Sociablecode

May 15, 2008

OpenSocial: A global unparalleled security risk

Filed under: Caja, Facebook, MySpace, Ning, Orkut, Uncategorized, hi5 — Suhail @ 1:10 pm

I am not entirely sure whether people pass over security articles; they’ve always intrigued me. I suggest you don’t skip this one, whether you’re involved in OpenSocial or not.

Before I get into the meat of the article, a few things need to be understood, notably what XSS and CSRF are. I’ll explain this in layman’s terms as opposed to sounding like a Wikipedia article. Please research on your own if what I say makes no sense, as it’s a prerequisite for understanding this article, and every programmer in the world should know what these are.

XSS (Cross-site scripting): XSS is a way to execute JavaScript on web pages around the web that would otherwise be unintended behavior. Essentially, imagine you have a comment form; someone can create a comment with text input that allows them to execute JavaScript in your browser. In this scenario, imagine me sending Ajax POST requests to your bank account to withdraw $1000 and put it in my account. The transaction was on your behalf because JavaScript is executing in your browser and is therefore a valid, non-disputable transaction, as the request will have originated from your IP address.

CSRF (Cross-site request forgery): CSRF is very simply session riding. We have all seen sites that contain a URL such as: http://www.url.com/?action=logout. In this case, imagine if I redirected you to that URL; Gmail would log you out. Not too glamorous, huh? Well, imagine for a minute that I created a form on MySpace, then created a 1×1 iframe and opened a URL to post a bulletin out to all your friends on your behalf. You would never have known it happened and you would move along. This is the power of CSRF.

Combine XSS with CSRF and you have a catastrophe, as exhibited by the Samy Worm on MySpace. If you don’t know what I am talking about, Google it =).

If these were eye openers for you, continue reading. If you’re just brushing it off, research a little more, then continue reading, and perhaps I’ll be able to convince you.

The meat:

So what does OpenSocial have to do with all of this? It’s secured in a nice little iframe off the container’s host, right? Sure, that’s a step in the right direction; however, there is a much bigger problem:

Let’s walk through how OpenSocial has been architected, from a developer/hacker perspective:

  • A JavaScript function called makeRequest() proxies Ajax calls to servers to GET/POST data.
  • OpenSocial applications utilize both REST and pure, unfiltered JavaScript as a means to design applications. A majority today use JavaScript, as it is cross-compatible.
  • OpenSocial contains virality mechanisms such as requestSendMessage() and requestShareApp(), plus activity streams, as a means of spreading amongst users.
  • Finally, OpenSocial is able to grab user data such as a uniquely defined user id, gender, location, etc. The same is true of an application viewer’s friends.

Some social networks use the actual user id on the social network as the OpenSocial id. These networks include MySpace.com and hi5.com. This means that I can grab a list of all my friends’ OpenSocial ids, which also happen to be their real ids on the network itself. Remember this.

OpenSocial is a viral channel for distributing any web exploit on the internet today. “Web 2.0” is often associated with socializing, networking, etc. OpenSocial is a new-age mechanism for exploiting; call it “Exploit 2.0”, though that’s a silly buzzword–don’t spread it around!

I am going to say something very bold: the internet is only one XSS exploit away from getting infected, on any social network hosting an OpenSocial application.

Let’s try a proof of concept:

MySpace a few weeks ago contained an exploit that allowed people to use XSS and CSRF as a means to private message any user on behalf of the person viewing the application. All these people needed was a user_id. MySpace protects its forms from CSRF by using a session hash in its forms that must match something on the backend–the best way to defeat CSRF. Anyhow, these people managed to get past it via some sort of XSS hole; nonetheless, they created an invisible iframe, created the form, set the target to the iframe, and submitted the form on your behalf. Beautiful and tricky, it’s pretty cool–nothing new though.

The problem with creating XSS worms on the internet today is that they require a static element. For example, I once found an XSS hole in Facebook’s politics application; unfortunately, the hole showed up on Facebook profiles. So I was able to literally execute JavaScript on my profile. I quickly changed my user input after a quick test and linked in an external script to be executed on Facebook.com’s profile pages. That means I had complete control over Facebook to do whatever I wanted. Of course, I am not completely malicious, so I simply photoshopped an image of Facebook, made it suhailBook, and any time you visited my Facebook profile you would see the new suhailBook logo. It was priceless; however, I started thinking more into it and realized that because I had complete control over Facebook, I could also send a request to the politics application to inject the same JavaScript file on any viewer of my profile, on their behalf. The static element was that my user input was stored and could actively execute on the profile. I didn’t need to spam a URL around and slowly infect people; I could do it exponentially. Every time someone viewed my profile, they would be infected and then become a host to spread it, until all of Facebook became suhailBook. This was all just a proof of concept; the hole was documented and fixed the same day.

