White Label Social Networks

aside 8 Apr

Security Loophole In Ning Social Networking App?



Image Source: sxc.hu

I’m not a security expert but there have been a number of cases within the social network for Darjeeling that I run (with over 1,000 members) using Ning where someone logs in as another person and wreaks havoc giving the administrators a hard time.

One of our members dropped me a Facebook message informing me of the security loophole telling me that Ning transmits email address and password in cleartext.

the site is transmitting userid and password in clear text. i know the login form with ning id is secure but there there a field named xg_token as “xg_token=&emailAddress=me@gmail.com&password=password” somewhere in the code that is doing this.

Like I said before, I’m not an online security expert but I downloaded a sniffer from Effetech to test the claim using my own email address and password in Ning. I could see my password in cleartext (masked in the screenshot below). Additionally, as a logical test I tried sniffing my own Gmail username and password which was unsuccessful. In my own layman way, this probably means that the Ning password is being sent in cleartext while Gmail sends it securely.

I have informed Ning and let’s see what they have to say about it. Meanwhile, has anyone had this issue with Ning before?

• Social Links

• Ten Recent Posts

  • Empire Building Kit Week 6 Learning Notes
  • Week 5 Highlights from Chris Guillebeau’s Empire Building Kit (Learning Notes)
  • Poke The Box by Seth Godin: Mind Map Book Review & Summary
  • Chris Guillebeau’s Empire Building Kit: Insights from Week 4
  • How Full Is Your Bucket by Donald O Clifton and Tom Rath
  • Lessons from Week 3 of Chris Guillebeau’s Empire Building Kit
  • Book Review of Do The Work by Steven Pressfield
  • Review of A Whole New Mind by Daniel Pink
  • Review of Start Something That Matters by Blake Mycoskie
  • Week 2 Mindmap of Chris Guillebeau’s Empire Building Kit

• 5 Most Popular Posts

  • Blog Development And Launch Checklist

    07 Oct 2009

  • List Of Blog Ping Services

    07 Oct 2009

  • Hide Affiliate Links With WordPress Redirection Plugin

    09 Apr 2009

  • Dumb MySpace Doesn't Seem To Know That Singapore Is Not In China

    13 Apr 2009

  • How To Create A Facebook Page Badge Tutorial

    05 May 2010

• Archives

  • February 2012
  • January 2012
  • December 2011
  • November 2010
  • June 2010
  • May 2010
  • January 2010
  • October 2009
  • September 2009
  • August 2009
  • July 2009
  • June 2009
  • May 2009
  • April 2009
  • March 2009

• Blog Tags

  Affiliate Marketing BallHype behance.net Blake Mycoskie Blip.fm Blogger brightkite Buzznet cafemom Chris Guillebeau ClickBank Current Cyworld DailyMotion delicious Digg diigo Disqus Dropjack eBay EBK eHow Empire Building Kit epinions Etsy Facebook Families.com Faves Joomla Projects Keyword Competition Keyword Difficulty Keyword Relevance Keyword Research Kontera Kuzzuk Link Cloaking MySpace Ning Problogger Singapore Twitter Unconventional Guides White Label Social Networks Wordpress WordPress Plugin