
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


AntiSocial Responses to OpenSocial

Google's OpenSocial initiative, the wrapper that is designed to provide a single point of data entry and management for multiple social networking sites (MySpace, Orkut, Salesforce, LinkedIn, Ning, Hi5, Plaxo, Friendster, Viadeo and Oracle), has come under attack from several different directions within days of the project being announced. Not unexpectedly, several Microsoft employees have openly criticised the Google product.

Rather than being lumped in with 'expected criticism from a competitor (especially if it is Microsoft)', the critiques presented by the Microsoft bloggers help cut through the hype that has surrounded what is essentially a very early beta release of some potentially useful programming interface tools to help people manage their identities and representation across multiple sites. There is the expected complaining and chest beating, but several useful points are raised throughout the arguments, and they show there is a fair way to go before OpenSocial is a mature platform. The same criticism can be levelled at almost all social networking sites, so this is not necessarily an isolated problem that only Google is facing.

Users have already had an unwelcome reminder of the privacy and data management difficulties that are associated with, and exposed by, OpenSocial (and any social networking site). From initial appearances, it seems that there are (were) design and coding flaws in the 'emote' OpenSocial application built by Plaxo (no longer available until they fix the problem), which was hacked within 45 minutes of appearing on the Internet. A user going by the name 'theharmonyguy', who also claims to have successfully hacked a number of Facebook applications, demonstrated the ability to modify content belonging to other users. While the underlying cause of the vulnerability has not been publicised, the following code comments from emote (before it was pulled) suggest that the emote developers need to tighten their development practices somewhat, which is even more critical when anybody can see your code by clicking 'Show Source'.

// TODO: no error checking - we're bold?
// TODO: figure out why this is necessary???

Because of the way that OpenSocial has been developed, how secure the end products are going to be comes down to the developers who are implementing OpenSocial-based solutions. This means that there are going to be many, many more problems to come in the future for OpenSocial-based products, just as there are for tools that interact with or are based on other social networking platforms.

It is unlikely that the current social networking site of the moment, Facebook, will join the OpenSocial initiative, given Microsoft's investment in the site and early rumours about an upcoming Facebook announcement. With the online battle lines being drawn between Google and Microsoft through the proxies of OpenSocial and Facebook, it will be an interesting fight to watch, given that Google seems to be coming off the back foot in this case. Users of the various sites involved will undoubtedly benefit as the companies attempt to lure more users with more efficient services and products. Companies that offer services to enhance the experience users find on these sites will soon find that they are being singled out by Google or Microsoft to bring those services into their particular flavour of social networking.

6 November 2007
