I've never been much on centralized contact managers like Plaxo. Why would I want to outsource all of my contacts to some company in the naïve hope that they won't hose me? Turns out that this may have been a legitimate concern; this describes a trivial script injection attack against Plaxo that lets an attacker 0wn your contact data. Oops. So, if you're using Plaxo, you should probably stop.
Posted by Paul at March 12, 2004 01:40 PM
Paul,
First, thanks for finding this. We have already made the appropriate fixes and patched the system. We appreciate the help. In the future, we would truly appreciate it if you contacted us *before* posting to the internet so that we can fix it before malicious people do any damage to innocent folks. Our first priority is protecting our members' data and we take this very seriously. Send emails to rikk@plaxo.com (vp of eng) and trust@plaxo.com.
The good news is that no one besides yourself had found this (this was easy to determine) and therefore no plaxo member's data (besides your test on yourself) was impacted.
Also, for the record, the issue was limited to impacting the users that a specific user was connected to. Thus, a malicious hacker would need to get INTO the address books of members that he/she was interested in messing up. Not suggesting that this was not a real issue, though.
Again, thanks very much for finding this and please continue to bang on plaxo. If there is a next time, please give us time to fix before telling the bad guys.
Thanks,
Rikk Carey
vp of engineering
Plaxo, Inc.
*** Plaxo fixed this on Friday, March 12. There was no damage to any member data. ***
Posted by: Rikk Carey on March 14, 2004 12:24 PM
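The class of bug discussed above is script injection through user-supplied contact fields that a service later renders into HTML for other members (Rikk's reply notes the exposure was scoped to the members a given user was connected to). The following is an added illustration, not Plaxo's code and not from the original post; it assumes a hypothetical contact manager that stores each contact as a dict of free-text fields and builds an HTML card from them. It shows the vulnerable rendering beside the hardened one (HTML-escaping at output time), plus a small audit routine a defender could run over stored records to see which fields carry tag-like content. The sample record is constructed.

```python
"""Script injection via stored contact fields: vulnerable vs. hardened rendering.

Added illustration only (hypothetical contact manager, not Plaxo's code).
Assumes contacts are dicts of free-text fields rendered into HTML for every
member connected to the record's owner.
"""
import html
import re

# Constructed sample record whose "name" field carries markup. If a service
# interpolates this into HTML unescaped, the markup runs in the browser of
# every connected member who views the card.
SAMPLE_CONTACT = {
    "name": 'Alice <script>document.title="owned"</script>',
    "email": "alice@example.invalid",
    "company": "Example & Sons",
}

FIELDS = ("name", "email", "company")


def render_contact_vulnerable(contact: dict) -> str:
    """Naive rendering: stored text is dropped straight into the HTML."""
    rows = "".join(
        f"<tr><td>{k}</td><td>{contact.get(k, '')}</td></tr>" for k in FIELDS
    )
    return f"<table class='contact'>{rows}</table>"


def render_contact_hardened(contact: dict) -> str:
    """Output encoding: every field is HTML-escaped at render time.

    html.escape(..., quote=True) turns <, >, &, ' and " into entities, so
    whatever a user stored is displayed as text, never parsed as markup.
    """
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td>"
        f"<td>{html.escape(str(contact.get(k, '')), quote=True)}</td></tr>"
        for k in FIELDS
    )
    return f"<table class='contact'>{rows}</table>"


# Heuristic for tag-like or script-like content in a free-text field:
# an opening/closing tag, a javascript: URL scheme, or an on*= handler.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript\s*:|on\w+\s*=", re.IGNORECASE)


def contacts_with_markup(contacts: list) -> list:
    """Defensive audit over stored records.

    Returns (index, field) pairs whose value contains tag- or script-like
    content. Useful for scoping what an injection issue touched; it is a
    detection aid, not a substitute for escaping on output.
    """
    hits = []
    for i, contact in enumerate(contacts):
        for k in FIELDS:
            if _MARKUP_RE.search(str(contact.get(k, ""))):
                hits.append((i, k))
    return hits


if __name__ == "__main__":
    clean = {"name": "Bob", "email": "bob@example.invalid", "company": "X"}
    print(render_contact_vulnerable(SAMPLE_CONTACT))
    print(render_contact_hardened(SAMPLE_CONTACT))
    print(contacts_with_markup([SAMPLE_CONTACT, clean]))
```

The hardened renderer is the actual fix; the audit helper only tells you which stored records would have been affected, which is the kind of check that lets a vendor say, as Rikk does above, how many members' data a bug touched.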