http://code.google.com/p/opensocial-framework/downloads/list

Please note: This framework is compatible with the 0.7 OpenSocial specification only and has been throughly tested and also compatible with all the major OpenSocial containers: MySpace, hi5, and Orkut.

I am not entirely sure how many of you have probably already written in-house frameworks for all your products, but here is one for all you small/clueless/new people out in the world

I’ll start posting more again about OpenSocial *FAIL* periodically again.

Feel free to give me your thoughts and opinions about my code. There may have been a few things here and there that I would’ve done differently but the framework is 100% tested and working. All my applications have been using it for months. Enjoy.

Here’s a quick overview of what the code looks like:

Sure enough, today was another day. Techcrunch did a decent job at summarizing basically what Tom was attempting to explain to us. I’ll try to sum it up in my own perspective which is sometimes valuable to people since I actively develop on the social network:

Essentially, users are complaining. MySpace is trying to clear up the issues and make a platform that rewards worthwhile applications in the right way.

To regulate us a few rules are in order: You cannot provide incentives to your users to help spread your application. This is obviously a direct hit to Own Your Friends on MySpace which has garnered 3 million users already.

Here’s the driving force here people. MySpace doesn’t give a shit about how viral you wish to become, they don’t want random people kicking each other in butt as a messaging mechanism. To them, opening up the platform is a way of getting viral a bit faster than you would normally on your own with your own startup. MySpace isn’t interested in how fast you can penetrate so you can achieve the highest revenue possible. Their game really appears to be about creating utilities they cannot create themselves. This is all certainly amicable however it’s not going to provide much incentive for developers who are interested in creating real applications as you’re afforded more control outside of MySpace and essentially the same incentive.

You need to think about this. MySpace’s numbers aren’t growing HUGE, they’ve tapped probably the largest portion of the U.S. on the internet. (that’s why we’re all developing there) Basically, they already have them all. They don’t need a platform to get MORE, they just need to keep them happy, engaged, willing to stay essentially. History has shown, that a large portion of the applications on Facebook are annoying, spamming, and essentially crap. What would you do if you were in the same position?

The thoughts behind this are: if you create a very valuable and interesting application, user adoption will trend much like a web startup except perhaps on steroids if it exists on MySpace. This is all hypothetical and perhaps quite wishful. postTo was sneaky attempt to stave us off as I have said before and this utility exists just not in modal box design as it is for our applications.

The world’s are clashing between money, value, quality, and rewards. Seems it’s time to sit down and think what’s right for the users for MySpace. Of course, all of us are ready with our pitchforks in hand waiting to chastise whoever created these rules

MySpace has one last attempt up its sleeve in terms of keeping us around:

“Finally, I’m pleased to give you all a heads-up that we will be enhancing our messaging APIs in June with the release of our Applications Communication Channel. “ACC” as we call it is a brand-new messaging service built specifically for apps that will enable custom app invites and notifications. More on that soon!”

Don’t screw this up MySpace, a compromise is in order if you plan to get people to stick around with your platform. There are other ways to ask for what you want without locking and restricting channels. The world isn’t so black and white in that good products always distribute themselves effectively because as you’ve seen so do crappy ones that know how to exploit channels fatiguing them well enough so nothing good makes it past the mark. postTo channels were fatigued before we even got here, we were never given a fair chance. Provide incentives to good applications, don’t be so damn afraid to punish bad ones, and regulate your channels–take a piece of advice from hi5.

Consider this, we have to deal with constant problems, downtime, and restrictions with a platform that is isn’t significantly viral. We do it because we hope for mechanisms that will provide greater distribution then we would get off-platform. You might be able to keep us around for a few months and toy with our minds but what’s going to keep us from stopping and realizing that the incentives are more or less the same outside your platform. I think it’s time you stop beating around the bush and tell us PRECISELY what ACC is, I for one am sick of all the damn secrecy only to be disappointed later.

Release Notes for v0.8 (DRAFT)

OpenSocial specification changes

Before I get into the meat of the article, a few things need to be understood, notably what is XSS and CSRF? I’ll explain this in layman’s terms as opposed to sounding like a wikipedia article. Please research on your own if what I say makes no sense as it’s a pre-requisite on understanding this article and every programmer in the world should know what this is.

XSS (Cross-site scripting): XSS is a way to execute javascript on webpages around the web that would otherwise be unintended behavior. Essentially, imagine you have a comment form, someone can create a comment with text input that allows them to execute javascript on your browser. In this imagine me sending Ajax POST requests to your bank account to withdraw $1000 and put it in my account. The transaction was on your behalf because javascript is executing in your browser and is therefore a valid, non-disputable transaction as the request will have originated from your IP address.

