Blog Archive

25 March 2008

Insecure Facebook Photos, and Sometimes, Insecure Networks

By Tony Ruscoe & Philipp Lenssen

Private Facebook photos were exposed to the public through a simple URL edit, Associated Press and ReadWriteWeb report. The hole is now apparently closed. Similar cases have appeared before on other sites with photo hosting and sharing, like MySpace and SmugMug.

Furthermore, as we found out, with a little workaround anyone can see what we understand is intended to be an employee-only Google network. Once in that network, you can then also view, for example, photos and profiles which Google employees have flagged to be seen only by members of that network, or read along with the network’s discussions. (There are currently 8,529 members in the Google network.)

We alerted Facebook and Google security about this today (it’s somewhat hard to define which of the two companies is responsible for this security issue) and can reveal details once they have had some time to fix it. Note the workaround may or may not be applicable to other networks; it depends on the network. The safest option until it’s fixed may be to temporarily leave private networks, or perhaps choose some other option to make a profile more private.



14 March 2008

A Very Special Google Docs Feature (Potential Spoiler)

By Tony Ruscoe & Philipp Lenssen

Unless something is going really, really wrong with Google, we have a suspicion this is just an upcoming April Fool’s joke for Google. If that’s the case, then note that spoilers follow below.

OK. Remember Microsoft’s Clippy, that annoying “living” and talking paper clip, popping up with useless tips whenever you wanted to get some work done in Word? It looks like Google Docs is preparing to integrate a similar feature called Cliply. Instead of a paper clip, this time it’s a living Google logo (cached image). And it probably will be just as annoying as Clippy was. The following code showed up live in the source of a Google Docs document...

if (writely.Vars.getSiteVar('enable_cliply')) { // Beta
    document.getElementById('newlogo').src = '/images/cliply.gif';
    writely.Cliply.init({
        'strength': 0.4,
        'dexterity': 0.9,
        'constitution': 0.7,
        'intelligence': 0.1,
        'wisdom': 0.3,
        'charisma': 0.8});
}

But again, before you sign in to Google to delete your account forever, remember (even when Google’s apps are moving in the direction of Microsoft Office) this is very likely just an April Fool’s prank or general easter egg by Google engineers. If not, then be scared, very, very scared... as Clippy is about to return!

Update: We have now received confirmation that it’s not an April Fool’s hoax preparation... it’s indeed an easter egg.
