Sociablecode

Things are moving at a snails pace, *yawn*:

http://code.google.com/p/opensocial-framework/downloads/list

Please note: This framework is compatible with the 0.7 OpenSocial specification only and has been throughly tested and also compatible with all the major OpenSocial containers: MySpace, hi5, and Orkut.

I am not entirely sure how many of you have probably already written in-house frameworks for all your products, but here is one for all you small/clueless/new people out in the world

I’ll start posting more again about OpenSocial *FAIL* periodically again.

Feel free to give me your thoughts and opinions about my code. There may have been a few things here and there that I would’ve done differently but the framework is 100% tested and working. All my applications have been using it for months. Enjoy.

Here’s a quick overview of what the code looks like:

Today MySpace announced a series of changes to their platform, changes that make many of the application developers angry and possibly depressed. In fact, I would say that developers themselves are becoming fatigued by the extraordinary amount of rules, regulations, and discrepancies that we face collectively. It feels like every attempt at virality is destroyed.

Sure enough, today was another day. Techcrunch did a decent job at summarizing basically what Tom was attempting to explain to us. I’ll try to sum it up in my own perspective which is sometimes valuable to people since I actively develop on the social network:

Essentially, users are complaining. MySpace is trying to clear up the issues and make a platform that rewards worthwhile applications in the right way.

To regulate us a few rules are in order: You cannot provide incentives to your users to help spread your application. This is obviously a direct hit to Own Your Friends on MySpace which has garnered 3 million users already.

Here’s the driving force here people. MySpace doesn’t give a shit about how viral you wish to become, they don’t want random people kicking each other in butt as a messaging mechanism. To them, opening up the platform is a way of getting viral a bit faster than you would normally on your own with your own startup. MySpace isn’t interested in how fast you can penetrate so you can achieve the highest revenue possible. Their game really appears to be about creating utilities they cannot create themselves. This is all certainly amicable however it’s not going to provide much incentive for developers who are interested in creating real applications as you’re afforded more control outside of MySpace and essentially the same incentive.

You need to think about this. MySpace’s numbers aren’t growing HUGE, they’ve tapped probably the largest portion of the U.S. on the internet. (that’s why we’re all developing there) Basically, they already have them all. They don’t need a platform to get MORE, they just need to keep them happy, engaged, willing to stay essentially. History has shown, that a large portion of the applications on Facebook are annoying, spamming, and essentially crap. What would you do if you were in the same position?

The thoughts behind this are: if you create a very valuable and interesting application, user adoption will trend much like a web startup except perhaps on steroids if it exists on MySpace. This is all hypothetical and perhaps quite wishful. postTo was sneaky attempt to stave us off as I have said before and this utility exists just not in modal box design as it is for our applications.

The world’s are clashing between money, value, quality, and rewards. Seems it’s time to sit down and think what’s right for the users for MySpace. Of course, all of us are ready with our pitchforks in hand waiting to chastise whoever created these rules

MySpace has one last attempt up its sleeve in terms of keeping us around:

“Finally, I’m pleased to give you all a heads-up that we will be enhancing our messaging APIs in June with the release of our Applications Communication Channel. “ACC” as we call it is a brand-new messaging service built specifically for apps that will enable custom app invites and notifications. More on that soon!”

Don’t screw this up MySpace, a compromise is in order if you plan to get people to stick around with your platform. There are other ways to ask for what you want without locking and restricting channels. The world isn’t so black and white in that good products always distribute themselves effectively because as you’ve seen so do crappy ones that know how to exploit channels fatiguing them well enough so nothing good makes it past the mark. postTo channels were fatigued before we even got here, we were never given a fair chance. Provide incentives to good applications, don’t be so damn afraid to punish bad ones, and regulate your channels–take a piece of advice from hi5.

Consider this, we have to deal with constant problems, downtime, and restrictions with a platform that is isn’t significantly viral. We do it because we hope for mechanisms that will provide greater distribution then we would get off-platform. You might be able to keep us around for a few months and toy with our minds but what’s going to keep us from stopping and realizing that the incentives are more or less the same outside your platform. I think it’s time you stop beating around the bush and tell us PRECISELY what ACC is, I for one am sick of all the damn secrecy only to be disappointed later.

Source: http://opensocial-and-gadgets-spec.googlegroups.com/web/1-OpenSocial_0_8_Release_Notes.html?gda=x–sMVQAAACm0728fg2CW3_CoKlLDx-aChq5Kc1lWGJ-v8ummsbNaWG1qiJ7UbTIup-M2XPURDTdDqZ8CspOzx7w8nEg3iE2_gR-PHt22fWilkeZ8K1gKITIXwSHFlc31AV7pr2W3Bo

Release Notes for v0.8 (DRAFT)

OpenSocial specification changes

I am not entirely sure whether people pass off security articles, they’ve always intrigued me. I suggest you don’t skip this one whether you’re involved in OpenSocial or not.

