>From what I can make out, there are large security holes in OpenSocial
apps that need to be fixed really quickly.

First: prefs are readable by any visitor to a user's profile page so
you cannot store anything secret in there. On iGoogle this didn't
matter as you couldn't see anyone else's iGoogle page, but now it
really does matter. It means it's not possible to store a username/
password or even an infinite-session-key in there as anyone else can
read it and use it for their own nefarious purposes

Second: requests sent to external services aren't authenticated
(signed) in any way. You can't sign it from JS because the only way to
sign it would be to include the (orkut) user id. And that's infinitely
fakeable. This means that an external service just has to trust that
the data sent is legit.

How to fix these?

Second: the _IG_FetchContent etc, methods must sign each request to
the end-point in such a way that developers can be certain that the
request came from a legitimate source

First: Preferences must come from a request to the server rather than
passed in the clear and that request must be signed using an API key.
(not signed in JS, the developer works out the signature for each pref
he wants to retrieve)

The XML should include some structure based on who is viewing what.
And the OpenSocial server should decide which content block to send to
the iframe.

<content><canvas><owner> .... </owner><visitor> ... </visitor></
canvas><spotlight><owner> .... </owner><visitor> ... </visitor></

Each part is optional and will fall over to the other if it's missing.
The following would show the same canvas for everyone as there is no
sub-tags and would show the same spotlight for everyone as there is no
'owner' tag:

<content><canvas>  </canvas><spotlight><visitor> ... </visitor></

All this said, maybe I just missed something obvious that helps make
apps secure.

Rick Measham

You received this message because you are subscribed to the Google Groups 
"OpenSocial Developers" group.
To post to this group, send email to opensocial-api@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 

Reply via email to