttributeName = "className";<br /> renderStatus('User agent appears to be IE');<br /> }<br /> render("loading");<br /> loadUserData();<br />}<br /><br />init();<br /><br />function format_message(msg, sex){<br /> renderStatus('format_message invoked');<br /> var linked = true;<br /> var strout = "";<br /> strout += "<div class=\"message\">";<br /> strout += '<a href="#no_anchor" onclick="read_message(\'' + msg.msgid + '\');">';<br /> strout += msg.comment;<br /> strout += "</a>";<br /> strout += "</div>";<br /> return strout;<br />}<br /><br />function format_thread_message(msg, link , sex, width, icon){<br /> renderStatus('format_thread_message invoked');<br /> var columnWidth = width - 100;<br /> var imgPrefix = "gray_";<br /> var bgColor = "dddddd";<br /> switch(sex){<br /> case 'male':<br /> imgPrefix = "blue_";<br /> bgColor = "c1e6f6";<br /> break;<br /> case 'female':<br /> imgPrefix = "pink_";<br /> bgColor = "f9d9e6";<br /> break;<br /> }<br /><br /> if(icon != "undefined" && icon != null && icon.substr(0,4) == "http"){<br /> var img = icon;<br /> } else {<br /> var img = 'http://img.honestybox.com/logo/hb_circle_logo_' + imgPrefix + '50x50.png';<br /> }<br /><br /> var strout = "";<br /> strout += '<div class=\"message\" style="width:' + width + 'px;">';<br /> strout += '<img src="' + img + '" alt="" border="0" style="float:left; padding-right:10px;" />';<br /> strout += '<div style="float:right;">';<br /> strout += '<table border="0" cellpadding="0" cellspacing="0" width="' + columnWidth + '">';<br /> strout += '<tr>';<br /> strout += '<td><img src="http://img.honestybox.com/bubbles/' + imgPrefix + 'top_left.png" width="8" height="8" border="0" /></td>';<br /> strout += '<td bgcolor="' + bgColor + '"><img src="http://img.honestybox.com/images/clear.gif" width="' + (columnWidth - 16) + '" height="8" border="0" /></td>';<br /> strout += '<td align="right"><img src="http://img.honestybox.com/bubbles/' + imgPrefix + 'top_right.png" /></td>';<br /> strout += '</tr><table border="0" cellpadding="0" cellspacing="0" width="' + columnWidth + '"><tr>';<br /> strout += '<td colspan="3" bgcolor="' + bgColor + '"><div style="padding:0px 8px;">';<br /> if(viewerId == msg.sender){<br /> strout += "<b>You said:</b> ";<br /> }<br /> if(link){<br /> strout += '<a href="#no_anchor" onclick="read_message(\'' + msg.msgid + '\');">';<br /> }<br /> if(typeof(msg) == "object"){<br /> strout += msg.comment;<br /> } else {<br /> strout += msg;<br /> }<br /> if(link){<br /> strout += '</a>';<br /> }<br /> strout += '</div></td>';<br /> strout += '</tr><table border="0" cellpadding="0" cellspacing="0" width="' + columnWidth + '"><tr>';<br /> strout += '<td valign="top"><img src="http://img.honestybox.com/bubbles/' + imgPrefix + 'bottom_left.png" border="0" /></td>';<br /> strout += '<td valign="top"><img src="http://img.honestybox.com/bubbles/' + imgPrefix + 'bottom_gradient.png" width="' + (columnWidth - 48) + '" height="9" border="0" /></td>';<br /> strout += '<td align="right" valign="top"><img src="http://img.honestybox.com/bubbles/' + imgPrefix + 'bottom_right.png" height="9" border="0" /></td>';<br /> strout += '</tr>';<br /> strout += '</table>';<br /> strout += '</div>';<br /> strout += '<br clear="all" />';<br /> strout += "</div>";<br /> return strout;<br />}<br /><br /><br />function init_write(){<br /> renderStatus('Loading friend list');<br /> var friend = null;<br /> var id = null;<br /> var el = document.getElementById("write_friends");<br /> var strout = "";<br /> for(id in friendDictionary){<br /> friend = friendDictionary[id];<br /> var comment_body = "Tell <b>" + friend.UserName + "</b> what you really think...<br />" + '<textarea name="message_' + friend.UserId + '" class="message" style="padding-bottom:5px; height:60px;"></textarea>'<br /> strout += '<div id="f' + id + '">';<br /> strout += format_thread_message(comment_body, false , "unknown", 750, friend.UserThumbnail);<br /> strout += '</div>';<br /> }<br /> el.innerHTML = strout;<br />}<br /><br />function send_messages(fe){<br /> render("loading");<br /> renderStatus("send_messagess invoked");<br /> fe.form.submit_a.disabled = true;<br /> fe.form.submit_b.disabled = true;<br /> var params = {}<br /> for(var i=0; i<fe.form.elements.length; i++){<br /> if(fe.form.elements[i].name.substr(0,8) == "message_"){<br /> params[fe.form.elements[i].name] = fe.form.elements[i].value;<br /> fe.form.elements[i].value = "";<br /> }<br /> }<br /> ajaxRequest('message_new_multi', send_messages_callback, params);<br />}<br /><br />function send_messages_callback(json){<br /> renderStatus("send_messages_callback invoked.");<br /> var frm = document.getElementById("new_message_form");<br /> frm.submit_a.disabled = false;<br /> frm.submit_b.disabled = false;<br /> render("messagesent");<br />}<br /><br />function reply_message(fe){<br /> render("loading");<br /> renderStatus("reply_message invoked");<br /> fe.disabled = true;<br /> fe.form.message.disabled = true;<br /> var params = {}<br /> params['threadid'] = msgid;<br /> params['comment'] = fe.form.message.value;<br /> ajaxRequest('message_reply',reply_message_callback,params);<br />}<br /><br />function reply_message_callback(data){<br /> renderStatus("reply_message_callback invoked.");<br /> render("message");<br /> var frm = document.getElementById('reply_message_form');<br /> frm.message.disabled = false;<br /> frm.message.value = "";<br /> frm.button_send.disabled = false;<br /> renderStatus("Form reset.");<br /> read_message(msgid);<br />}<br /><br /><br />function init_settings(){<br /> renderStatus("init_settings invoked");<br /> ajaxRequest('settings',init_settings_callback,{});<br />}<br /><br />function init_settings_callback(data){<br /> var i = 0;<br /> unrender('loading');<br /> renderStatus("init_settings_callback invoked.");<br /> var frm = document.getElementById('settings_form');<br /> frm.question.value = data.settings.status;<br /> // set the gender from the data<br /> for(i=0; i<frm.gender.options.length; i++){<br /> if(frm.gender.options[i].value == data.settings.gender){<br /> frm.gender.selectedIndex = i;<br /> }<br /> }<br />}<br /><br />function settings_save(fe){<br /> renderStatus('settings_save invoked');<br /> var params = {};<br /> params['question'] = fe.form.question.value;<br /> params['gender'] = fe.form.gender.options[fe.form.gender.selectedIndex].value;<br /> ajaxRequest('settings_save',settings_save_callback, params);<br />}<br /><br />function settings_save_callback(){<br /> renderStatus('settings_save_callback invoked');<br /> render('settings');<br />}<br /><br /></script><br /></pre><br /></div><br /><br />You think that's bad? It gets even <span style="font-size:140%">worse</span>. How about the ENTIRE server-side code for one of the top Facebook apps? Yes, SERVER-SIDE, entire PHP code, database schema and everything else. You don't have to be a hacker to get to it - those guys left a few holes open and OpenSocial exposed them all.<br /><br />Don't believe me? You can get it yourself if you like complete with all passwords and security keys, but here is an excerpt of their PHP code:<br /><br /><div style="overflow:scroll;height:150px;border:1px solid #cccccc;font-size:10px;"><br /><pre><br /><?php<br />require 'config/myspace.php';<br />require 'smarty.php';<br />require 'database.php';<br />require_once 'classes/Notable.php';<br />require_once 'classes/User.php';<br />require_once 'classes/People.php';<br />require_once '../platform/Space.php';<br /><br />$_GET['criteria'] = in_array($_GET['criteria'], array('from', 'to', 'top')) ? $_GET['criteria'] : 'top';<br /><br />$current_user = User::get_current_user();<br />$friends_notables = Notable::get_cached_data(array('Notable', 'list_friends_superlatives'), array($_GET['criteria'], $current_user));<br /><br />$ids = array();<br />foreach ($friends_notables as $row)<br />{<br /> foreach (array('to_user_id', 'from_user_id') as $field)<br /> {<br /> if (FALSE == in_array($row[$field], $ids))<br /> {<br /> $ids[] = $row[$field];<br /> }<br /> }<br />}<br />$people = People::get_many($ids);<br /><br />$smarty->assign('friends_notables', $friends_notables);<br />$smarty->assign('people', $people);<br />$smarty->assign('criteria', $_GET['criteria']);<br />$smarty->display('friends.tpl');<br />?><br /><br /></pre><br /></div><br /><br />And now, have fun using and developing OpenSocial applications.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3662250246964409286-1836323268452947854?l=myspace-disaster.blogspot.com' alt='' /></div>Abasihttp://www.blogger.com/profile/13638814301713130440noreply@blogger.com0tag:blogger.com,1999:blog-3662250246964409286.post-74008510304011509852008-03-14T15:40:00.001-07:002008-12-10T13:47:00.781-08:00MySpace OpenSocial Disaster<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_SaAAG0moPoY/R9sCIvy73fI/AAAAAAAAAAM/p4Sqf7rdKXM/s1600-h/Picture+1.png"><img style="float:left; margin:0 5px 5px 0;cursor:pointer; cursor:hand;padding:20px;" src="http://3.bp.blogspot.com/_SaAAG0moPoY/R9sCIvy73fI/AAAAAAAAAAM/p4Sqf7rdKXM/s320/Picture+1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5177734545884831218" /></a><br />It's been less than 24 hours since MySpace OpenSocial platform opened their doors. While Facebook and Bebo value their developers, provide support and rely on their feedback, MySpace is obviously different.<br /><br />So what do we have so far?<br /><br />- Angry developers complaining about the fact that MySpace "suspended" their applications without explanation. Some received vague reasons for their apps being denied, like:<br /><br />"Application logo violates copy rights issue. This logo is belong to google talk."<br />"Ads in the application navigate the site away from MySpace"<br />"Application is not working fine."<br /><br />Judging by not-so-perfect English it looks like the review process was outsourced overseas?<br /><br />According to the developer community forum there is no way to edit/test or re-submit suspended applications right away.<br /><br />Great start.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3662250246964409286-7400851030401150985?l=myspace-disaster.blogspot.com' alt='' /></div>Abasihttp://www.blogger.com/profile/13638814301713130440noreply@blogger.com0