Before I get into the meat of the article, a few things need to be understood, notably what is XSS and CSRF? I’ll explain this in layman’s terms as opposed to sounding like a wikipedia article. Please research on your own if what I say makes no sense as it’s a pre-requisite on understanding this article and every programmer in the world should know what this is.

XSS (Cross-site scripting): XSS is a way to execute javascript on webpages around the web that would otherwise be unintended behavior. Essentially, imagine you have a comment form, someone can create a comment with text input that allows them to execute javascript on your browser. In this imagine me sending Ajax POST requests to your bank account to withdraw $1000 and put it in my account. The transaction was on your behalf because javascript is executing in your browser and is therefore a valid, non-disputable transaction as the request will have originated from your IP address.

CSRF (Cross-site request forgery): CSRF is very simply session riding. We all have seen sites that contain a url as such: http://www.url.com/?action=logout. In this case, imagine if I redirected you to that URL, gmail would log you out. Not too glamorous huh? Well imagine for a minute, I created a form on MySpace, then created a 1×1 iframe and opened a URL to post a bulletin out to all your friends on your behalf. You would’ve never known it happened and you would move along. This is the power of CSRF.

Combine XSS with CSRF and you have a catastrophe in many cases exhibited by the Samy Worm on MySpace. If you don’t know what I am talking about, Google it =).

If these became eye openers to you, continue reading. If you’re just brushing it off research a little more and the continue reading and perhaps I’ll be able to convince you.

The meat:

So what’s OpenSocial have to do with all of this? It’s secured in a nice little iframe off the container’s host right? Sure, that’s a step in the right direction however there’s much more of a problem:

Let’s walk-through how OpenSocial has been architected from a developer/hacker perspective:

• A javascript function called makeRequest() as a way to proxy Ajax calls to servers to GET/POST data.
• OpenSocial applications utilize both REST and pure non-filtered Javascript as a means to design applications. A majority today use Javascript as it is cross-compatible.
• OpenSocial contains virality mechanisms such as requestSendMessage() and requestShareApp() and activity streams as a means of spreading amongst users.
• Finally, OpenSocial is able to grab user data such as a uniquely defined user id, gender, location, etc. The same is true of an application viewer’s friends.

In some social networks, they use the actual user id on the social network as the opensocial id. These networks include MySpace.com and hi5.com. This means that I can grab a list of all my friends’ opensocial id’s which also happen to be their real id’s on the network itself. Remember this.

OpenSocial is a viral channel to the distribution of any web exploit on the internet today. “Web 2.0″ is often associated with socializing, networking, etc. OpenSocial is a new age mechanism of the exploiting, called it “Exploit 2.0″ though that’s a silly buzzword–don’t spread it around!

I am going to say something very bold: The internet is only one XSS exploit away on any social network hosting an OpenSocial application from getting infected.

Let’s try a proof of concept:

MySpace a few weeks ago contained an exploit that allowed people to use XSS and CSRF as a means to private message any user on the behalf of the person viewing the application. All these people needed was a user_id. MySpace protects it’s forms from CSRF by using a session hash in their forms that must match something on their backend–best way to defeat CSRF. Anyhow these people managed to get passed it via some sort of XSS hole, nonetheless they created an invisible iframe, created the form, set the target to the iframe, and submitted the form on your behalf. Beautiful and tricky, it’s pretty cool–nothing new though.

The problem with create XSS worms on the internet today is that they require a static element to them. For example, I once found an XSS hole in Facebook’s politics application, unfortunately the hole showed up on Facebook profiles. So I was able to literally execute javascript on my profile. I quickly changed my user input after a quick test and I linked in an external script to be executed on Facebook.com’s profile pages. That means I have complete control over Facebook to do whatever I want. So, of course, I am not completely malicious I simply photoshopped an image of Facebook, made it suhailBook and any time you visited my Facebook profile you would see the new suhailBook logo. It was priceless, however I started thinking more into it and realized that because I have complete control over Facebook, I could also send a request to the politics application to inject the same javascript file on any viewer to my profile on their behalf. The static element was that my user input was stored and could actively execute on the profile. I didn’t need to spam a url around and slowly infect people, I could exponentially do it. Every time someone viewed my profile, they would be infected and then become a host to spread it until the entire Facebook became suhailBook. This was all just a proof of concept, the hole was documented and fixed the same day.

The point is, OpenSocial IS that static element, the applications are contained on the profile pages of users and are allowed to execute javascript and API specific calls. Now imagine, I’ve found this way to privately message all of your friends to install the application on your behalf. As soon as they do they send out a spam message to all their friends. You now have exponential growth based on the ratio of conversions you get from that message.

