Coding Horror at Digg
A mistake by Digg's developers not only left a flaw in the newly added friend-referral feature but also exposed the site's user base to a potential privacy disaster.
The referral feature adds friends through a plain URL: if you are logged into your Digg profile and visit a link of the form http://digg.com/invitefrom/username, 'username' is automatically added as your friend. The request is an ordinary GET with no confirmation step, authenticated only by the Digg session your browser already holds, so the browser will make it on your behalf whenever any page it renders references that URL. The problem, then, is that anyone who inserts code such as the following,
[code sample shown as an image in the original post; not reproduced here]
into their own website can force-add themselves as your friend without your permission and without your knowledge (unless, of course, you happen to check your Digg friends page). As of 2:00 AM this morning the flaw had still not been fixed. I visited the web page linked above and that person was automatically added as my friend, with no action required on my part:

Worse, because a site owner can log visitors by IP address and then watch which Digg usernames show up in their own friends list, and when, a little scripting is enough to link a list of visitor IP addresses to a list of Digg usernames, which is a genuine privacy concern. These issues were first reported 4 days ago.
Disclaimer: I am a Netscape Navigator.
Reader Comments (5)
- Stan Schroeder, April 2, 2007
  I wouldn't call that coding horror. I would call it 'not-thinking-at-all' horror.
- LGR, April 2, 2007
  I am surprised that in four days it has not been taken down until they fix the problem.
- Chas Grundy, April 2, 2007
  This is called a Cross-Site Request Forgery. As far as exploits go, it is relatively rare. Unfortunately, I think it's just a matter of awareness. It's easy to execute and is horribly common for many sites.
  About CSRF: http://en.wikipedia.org/wiki/CSRF
  A different, and even more potent, way to exploit Digg, by auto-digging your articles: http://4diggers.blogspot.com/
  I'm not at all hesitant to post these because I'm sure they are being exploited already and it's just a matter of exposure before Digg pays attention and fixes it.
- engtech, April 2, 2007
  I think the same exploit would work on Twitter.
- engtech, April 3, 2007
  Nope, doesn't work on Twitter. Looks like Twitter ignores add-a-friend requests that don't come from Twitter... you have to manually go to the page to add someone as a friend.