The point is, OpenSocial IS that static element: the applications are contained on the profile pages of users and are allowed to execute JavaScript and API-specific calls. Now imagine I’ve found a way to privately message all of your friends to install the application on your behalf. As soon as they do, they send out a spam message to all their friends. You now have exponential growth based on the ratio of conversions you get from that message.

Let’s take it a bit further: imagine you found a way to automatically install the application just by VIEWING a profile. You have OpenSocial as your static element to virally spread (because it sits on the profile) and an exploit to auto-install. Exponential growth.

If you take it one bit further, imagine you spread a 0-day exploit via holes in Adobe Flash, Adobe PDF, or QuickTime. Exponential infection at the OS level.

Any social network that has even one XSS hole lets an OpenSocial application spread itself exponentially. The application uses its weight of knowledge based on user data (like user ids) and its static placement on profiles, and can infect users simply by opening an iframe to MySpace, Orkut or hi5 and injecting the external JS file to commit requests on behalf of a user. This is dangerous, and it channels huge viral effects if you can spread the application virally at the same rate as infection. You can channel XSS and CSRF to do almost anything: change an image, edit a status, post a comment, post a blog entry, etc.

In some cases, you don’t even need an XSS hole; all you need is a little bit of CSRF. This is a funny case, but imagine that every time someone installs your application, or even views it, you decide to attempt to remove your competitor’s application via CSRF.

Another concept is that XSS and CSRF are interesting ways to exploit, but they aren’t very fun if you don’t have a popular website people go to so you can fool them. OpenSocial doesn’t just provide avenues to exploit the containers; it presents avenues to exploit OTHER websites as well, like PayPal, Facebook, etc. You have this profile that’s highly trafficked and, lo and behold, a malicious OpenSocial application that can open up iframes ANYWHERE it wants to and commit attacks on any site in the world. As the application spreads, so does the rate of infection to other sites. These attacks are hard under normal circumstances because malicious sites are generally unpopular–you can’t profit very much off 10 people visiting your blog that has a hidden iframe stealing email lists from anyone that is logged into a Yahoo account via XSS (this was once possible, FYI). On MySpace, I can open up an iframe, inject my JavaScript, steal the whole email list of Yahoo contacts from any user that is currently logged in, and send the data to my server, which is continually harvesting them. Nobody would really notice because it’s not hurting anyone directly. I can harvest millions, given the popularity of the user whose profile is being seen. Who is protecting against that?

You may say, sure, but you have to find one XSS hole first. That is trivial and extremely easy, given the attitude that XSS and CSRF are small exploits. In this environment, the tiniest exploit can have devastating effects. I promise you, just because these are big companies doesn’t mean their programmers never forget to sanitize inputs and secure forms. I’ve found XSS on Google, Ning, Facebook, hi5, MySpace, Digg, etc. Ever heard of them?

You have three huge social networks using OpenSocial today; more will follow as people note their success.

There will be someone out there who has the courage to do this, and you won’t even realize you were hit. OpenSocial needs to draft a change in security today, not tomorrow.

No one is protecting their users; every network has completely circumvented nearly every security measure it has put in place, and has destroyed many aspects of its site that it took a lot of time to harden, because of the one-XSS-hole-to-exploit concept.

Caja is not the answer. If you’re ready to piss off 1-5k+ developers and tell them to rearchitect their code, good luck. Oh, and how is Caja going to stop me from Ajaxily requesting a script on my server? It’s not the answer. Manual code reviews do not scale. FBJS was a great solution and probably the only smart one.

There is no mechanism on the internet today which invokes this new paradigm of infection so easily, and that is what makes OpenSocial a global, unparalleled security risk.

April 30, 2008

hi5 dominates OpenSocial while the rest stagnate

Filed under: MySpace, hi5 — Suhail @ 10:23 pm

It’s now been a few weeks, and things are settling on hi5 at last. According to the engineers over there, a new notifications system was implemented (pushed on Monday), something along the lines of an actual queue system. The changes they have made definitely show, not just in how our applications load but also in our stats:

I can’t offer real numbers, sorry! But I promise they aren’t exactly in the hundreds or anything. hi5 is definitely chugging along. If you didn’t hear or see it, hi5 posted some stats about their platform during the Web 2.0 conference last week:

  • Production launch 3/31, full launch to 100% of users 4/4
  • 65 applications at launch, 328 today in 21 categories
  • Averaging > 1 million new installs each day
  • 5 apps with > 1 million installs, 11 more with > 500k installs
  • Top apps getting > 1 million daily canvas views
  • ~50% of active users have at least one application installed
  • Active users average ~3 apps on every profile, with as many as 16