Let’s take it a bit further, imagine you found a way to automatically install the application just by VIEWING a profile. You have OpenSocial as your static element to virally spread (because it sits on the profile) and an exploit to auto-install. Exponential growth.

If you take it one bit further, imagine you spread a 0-day exploit because of holes in Adobe Flash, Adobe PDF, or Quicktime? Exponential infection on an OS level.

Any social network that has even 1 XSS hole let’s an OpenSocial application spread itself exponentially. The application uses it’s weight of knowledge based on user data (like user id’s) and static placement on profiles can infect users simply by opening an iframe to myspace, orkut, hi5 and injecting the external js file to commit requests on behalf of a user. This is dangerous and this channels huge viral effects if you can spread the application virally at the same rate as infection. You can channel XSS and CSRF to do almost anything, change an image, edit a status, post a comment, post a blog entry, etc ,etc.

In some cases, you don’t even need an XSS hole, all you need is a little bit of CSRF. This is a funny case but imagine everytime someone installs your application or even views it, you decide to attempt to remove your competitors application via CSRF.

Another concept is that, XSS and CSRF are interesting ways to exploit but they aren’t very fun if you don’t have a popular website people go to so you can fool. OpenSocial doesn’t just provide avenues to exploit the containers but it presents avenues to exploit OTHER websites as well, like PayPal, Facebook, etc. You have this profile that’s highly trafficked and low and behold a malicious OpenSocial application that can open up iframe’s ANYWHERE it wants to and commit attacks on any site in the world. As the application spreads so does the rate of infection to other sites. These attacks are hard under normal circumstances because malicious sites are generally unpopular–you can’t profit very much off 10 people visiting your blog that has a hidden iframe stealing email lists from anyone that is logged into a yahoo account via XSS (this was once possible FYI). On MySpace, I can open up an iframe, inject my javascript, steal the whole email list of yahoo contacts from any user that is currently logged in, and send the data to my server which is continually harvesting them. Nobody would really notice because it’s not hurting anyone directly. I can harvest millions given the popularity the user whose profile is being seen. Who is protecting against that?

You may say, sure you have to find one XSS hole first. That is trivial and extremely easy give the attitude that XSS and CSRF are small exploits. In this environment, the tiniest exploit can have devastating effects. I promise you, just because these are big companies doesn’t mean their programmers forget to sanitize and secure inputs and forms respectively. I’ve found XSS on Google, Ning, Facebook, hi5, MySpace, Digg, etc. Ever heard of them?

You have 3 huge social networks using OpenSocial today, more will follow as people note their success.

There will be someone out there that has the courage to do this and you won’t even realize you were hit. OpenSocial needs to draft a change in security today, not tomorrow.

No one is protecting their users, every network has completely circumvented nearly every security measure they have placed and have destroyed many aspects of their site they took a lot of time to harden because of the 1 XSS hole to exploit concept.

Caja is not the answer. If you’re ready to piss off 1-5k+ developers and tell them to rearchitect their code, good luck. Oh and how is Caja going to stop me from Ajaxily requesting a script on my server? It’s not the answer. Manual code reviews do not scale. FBJS was a great solution and probably the only smart one.

There is no mechanism on the internet today which invokes this new paradigm of infection so easily and is what makes OpenSocial a global unparalleled security risk.

Yahoo!, MySpace, and Google today announced they have agreed to form the OpenSocial Foundation to ensure the neutrality and longevity of OpenSocial as an open, community-governed specification for building social applications across the web. Yahoo!’s support of OpenSocial and role as a founding member of the new foundation are landmarks for the rapidly growing specification which will now offer developers the potential to connect with more than 500 million people worldwide.

The OpenSocial Foundation website at www.opensocial.org will serve as the portal for the community to find all information about OpenSocial and the foundation as they evolve. Developers and website owners can now visit www.opensocial.org for the latest specifications, links to other resources, and the opportunity to get involved.

I think the best way to get Opensocial into full momentum is really participating, you’ll see me there helping out in my own way. I hope you can as well, whether you work for a huge company like Slide or run your own startup business with a tight budget.

Full press release can be found here.

I’ve been a bit discouraged as of late about how some applications are getting massive amounts of installations and how my measly little 140 installs was possibly worth throwing away but big players on Facebook have told me to stick with it and I am not leaving until I see what happens after viral API is implemented.

Ever wonder how the hell you amass 6000+ installs on a platform with no viral API, no link to the application directory on profile pages, no real publicity to its own mainstream users?

Meet Pokey, the retard 3d dog:

All you need is a lot of money in the bank, how’s that for leveling the playing field MySpace?