CSRF (Cross-site request forgery): CSRF is very simply session riding. We all have seen sites that contain a url as such: http://www.url.com/?action=logout. In this case, imagine if I redirected you to that URL, gmail would log you out. Not too glamorous huh? Well imagine for a minute, I created a form on MySpace, then created a 1×1 iframe and opened a URL to post a bulletin out to all your friends on your behalf. You would’ve never known it happened and you would move along. This is the power of CSRF.

Combine XSS with CSRF and you have a catastrophe in many cases exhibited by the Samy Worm on MySpace. If you don’t know what I am talking about, Google it =).

If these became eye openers to you, continue reading. If you’re just brushing it off research a little more and the continue reading and perhaps I’ll be able to convince you.

The meat:

So what’s OpenSocial have to do with all of this? It’s secured in a nice little iframe off the container’s host right? Sure, that’s a step in the right direction however there’s much more of a problem:

Let’s walk-through how OpenSocial has been architected from a developer/hacker perspective:

• A javascript function called makeRequest() as a way to proxy Ajax calls to servers to GET/POST data.
• OpenSocial applications utilize both REST and pure non-filtered Javascript as a means to design applications. A majority today use Javascript as it is cross-compatible.
• OpenSocial contains virality mechanisms such as requestSendMessage() and requestShareApp() and activity streams as a means of spreading amongst users.
• Finally, OpenSocial is able to grab user data such as a uniquely defined user id, gender, location, etc. The same is true of an application viewer’s friends.

In some social networks, they use the actual user id on the social network as the opensocial id. These networks include MySpace.com and hi5.com. This means that I can grab a list of all my friends’ opensocial id’s which also happen to be their real id’s on the network itself. Remember this.

OpenSocial is a viral channel to the distribution of any web exploit on the internet today. “Web 2.0″ is often associated with socializing, networking, etc. OpenSocial is a new age mechanism of the exploiting, called it “Exploit 2.0″ though that’s a silly buzzword–don’t spread it around!

I am going to say something very bold: The internet is only one XSS exploit away on any social network hosting an OpenSocial application from getting infected.

Let’s try a proof of concept:

MySpace a few weeks ago contained an exploit that allowed people to use XSS and CSRF as a means to private message any user on the behalf of the person viewing the application. All these people needed was a user_id. MySpace protects it’s forms from CSRF by using a session hash in their forms that must match something on their backend–best way to defeat CSRF. Anyhow these people managed to get passed it via some sort of XSS hole, nonetheless they created an invisible iframe, created the form, set the target to the iframe, and submitted the form on your behalf. Beautiful and tricky, it’s pretty cool–nothing new though.

The problem with create XSS worms on the internet today is that they require a static element to them. For example, I once found an XSS hole in Facebook’s politics application, unfortunately the hole showed up on Facebook profiles. So I was able to literally execute javascript on my profile. I quickly changed my user input after a quick test and I linked in an external script to be executed on Facebook.com’s profile pages. That means I have complete control over Facebook to do whatever I want. So, of course, I am not completely malicious I simply photoshopped an image of Facebook, made it suhailBook and any time you visited my Facebook profile you would see the new suhailBook logo. It was priceless, however I started thinking more into it and realized that because I have complete control over Facebook, I could also send a request to the politics application to inject the same javascript file on any viewer to my profile on their behalf. The static element was that my user input was stored and could actively execute on the profile. I didn’t need to spam a url around and slowly infect people, I could exponentially do it. Every time someone viewed my profile, they would be infected and then become a host to spread it until the entire Facebook became suhailBook. This was all just a proof of concept, the hole was documented and fixed the same day.

The point is, OpenSocial IS that static element, the applications are contained on the profile pages of users and are allowed to execute javascript and API specific calls. Now imagine, I’ve found this way to privately message all of your friends to install the application on your behalf. As soon as they do they send out a spam message to all their friends. You now have exponential growth based on the ratio of conversions you get from that message.

Let’s take it a bit further, imagine you found a way to automatically install the application just by VIEWING a profile. You have OpenSocial as your static element to virally spread (because it sits on the profile) and an exploit to auto-install. Exponential growth.

If you take it one bit further, imagine you spread a 0-day exploit because of holes in Adobe Flash, Adobe PDF, or Quicktime? Exponential infection on an OS level.

Any social network that has even 1 XSS hole let’s an OpenSocial application spread itself exponentially. The application uses it’s weight of knowledge based on user data (like user id’s) and static placement on profiles can infect users simply by opening an iframe to myspace, orkut, hi5 and injecting the external js file to commit requests on behalf of a user. This is dangerous and this channels huge viral effects if you can spread the application virally at the same rate as infection. You can channel XSS and CSRF to do almost anything, change an image, edit a status, post a comment, post a blog entry, etc ,etc.

In some cases, you don’t even need an XSS hole, all you need is a little bit of CSRF. This is a funny case but imagine everytime someone installs your application or even views it, you decide to attempt to remove your competitors application via CSRF.

