I can answer that... I saw two main problems with RockYou's code. First, the application did not sufficiently authenticate the user making a request. It was fairly easy to make a request for any given user by spoofing certain user details without the application ever verifying where the request came from.
Second, the application did not parse certain input values, but did render them in the app's HTML. This made it fairly easy to inject code. I hesitate to provide more details at this point, since this application has not yet been patched and I'm starting to notice some similar issues in other applications.

You received this message because you are subscribed to the Google Groups "OpenSocial Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/opensocial-api?hl=en