Anyhow, I’ve placed all focus on hi5. The platform is using shindig, the engineers fix bugs on a daily basis and push daily (even on weekends) and they have fully implemented working viral API that I have tested personally on a second application I am building for Opensocial. requestShareApp() works and requestSendMessage can send a user NOTIFICATION or an EMAIL to a user. requestCreateActivity works awesomely and both requestSendMessage and requestCreateActivity both can parse <a> tags for you to create links. hi5 is offering free spanish translation and free hosting to new application developers at Joyent. Take that MySpace, oh and hey, they aren’t as buggy either making it the best place to develop your applications initially and then pushing them out to MySpace and Orkut later.

Though Facebook purportedly declined to join OpenSocial because of privacy concerns, there have been several major controversies surrounding their protection of user privacy in the recent past, most notably the release of the news feed, which many believe to be Facebook’s value equivalent of ‘PageRank,’ and Beacon, the spine-tinglingly creepy initially-opt-out, still-not-totally-opt-in, social-graph-exploiting remarketing program.

Well if you haven’t already, make sure you tweak your (blatantly non-exhaustive) privacy settings.

465 practically live applications and encounting on MySpace, awesome job everyone! This report can be seen via zynganomics.com. I think a substantial amount of activity is extremely low but that’s what you get as MySpace isn’t even really launched quite yet–no viral API implementation = platform fail at the moment. On another note though, MySpace seems to have released an official REST API library for PHP. Seems lots of patches are occurring and many applications are iterating constantly and trying to find new ways to thrive due to viral API desertion as I am calling it right now. Some people have figured out their own ways so I’d like to highlight them. Blake’s Vampire, Slayers style applications which are banking on getting people to throw their link around so users can “bite” each other. It’s old school and it works. I am trying my own hands at combining a flash widget for SuperFortune Cookie that is embeddable on users pages so friends can see fortunes from other friends. A bunch of applications are getting through via simple brand recognition (e.g. FreeGifts, sorry Zachallia). In anyevent, there’s honestly not much going on over at the MySpace platform right now, it’s basically just a waiting game till we see the APIs we need. Max, you still owe me that swift kick in the ass you’re supposed to give the manager! On the plus side, it seems they have the application approval process on a maintainable path for now.

Anyhow, this post is really about hi5 and what they are doing (hence the title) as they have had the most realistic launch plans to date and now they are only a week or so away. Let’s highlight what everyone is going to drool over. Basically from the hi5 platform you can expect everything and more that you got from MySpace. You have the big set of REST API, fairly stable javascript client code, and it came out straight from the Apache shindig project. So where’s the drool part? Lou Moore gave me the scoop in IRC today: Viral API implementaiton for requestShareApp, requestCreateActivity, and requestSendMessage (TYPEs: NOTIFICATION, EMAIL). Lou Moore stated that limits, restrictions, etc will be posted in the official viral guidelines. From what I gather, it’s likely to be similar to what Orkut stated initially as far as limitations so don’t expect this to be very liberal about what you can do, but at least it is there for now. hi5 is also doing something very nice for the top 100 developers which I’ve actually been selected for: Free webhosting from Joyent (Similar to the package Facebook gives you) for 6 months, Free Spanish translation, and initial inclusion in the directory for their launch. hi5 has already started their own IRC channel: #hi5dev (irc.freenode.net) and the engineers, notably Anil, Lou Moore, and the big celebrity apparently of Opensocial these days Paul Lindner (shindig contributor) are all very helpful and adamant about making their launch successful. Hope to see you on hi5 when they launch March 31! If I were to say, their launch will be the biggest and most successful thus far with their implementation of viral APIs. There hasn’t been a network yet to introduce this, so let the real games begin.

Also, an announcement from me, I should be releasing an opensource Opensocial Javascript framework/wrapper to ease everyone’s lives around the 31st or a few weeks after, stay tuned for that. A few friends of mine are playing around with it to make sure it’s stable and easy to use. The goal is to minimize the amount of documentation you have to read and minimize the amount of verbose code you have to write.

Oh and by the way…Where did Orkut go? Weren’t you launching nearly 3-4 weeks ago?

First off, Suhail and I have been either lucky or well-prepared (or both), as our apps made it in within the first 24 hours. Others have had a really tough time.

Zach brings up a great point in the IRC: pay a lot of attention to your application and profile pictures. These apps are sitting in a queue, and one common denominator of apps that seem to be getting attention is that they look professional at a glance, i.e. if a reviewer hypothetically was looking at a long list of submitted apps and their info, including pics.

Be sure to check out:

• SuperFortune Cookie
• Brazilian Portuguese

More coming soon. I’m submitting more language applications today, and will post links to them as I get them approved (fingers firmly crossed).

Also from the venerable iWiddit:

• A-List / D-List