Another concept is that, XSS and CSRF are interesting ways to exploit but they aren’t very fun if you don’t have a popular website people go to so you can fool. OpenSocial doesn’t just provide avenues to exploit the containers but it presents avenues to exploit OTHER websites as well, like PayPal, Facebook, etc. You have this profile that’s highly trafficked and low and behold a malicious OpenSocial application that can open up iframe’s ANYWHERE it wants to and commit attacks on any site in the world. As the application spreads so does the rate of infection to other sites. These attacks are hard under normal circumstances because malicious sites are generally unpopular–you can’t profit very much off 10 people visiting your blog that has a hidden iframe stealing email lists from anyone that is logged into a yahoo account via XSS (this was once possible FYI). On MySpace, I can open up an iframe, inject my javascript, steal the whole email list of yahoo contacts from any user that is currently logged in, and send the data to my server which is continually harvesting them. Nobody would really notice because it’s not hurting anyone directly. I can harvest millions given the popularity the user whose profile is being seen. Who is protecting against that?

You may say, sure you have to find one XSS hole first. That is trivial and extremely easy give the attitude that XSS and CSRF are small exploits. In this environment, the tiniest exploit can have devastating effects. I promise you, just because these are big companies doesn’t mean their programmers forget to sanitize and secure inputs and forms respectively. I’ve found XSS on Google, Ning, Facebook, hi5, MySpace, Digg, etc. Ever heard of them?

You have 3 huge social networks using OpenSocial today, more will follow as people note their success.

There will be someone out there that has the courage to do this and you won’t even realize you were hit. OpenSocial needs to draft a change in security today, not tomorrow.

No one is protecting their users, every network has completely circumvented nearly every security measure they have placed and have destroyed many aspects of their site they took a lot of time to harden because of the 1 XSS hole to exploit concept.

Caja is not the answer. If you’re ready to piss off 1-5k+ developers and tell them to rearchitect their code, good luck. Oh and how is Caja going to stop me from Ajaxily requesting a script on my server? It’s not the answer. Manual code reviews do not scale. FBJS was a great solution and probably the only smart one.

There is no mechanism on the internet today which invokes this new paradigm of infection so easily and is what makes OpenSocial a global unparalleled security risk.

I can’t offer real numbers, sorry! But I promise they aren’t exactly in the hundreds or anything. hi5 is definitely chugging along. If you didn’t hear or see it, hi5 posted some stats about their platform during the Web 2.0 conference last week:

• Production launch 3/31, full launch to 100% of users 4/4
• 65 applications at launch, 328 today in 21 categories
• Averaging > 1 million new installs each day
• 5 apps with > 1 million installs, 11 more with > 500k installs
• Top apps getting > 1 million daily canvas views

• ~50% of active users have at least one application installed
• Active users average ~3 apps on every profile, with as many as 16

While hi5 is giving developers instant success in some cases as I have talked to a few developers, MySpace continues to stagnant:

This is the number 1 application on MySpace right now, it’s called Truth Box (to no surprise, there are 4 of the same Truth Box style applications on MySpace). How its growth reached where it is, is quite suspect at this point but if you take a look at the weekly trend you’ll see that it’s closing in everyday on becoming more and more flat given the potential of MySpace’s real network effect. It’s growth is less attributed to MySpace and moreso to advertising and cross promotion with larger audiences on other social networks that probably also exist on MySpace as well.

A number of applications are already flat. MySpace is not pushing out fast enough and as a result we’re starting to see more blackhat techniques implemented to spark growth in lieu of actual ways to grow viral. postTo is weak attempt, I think others would agree. It may convert, but it sure as hell doesn’t convert well.

At this point, MySpace is the best platform to create the largest revenue stream while hi5 is the best platform to grow virally as expected but you’ll find it hard to be able to make revenue with the same weighted value as MySpace. It’s difficult to say who to go after but often easier to make the choice to do both. A lot of us are doing that.

MySpace give us something to grow a user-base and I bet you you’ll see some real application innovation and less black hat techniques to subvert your users. You’re not doing a great job of helping your now starving developers. We need concrete dates, we need to know exactly what’s going on. Additionally, features need to stop breaking during every push, when breaks occur they need to be documented.

One of the silliest ideas yet was for changes to not be pushed live anymore. I am not sure who came up with that idea but hi5 has created an almost brilliant one: Make a REFRESH button. Let us publish changes, see them in development mode and when we want them to go live, let us hit a nice shiny button that makes it instant. You guys are smart engineers, would you like it if we made you wait an entire day after you pushed an update to MySpace.com to see how it went? No, that would be chaotic, why impose the same restrictions on us?