While hi5 is giving developers instant success in some cases, as I have talked to a few developers, MySpace continues to stagnate:

This is the number 1 application on MySpace right now; it’s called Truth Box (to no surprise, there are 4 of the same Truth Box style applications on MySpace). How its growth reached where it is is quite suspect at this point, but if you take a look at the weekly trend you’ll see that it’s closing in every day on becoming more and more flat, given the potential of MySpace’s real network effect. Its growth is less attributable to MySpace and more so to advertising and cross promotion with larger audiences on other social networks that probably also exist on MySpace as well.

A number of applications are already flat. MySpace is not pushing out fast enough, and as a result we’re starting to see more blackhat techniques implemented to spark growth in lieu of actual ways to grow virally. postTo is a weak attempt, I think others would agree. It may convert, but it sure as hell doesn’t convert well.

At this point, MySpace is the best platform to create the largest revenue stream, while hi5 is the best platform to grow virally as expected, but you’ll find it hard to make revenue with the same weighted value as on MySpace. It’s difficult to say which to go after, but often easier to make the choice to do both. A lot of us are doing that.

MySpace, give us something to grow a user base with, and I bet you’ll see some real application innovation and fewer black hat techniques to subvert your users. You’re not doing a great job of helping your now-starving developers. We need concrete dates; we need to know exactly what’s going on. Additionally, features need to stop breaking during every push, and when breaks occur they need to be documented.

One of the silliest ideas yet was for changes to no longer be pushed live. I am not sure who came up with that idea, but hi5 has created an almost brilliant one: make a REFRESH button. Let us publish changes, see them in development mode, and when we want them to go live, let us hit a nice shiny button that makes it instant. You guys are smart engineers; would you like it if we made you wait an entire day after you pushed an update to MySpace.com to see how it went? No, that would be chaotic, so why impose the same restrictions on us?

I don’t think I even have to mention how badly Orkut is doing with their entire platform launch. I don’t think anyone cares either at this point, with the bigger networks actually iterating. To sum up Orkut, I’ll write some code:

if ($network == 'orkut') {
    while (true) { continueToBreakMorePromises(); }
}

April 15, 2008

A Quick OpenSocial Rundown

Filed under: MySpace, Orkut, hi5 — Suhail @ 5:42 am

This is a quick overview of what’s happening in the beautiful, frustrating, and highly hyped OpenSocial machine:

hi5:

1. Much better growth than MySpace; growth rates rise every day. The only container that actually has viral growth! (Orkut’s 1% of Estonia does not count)
2. Stability issues occasionally, which might be fixed now. This heavily stunted viral growth, as no one has probably been able to compound their viral growth every day. Ouch.
3. Huge language barriers with dense communities who do not necessarily speak English. hi5, ramp up your translation services; my i18n file is still in escrow and it hurts. Click here for the full explanation on how to do it.
4. Everything is ready for you on hi5 to explode in growth; once again, we just need stability.
5. Lots of bugs, but lots of fixes are happening daily. Unlike MySpace, the hi5 devs push daily and are machines who are awake at night to help you even with the smallest problems. Paul, Lou, Anil, Zach–you guys are awesome.
6. The best support you’ll ever get is in #hi5dev. And hey, it’s 10:30 PM here and they are still awake answering questions.
7. hi5 actually has analytics! Zach expressed interest in later providing analytics the way Facebook does; we need this quickly!
8. Oh, RockYou put out a press release about reaching 2 million users; that happened about 4-5 days ago, so they are probably much bigger now.

Suggestion to hi5: the language barrier is a growing issue for many developers. Some developers even see more growth on MySpace. Is there anything you can do to target our applications more heavily at native English-speaking users? This would let us grow properly until the i18n issue gets resolved. It’s difficult to grow under the dense Thai user base as well as the huge Spanish base.

MySpace:

1. Frustration.
2. EXTREMELY slow development process.
3. Stop staving us off with tricks like presenting us old functionality such as postTo, which Zachallia (FreeGifts) has been using since the platform’s inception.
4. Cool, you finally found the courage to link the gallery; great, now we get a few hundred users and watch the growth decline like it did when you first launched. This is not enough.
5. Vague deadlines; nobody has a damn clue when the viral API is coming out. First it was a couple of weeks; those passed by, so where is it? If postTo was it, that was a mean trick.

