Todd Allen on Technology

Ramblings on mobile and early stage companies.

Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)

Posted by todd Thu, 25 Jan 2007 17:47:00 GMT



As I explained in the previous post, Hive7.com sounds fantastic on paper. Also, I want to point out that the problems I'm about to explain *could* be resolved, making the service far better (and not destined to be destroyed by a worm).

Normally I'd be inclined to simply email these issues to the company, but since they clearly know JavaScript inside and out, it's hard to imagine they don't know the problem exists. Unfortunately the issue is deeply integrated into the service, and fixing it is going to break a lot of existing work.

Problem #1: Tricking users into spamming their entire contact list.
Hive7 has a neat feature which allows you to create a new user using your Gmail/AOL IM/etc... accounts. It makes perfect sense: if you are trying to build a social platform, making it simple to invite your friends is clearly important. Hive7 has taken simple a bit too far though.

When you create your account, the next screen that pops up is a list of your contacts from Gmail. The heading seems simple enough: "Search for friends: See which of your friends are already on Hive7 and invite new ones."

I clicked this button, presuming Hive7 would search their userbase and tell me who had already signed up. Instead it sent an email to every contact in my email account.

Thanks guys.... you just invited several of my business contacts, not to mention ex-girlfriends, to a chat room with action figure avatars. It looks like I'm playing with dolls.

Honestly that got me angry enough that I'd never use the service again as a user. Still curious about the technology, I stuck around to create a few objects in my "home". What I saw next was stunning.

Problem #2: Holy hell you can upload unscrubbed javascript!

Now, I don't code professionally anymore. If you asked my friends they would argue that I never wrote code "professionally". I'm an admitted hack, but even *I* know better than to let users write code that gets executed unchecked. Also, I'm pretty good at breaking things, so this shouldn't take long.

A bit of background: Cross site scripting attacks are a huge issue in the "Web 2.0" world of AJAX and heavily interactive websites. The problem is also well documented. Generally what happens is a site accidentally forgets to scrub some input field and allows the execution of JavaScript that a sneaky user uploaded. It's a bug.

This bug is one of the CORE FEATURES of Hive7. It's not an accident. They ASK YOU to upload your own javascript.

Within 45 minutes my friend and I had created an object that logged the Hive7 UserId, SessionID, and ChatID cookies of any user who entered the room.

That's all it took. About 3 lines of code and it was possible to hijack the session of any user who entered the room. You could become that user without ever logging in, granting you access to upload/modify objects as that user. More troubling, since it had previously spammed all my contacts, this hijacked account could be used to read my contact list.

With these pieces creating a Hive7 worm would be trivial:
1) Hijack a session.
2) As the user you hijacked, upload the worm script.
3) Hijack sessions of any users who enter the captured room.
4) Repeat.
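As an added illustration (mine, not Hive7's code), here is the defender's side of the problem the post describes: the same user-supplied object label rendered with and without output encoding, a check that flags live script in rendered markup, and a Set-Cookie header carrying the HttpOnly flag so the session identifier is not readable through document.cookie. The function names, the div markup, the cookie name and the sample label are assumptions made for the example.

```javascript
// Added example (not Hive7's code): rendering a user-supplied object label
// with and without output encoding, plus the cookie flag that keeps a
// session identifier out of reach of page scripts.

// The characters HTML treats specially, mapped to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode user text so the browser renders it as text instead of parsing it
// as markup. A single-pass replace avoids double-encoding the '&'.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the label is concatenated straight into markup, so any
// <script> element or event-handler attribute it carries becomes live code.
function renderUnsafe(label) {
  return `<div class="object-label">${label}</div>`;
}

// Safe rendering: the same template, but the label is encoded first.
function renderSafe(label) {
  return `<div class="object-label">${escapeHtml(label)}</div>`;
}

// Detection helper for tests and logs: flags markup that contains a script
// element or an inline on* handler attribute. It is a check, not a
// sanitizer; a regex like this must never be the only defence.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Build a Set-Cookie value for a session identifier (cookie name assumed).
// HttpOnly stops page scripts from reading it through document.cookie,
// which is the channel the post describes; Secure and SameSite narrow it
// further. Names and values are validated so a header cannot be split.
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[;\s]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample: a label that would execute if inserted unescaped.
const SAMPLE_LABEL = 'Robot <script>alert("hi")</script>';

console.log('unsafe:', renderUnsafe(SAMPLE_LABEL));
console.log('safe:  ', renderSafe(SAMPLE_LABEL));
console.log('cookie:', sessionCookieHeader('SessionID', 'example-value'));
```

Two caveats worth keeping in mind. HttpOnly only closes the cookie-logging channel; a script that already runs in the page can still act as the logged-in user without ever reading the cookie, so it mitigates the session theft the post describes but not the worm itself. The actual fix is the one the post implies: user-supplied content has to be treated as data (encoded on output, or restricted to a markup subset that carries no script), not executed as code.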

C'mon guys. Seriously.


Note to Hive7: When people say "Viral", they don't mean worms. (Part 1)

Posted by todd Wed, 24 Jan 2007 17:13:00 GMT



With all the noise and press Second Life has been receiving lately, it's difficult to not think about the concept of online communities beyond MySpace.

It's my personal opinion that for Second Life, or any next-generation online community, to truly take off to the extent MySpace did, they will need to break out of the desktop application and into the web/mobile world.

Casual users and youth don't spend all their time sitting in front of desktops that they can load software onto, but walk into any college computer lab and tell me how many people are sitting on MySpace/Facebook.

People want to have constant access to their friends. Mobile, and to a lesser extent PC web browsers make that possible.

Based on that I was excited to see a story about a small Palo Alto startup, Hive7.com, building a web based application similar to Second Life. I'm not a huge chat room person, but if I could embed a widget on my websites where people could see my "virtual room" I'd probably give it a shot.

Unfortunately, things went downhill immediately from the time I loaded the site. I recommend you don't create an account at all until they rework their platform.

An explanation to follow....


San Diego housing.... Ouch

Posted by todd Fri, 20 Oct 2006 23:58:44 GMT


Moody's says that San Diego could see an 8.5% pricing drop, bottoming out in Q2 2008. Ouch!

As someone who moved to the area right at the peak, I'm pretty glad I stayed out of it. Condos downtown have already dropped more than 8.5% from what I can tell. I'm planning on buying something around the end of the year but I'm beginning to second guess myself now. Housing Price Forecast


Steam Powered Mobiles

Posted by todd Wed, 18 Oct 2006 21:45:00 GMT




The crew over at GigOM got me thinking today and convinced me that the next generation mobile platforms are on to something (in theory). If they pull it off they could kick mobile application/game purchasers up over the measly 3% they get today.

Here's why.

I am not a heavy video game player, but in the past month I've purchased several games using Valve's Steam platform. To clarify, I purchased more games in the past month than I did in the previous two years. Don't get the wrong idea; it's not that I've given up on having a life! I'm not reliving my college years either. (actually that would involve less games and more alcohol)

The reason is that it's been so long since I went into a game store, or read about them that I'd basically forgotten about them. In the back of my mind I knew my computer could play them, and that I liked them... but it never crossed my mind that I should get a new one.

When talking about mobile adoption my father is my favorite example. He was an early adopter of mobile phones...back when they were only mobile if you were strong. He's *always* had a cell phone.

He's also never purchased a game, ring tone, or anything else for his phone. He wasn't even aware that the phone he has came with a golf game pre-loaded. In the back of his mind he knew his phone could play them....but it never crossed his mind that he should try it.

He still hasn't.

To convince the majority of people to try something new you have to stuff it down their throats, ideally in a way that is valuable to them even without making a purchase....but at the very least without making it feel like you are spamming them.

I'm biased of course; this is what we are doing at Vocel.com. We make this possible today. The emerging platforms (BREW UIOne, OpenWave MIDAS, and Adobe Flash Lite) are going to enable the next stage, and in the process make mobile gaming known to the masses: previews and teasers pushed to the device, and into the faces of non-traditional users.

Like Steam has done on the PC, the answer to mobile data isn't to sell more things to people who already want it. The answer is to engage more people and teach them to want it.
-Todd


Tootsie Roll Revenue.

Posted by todd Wed, 18 Oct 2006 06:06:00 GMT


Ok, I don't want to be Mr. Negativity here but if I hear one more startup company claim their revenues are going to come from advertising clicks.... Pow! Right in the kisser!

Yes, Google and Yahoo (less so) make piles of money with their advertising models. Yes, the Myspaces of the world generate real revenue from advertising. As Andy Kessler points out, they own a huge channel. The part that baffles me is why so many companies are being funded on the hope that they can just USE these pipes (often even without any recognizable traffic)!

If there is any question in your mind that the advertising model is out of control, take a step back and think about your web surfing habits. How often do you *really* click on an ad? Personally, I'd say I do it roughly once in a hundred SITE views (not page views). On top of that, I'd hazard a guess that I click more than most people because I live on the web and spend my time doing research. I click to find out who is competing in a space.

I guess we are left with a question.

How many clicks does it take to get to the revenue center of an advertising based shop? One... Two... WAY MORE THAN THREE. (Sorry, that was terrible) -T


Worms/Virii 2.0

Posted by todd Wed, 18 Oct 2006 05:59:00 GMT


I'm not sure how I missed the fact that "ToorCon" was down the street from me in San Diego last weekend, but anyway...

There was a session there discussing the vulnerabilities of AJAX in web applications, and it's going to be an interesting problem. I haven't been hacking code enough lately to understand the details, but from the sounds of it this may be about as good as Unix security back in the day.

One difference: back then the majority of the world didn't check their credit card statements in Unix.

The article also mentions the "Sami" worm, which is probably my favorite geek story in years.

"An AJAX-capable browser can load up pages and step through complex forms without the browser's owner ever knowing anything has happened. This technique was used most famously by a teenager named "Sami," who wrote an AJAX worm and put it on his Myspace profile which caused anyone who looked at his site to "friend" him and propagate the exploit on their own page. To his dismay and surprise, within a day he had a million new friends. This was a relatively harmless application, but Stamos warns that the damage doesn't end there. "There are a lot of (AJAX bugs) that are being exploited now.""

Read the whole article HERE.


Business Myths For Geeks.

Posted by todd Wed, 18 Oct 2006 05:54:00 GMT


Well, this is the first post for my refurbished blog. It's now a site for things that interest me from a business perspective....namely, mobile technology, venture capital, and growing small businesses into big businesses.

As a geek who has gone to the "dark side", I've spent countless hours talking to my geek friends about ideas that could change the world or make everyone rich. They really could! Unfortunately they never have, and I know why. So does Ron Garret.

A selection from his article of tips for geek entrepreneurs:

Myth #9: The idea is the most important part of my business plan. Reality: The idea is very nearly irrelevant. What matters is

1) who are your customers?

2) Why will they buy what you're selling? (Note that the reason for this could very well be something like, "Because I'm famous and I have a huge fan base and they will buy sacks of stale dog shit if it has my name on it." But in your case it will more likely be, "Because we have a great product that blows the competition out of the water.")

3) Who is on your team? and

4) What are the risks?

Read the full article HERE.