I don’t even think I really even have to mention how bad Orkut is doing with their entire platform launch. I don’t think anyone cares either at this point with the bigger networks actually iterating. To sum up Orkut, I’ll write some code:

if ($network == ‘orkut’) {

while(true) { continueToBreakMorePromises(); }

}

It didn’t take me long to emphasize the slow development, problems, and qualms that I was having with the developement platform these last few weeks. I partly think it’s because Max is away and not as active in the community since he’s off in Asia. It started out fairly strong hence my disappointment.

Anyway, to the juicy stuff! I asked Max to provide a straight answer for the virality API, particularly requestSendMessage() (Notifications) and he stated “April 30th, unless something goes terribly wrong.”

I complained about adjustHeight(), he stated he was drafting an email to his team at the same time. Expect a fix soon hopefully.

Max stated invite sending is a good month away, so no real ETA on it–apparently a separate team is working on it.

I suggested an analytics service for us as it’s been very helpful on hi5.com, he expressed some interest in it–hopefully it made his email.

Max said he has been spending sometime additionally working on a better client caching system. Anyway, hopefully Max gives his team a swift kick in the ass tomorrow or the next day all the way from Asia. To keep up with what’s happening, Max writes actively on his blog on his MySpace profile at:

http://myspace.com/signalloss

Max stated that he was planning on taking Friday off (today!) but said he may pop in the channel, get his team ready:

signal_loss: ok, im off
signal_loss: flying back to seattle
signal_loss: take care all

hi5:

1. Much better growth than MySpace, growth rates rise everyday. The only container that actually has viral growth! (Orkut’s 1% of Estonia does not count)
2. Stability issues occasionally that might be fixed now. This heavily stunted viral growth as no one has probably been able to compound their viral growth everyday. Ouch.
3. Huge language barriers with dense communities who do not necessarily speak English. hi5 ramp up your translation services, my i18n file is still in escrow and it hurts. Click here for the full explanation on how to do it.
4. Everything is ready for you on hi5 to explode in growth, once again, we just need stability.
5. Lots of bugs but lots of fixes are happening daily. Unlike MySpace the hi5 devs push daily are machines who are awake at night to help you even with the smallest problems. Paul, Lou, Anil, Zach–you guys are awesome.
6. Best support you’ll ever get is in #hi5dev. And hey it’s 10:30 PM here and they are still awake answering questions.
7. hi5 actually has analytics! Zach expressed in providing analytics later the way Facebook does, we need this quickly!
8. Oh RockYou put out a press release about reaching 2 millions users, that happened about 4-5 days ago so they are probably much bigger now

Suggestion to hi5: The language barrier is a growing issue for many developers. Some developers even see more growth on MySpace. Is there anything you can do to catering our applications harder to native English speaking users? This would let us grow properly until the i18n issue gets resolved. It’s difficult to grow under the dense Thailand users as well as the huge Spanish base.

MySpace:

1. Frustration.
2. EXTREMELY slow development process.
3. Stop staving us off with tricks like presenting us old functionality such as postTo which Zachallia (FreeGifts) has been using since the platform’s inception.
4. Cool you finally found the courage to link the gallery, great now we get a few hundred users and watch the growth decline like it did when you first launched. This is not enough.
5. Vague deadlines, nobody has a damn clue when the viral API is coming out. First it was a couple weeks, those past by, where is it? If postTo was it, that was a mean trick.

Orkut:

1. Yay! You’re launching in about a week except you should probably put this in really tiny font: 10% of your users only.
2. Wait a second, wasn’t Orkut supposed to launch before everyone else? Does anybody really care anymore about a #6-7 social network that has a tiny non-native english speaking population
3. Before you get too excited, Orkut has limited viral API such as no requestShareApp and probably no notifications either.

Other news, I am adamant about releasing my OpenSocial wrapper/framework to the public eventually. I am not sure when but here is an outline of it currently. I have working implementations of it on both my applications. Comments about the structure are appreciated:

A brief overview of some interesting things that it contains:

- Works beautifully on all containers (Orkut, hi5, MySpace)
- owner/viewer PERSON info caching.
- Friend request batching (which can emulate paging very easily).
- Less verbose than opensocial API.
- Like any framework, utility methods to ease the pain.
- Wrappers around everything in case things change.
- Easily obtain person info without it failing on certain non-implemented fields: getUser(person).aggregate(); // Obtains all possible data at once!
- doRequest() (makeRequest) supports caching/refreshing/signed requests.
- Fully implemented viral API that is ready to go.
- MediaItems made easy for viral API.
- Fully tested, mother approved.

Try it out…

Developers who made the initial hi5 gallery, and who took advantage of the viral channels offered by the network, are watching with keen interest as their servers heat up…

Talk in the IRC has turned from details of refreshing external js and implementing new API functionality towards stats tracking and methods for scaling apps. This is an exciting time.

This and other hi5 OpenSocial Extensions.