To be clear: There is currently no mechanism for authenticating/validating requests against third party servers. This will be resolved when we launch the Data APIs, which will allow for authenticated calls to be made from your server directly to the Orkut sandbox servers. Additionally, we are working on a mechanism that will sign _IG_Fetch requests, allowing you to verify server-side that the request was not spoofed. Both of these will certainly be in place by the public launch of the Orkut sandbox.

In response to twentyafterfour's comment - this limitation doesn't expose a security flaw in the JS API itself - you can only write to VIEWER data, so there is no chance of malicious users corrupting other users' data through use of the JS API. The problem lies in that we haven't exposed our third party security mechanism yet, so developers are resorting to poor security practices to pass unvalidated data back to their server. For this reason, you should not be interacting with a production service at this stage in development.

We understand the great demand for this functionality and it is a huge priority for us. We want to get it right, though, so please bear with us.

Thanks,
~Arne

On Nov 5, 6:25 pm, EGreg <[EMAIL PROTECTED]> wrote:
> Why aren't any google techs responding to us?
>
> Greg
>
> On Nov 5, 1:23 pm, twentyafterfour <[EMAIL PROTECTED]> wrote:
> > Apparently there is no validation/authentication of any kind. As far as
> > I can tell, at least for right now, the api is thoroughly and
> > disgustingly insecure.
> >
> > On Nov 5, 10:52 am, "Mat" <[EMAIL PROTECTED]> wrote:
> > > I have exactly the same concern, I really don't like the idea of this
> > > being javascript based. My intention is to therefore use the data APIs
> > > for the majority of the work, and just use the javascript side to bring
> > > up user information, and other non-security-related tasks. Is anyone
> > > else looking at using the data api in such a way? My main concern with
> > > this is I have yet to understand how from a PHP session I can validate
> > > the user, could anyone explain this?
> > >
> > > Mat
> > >
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of EGreg
> > > Sent: 05 November 2007 16:38
> > > To: OpenSocial Developers
> > > Subject: [opensocial] Really BIG Security Concern
> > >
> > > In facebook, your app runs on your server, and users cannot modify it.
> > >
> > > On orkut, ning, and later myspace, your app consists of javascript in
> > > a box. Simply by typing javascript:code into the address bar, you can
> > > execute requests on its behalf. What's worse, it seems there is no way
> > > in principle to defeat this, as long as the variables are on the
> > > client side. A person can execute arbitrary javascript code using
> > > firebug or some such firefox extension. And depending on the gadgets
> > > they can probably even figure out a way to do VIRAL cross-site
> > > scripting, like the "I have a million friends" hack on myspace.
> > >
> > > The one thing I would recommend right now, to achieve a moderate
> > > degree of security is:
> > > OBFUSCATE YOUR CODE BEFORE SUBMITTING TO GOOGLE
> > >
> > > Yeah, use a packer and/or obfuscator to "compile" your code to
> > > unreadable form. A determined person can probably still unravel it
> > > back. Software programs can be decompiled too... but the impact is
> > > only confined to one person's computer. Here, it may be MUCH greater.
> > >
> > > The social networks should take care with this security. Is Google
> > > working to fix the situation? There's gotta be a way...
> > >
> > > Greg Magarshak