Orkut:

1. Yay! You’re launching in about a week, except you should probably put this in really tiny font: 10% of your users only.
2. Wait a second, wasn’t Orkut supposed to launch before everyone else? Does anybody really care anymore about a #6-7 social network that has a tiny non-native English-speaking population?
3. Before you get too excited, Orkut has a limited viral API, with no requestShareApp and probably no notifications either.

In other news, I am adamant about releasing my OpenSocial wrapper/framework to the public eventually. I am not sure when, but here is an outline of it currently. I have working implementations of it on both my applications. Comments about the structure are appreciated:

A brief overview of some interesting things that it contains:

- Works beautifully on all containers (Orkut, hi5, MySpace)
- owner/viewer PERSON info caching.
- Friend request batching (which can emulate paging very easily).
- Less verbose than opensocial API.
- Like any framework, utility methods to ease the pain.
- Wrappers around everything in case things change.
- Easily obtain person info without it failing on certain non-implemented fields: getUser(person).aggregate(); // Obtains all possible data at once!
- doRequest() (makeRequest) supports caching/refreshing/signed requests.
- Fully implemented viral API that is ready to go.
- MediaItems made easy for viral API.
- Fully tested, mother approved.

April 7, 2008

hi5 LifeCycle: Uninstall Ping

Filed under: hi5 — Christopher @ 3:14 am

<Param name="invitePingUrl" value="http://host/path"/>

Try it out…

April 5, 2008

OpenSocial: Viral at Last!

Filed under: hi5 — Christopher @ 3:39 pm

We’re a few days into the first full-scale release of an OpenSocial implementation. Look what’s happening; this is no joke.

Developers who made the initial hi5 gallery, and who took advantage of the viral channels offered by the network, are watching with keen interest as their servers heat up…

Talk on IRC has turned from details of refreshing external JS and implementing new API functionality towards stats tracking and methods for scaling apps. This is an exciting time.

April 4, 2008

hi5 LifeCycle: Uninstall and Install Ping Params

Filed under: hi5 — Christopher @ 6:00 pm

<Optional feature="hi5-lifecycle">
  <Param name="installPingUrl" value="….URL here…"/>
  <Param name="removePingUrl" value="….URL here…"/>
</Optional>

This and other hi5 OpenSocial Extensions.

April 2, 2008

App Ranking Philosophy: hi5 Pioneers a Higher Standard

Filed under: hi5 — Christopher @ 2:29 pm

First, read this.

This admirable result is the product of a lot of conversation, both on IRC and certainly at the hi5 headquarters. Developers have been begging for some visibility into relative performance of applications, specifically requesting install numbers to be made public. Many containers take the easy way out and make their install numbers public. Some (sorry MySpace, we still love you) even rely on this questionable metric as the sole factor for ranking within the application directory.

Suhail brought up a very good point which is that public metrics provide developers a proxy for monitoring the app ecosystem. Spamming and other nefarious tactics become transparent when a community of developers has their finger on the pulse of install rates, relative pickup etc.

PL makes a strong case against simultaneously exposing the ranking metrics’ values and their relative importance: developers will inevitably jump to optimize those metrics, effectively throwing user experience to the side in order to arbitrage their position. This is a strong argument, and leads happily to the conversation we see started above by Zack in his blog post.

Developers need something to watch, and as Paul points out, will inevitably optimize their apps pursuant to the reward mechanism of the container. For MySpace developers, it is easy to watch installs all day, and live and die on how many people are using the app. But today, two days into the hi5 launch and with a sea of opportunity before us, what is the thought process invoked by the proposed ranking algorithm? Answer: focus on quality. I can have 10 users, but if I as a developer can optimize the experience of my - few - users, I have a shot at the system rewarding me handsomely.

The past two months have been hectic, as well as fraught with unrealistic promises, high expectations by all parties, and skepticism from outside the OpenSocial community. The whole Orkut fiasco was in part explained away by a (sudden) emphasis on fairness, and we’ve seen both MySpace and hi5 totally surpass a certain larger organization in their ability to implement this new technology as well as support an enthusiastic community of developers.

The emphasis should be squarely on building quality apps that add value to the host network. Without this principle, there is no reason for meganetworks to even ‘go there.’ OpenSocial excites big networks because it represents an opportunity for third-party development to affect their own bottom line positively. It’s the - now old - F8 philosophy: your apps generate pageviews, eyeballs, loyalty and more, so bring them on and keep all the money you can make with them. Quality is key here. Frankly, I use Facebook less now after being barraged by notifications.

“Laura has sent you a banana! Click here to peel it!”

Yeah… I’m all set.

Momentary sycophancy notwithstanding, another hi5 decision bears mentioning. As the network rolls out the brand-new app gallery to its users, hi5 is randomizing the gallery order until they have collected enough meaningful data to rank the apps intelligently. Fantastic.

