Data portability security breach

Date: June 3, 2008

I ranted a little about data portability when I finally signed up for Facebook and did my "things change".  Little did I know that only a few days later, my concerns about security on social network sites were to be proven via this data sharing feature. 

Byron Ng seems to have a bit of a knack for finding vulnerabilities in websites (does this guy want a job :)).  I’m no fan of "testing" sites that I’ve not been specifically asked to look at, but it must be nice to have the time to do these things.  In any case, using the data sharing between Yahoo! and MySpace, Byron can pretty much look at any user’s profile on MySpace (a similar hack to the one he found on Facebook).  There are even some nice step-by-step instructions. [apologies to Byron for not linking directly - if there is such a page I couldn't find it.  If anyone has a direct link, please put it in the comments].

I’m not at all surprised that this vulnerability has been found, and I would bet that similar ones are going to be discovered lots of times in other social networks sharing data.  This vulnerability appears (I can’t vouch for it as I haven’t fully explored it myself) to be a simple authorization failure.  The good thing about this, if one can see a silver lining, is that website vulnerabilities only have to be fixed in one place - update the code, and all future users that access the site get the update.  I’ve termed this before as "the instant service pack" phenomenon.
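To make the "simple authorization failure" concrete, here is an added illustration of that class of bug and its fix. This is hypothetical example code, not the author's, and not the actual MySpace/Yahoo! or Facebook flaw (the post gives no details of it); the `Profile` model, the session shape and the friends/public visibility policy are all assumptions. The vulnerable handler only checks that the caller is logged in somewhere (for instance via a partner site), never whether the caller is allowed to see the particular profile requested; the fixed handler authenticates and then authorizes against the target profile's own policy.

```python
"""Object-level authorization failure in a profile-sharing endpoint, and its fix.

Hypothetical code: the data model, session format and visibility policy
are assumptions for illustration, not any real site's implementation.
"""

from dataclasses import dataclass, field


@dataclass
class Profile:
    owner: str
    visibility: str                      # "public" or "friends"
    friends: set = field(default_factory=set)
    private_fields: dict = field(default_factory=dict)


# Constructed sample data (not real accounts).
PROFILES = {
    "alice": Profile("alice", "friends", {"bob"}, {"email": "alice@example.invalid"}),
    "carol": Profile("carol", "public", set(), {"email": "carol@example.invalid"}),
}


class Forbidden(Exception):
    """Raised when a request is refused."""


def is_authenticated(session):
    """Authentication only: is there a logged-in user at all?"""
    return session is not None and "user" in session


def get_profile_vulnerable(session, profile_id):
    """Vulnerable: any logged-in user (from this site or a partner) can read
    any profile, because the handler never asks whether *this* requester may
    see *this* profile. This is the 'simple authorization failure' pattern."""
    if not is_authenticated(session):
        raise Forbidden("login required")
    return PROFILES[profile_id].private_fields


def get_profile_fixed(session, profile_id):
    """Fixed: authenticate, then authorize against the target profile's policy.
    Being deployed server-side, the fix reaches every user at once."""
    if not is_authenticated(session):
        raise Forbidden("login required")
    requester = session["user"]
    profile = PROFILES[profile_id]
    if (requester == profile.owner
            or profile.visibility == "public"
            or requester in profile.friends):
        return profile.private_fields
    raise Forbidden("not permitted to view this profile")


def can_view(session, profile_id, handler):
    """Comparison helper: True if the handler returns data, False if refused."""
    try:
        handler(session, profile_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    stranger = {"user": "mallory"}       # constructed: logged in, but not Alice's friend
    print("vulnerable:", can_view(stranger, "alice", get_profile_vulnerable))  # True
    print("fixed:     ", can_view(stranger, "alice", get_profile_fixed))       # False
```

The point for a reviewer is that "is the caller logged in?" and "may the caller see this object?" are separate questions; cross-site data sharing tends to satisfy the first while silently skipping the second, and a fix to the handler is exactly the kind of server-side change the post calls an "instant service pack".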