Whatever hi5’s algorithm is, it will certainly change over time as the team receives feedback and more data with which to work. The direction is the right one, and only good can come of it.

-Christopher (markitecht)

March 11, 2008

Opensocial: Where are we and what has been done?

Filed under: MySpace, Orkut, hi5 — Suhail @ 9:27 pm

Breaking news: Yahoo to join Opensocial 

It’s only been about a month since Opensocial has really started showing its wings and proving to the developers who actually take the time to read the documentation that it’s quickly moving away from the bleeding edge technology of the version 0.5 days. There’s a lot to be done even still, but where are we now? What has been done?

I am going to provide a brief overview of what is going on in the Opensocial space: what people are doing, what is being moved along, and what’s hot right now.

Let’s start with an obvious partner: MySpace.com. Some interesting news today is that MySpace has actually decided to move to version 0.7 while keeping a big piece of 0.6 compatibility for its developers. MySpace is still fairly broken in many places and I would still consider it to be very bleeding edge today.

From a technical perspective, you’ll notice big things that are broken immediately: makeRequest(), signed requests, friend requesting, etc. The list of bugs is fairly large, and perhaps this is expected from MySpace at times, but from what I’ve seen, MySpace’s reputation as a fairly evil company is changing for me. I am sure most of the issues will be fixed by the end of today. The best place to get help is the IRC channel (irc.freenode.net, #myspacedev). Max (signal_loss) and Stephanie (StephanieBamBam) both sit and moderate the channel even at the latest hours of the night, past 12 AM. The developers over there are really passionate about this platform and are working hard to make sure the MySpace Development Platform (MDP) is not an evil place. It’s really surprising that a big company has engineers that are willing to answer technical questions and broad generic questions in a live IRC channel–well done. Additionally, MySpace actually has a date for when they are launching, so work hard everyone.

Let’s talk about Orkut for a bit. Aside from the big fiasco as far as launch date plans, Orkut actually has the most stable container available to test your 0.7 applications. I think a lot of developers were quite disappointed with Orkut’s launch date, myself being one of them. Thankfully, they handled it in some manner that made those of us who submitted on deadline happy. The issue is, Orkut actually has no date now; no one knows when the launch is occurring, when it appeared they were the front runners for showing Opensocial’s success. I think a lot of developers are switching their focus to other containers now because we all know…Orkut is the smallest of the platforms and hi5 and MySpace are much larger. Without a launch date, it’s difficult to want to develop on their platform. Google is doing a spectacular job pushing out updates, getting organized, and making their container stable and consistent–you really have to love shindig because of that.

What about hi5? From what I know, hi5 is launching March 31st and has a series of hackathons going on from March 15th to the date of their launch. hi5 is the only platform in my mind that has a realistic launch date. MySpace has too many problems to expect a sensible, full-featured launch. Orkut doesn’t have a date. hi5 is the only platform that I feel will truly be ready and isn’t displeasing developers at any rate. They are big, they are iterating quickly, using shindig, and are helpful. Not much to say except be ready for their date. They have a lot of things in place: you can already see their app gallery page, submit your app, and play with the API.

So where are we? We’re moving along quickly; now is the time to get on board. This is much different from 0.5: things are stabilizing, and applications, not widgets, are capable of being created. People are developing at 2-4 AM and they are getting one-on-one technical advice from the container engineers like Arne (kurrik from Google), Max (signal_loss from MySpace), and plinder from hi5. Somehow, I don’t think you’ll get such priceless time with them as things get bigger, so jump on it now. From my perspective as a developer, all the containers are moving quickly. It seems that daily I change my stance on which container specifically I should be focusing on, so it’s difficult to gauge which is “hot.” Right now, my pick is MySpace; if you had asked me just last week, it was Orkut and hi5. Things are changing rapidly: read the forums on MySpace, read the Orkut blog, read the OpenSocial blog, constantly check Google’s OpenSocial wiki, read the hi5 developer blog, and oh, read us from time to time =).

What has been done? 0.7 is a big improvement over 0.5; the shindig implementation is quite clean and working. Finally, we have some major compatibility between applications! MySpace, hi5, and Orkut are all backing 0.7 now–that is a major feat. There are hundreds of developers making applications and there are tons of applications viewable today. The best thing about Opensocial is that a lot of containers are not partnering; they are putting everyone on the same playing field. Slide and RockYou, prepare for some brand new competition. I am noticing a lot of developers are copying a lot of the applications that already exist on Facebook’s platform, notably SuperPoke–bring on the clones…
