An interesting note came across our inboxes just now – the source of yesterday’s FriendFeed spam has been revealed. If you’ve been using the social aggregator FriendFeed, then you may have noticed some odd-looking discussions yesterday where the same comment was repeated over and over by numerous different users. The source of this spam has now been identified, but this problem highlights a larger issue that could affect any company providing an open write API for developers to use – it only takes one developer’s mistake to greatly impact a service.
If you don’t know what we’re talking about, then take a look at these posts on FriendFeed here and here to see the problem in action (or just check out the image below):
According to FriendFeed’s Bret Taylor, the problem was caused by an malfunctioning API client. At the time, he didn’t know whether the problem was accidental or intentional, so they disabled the API client and researched the IP address to determine where these messages were coming from. They then got in touch with the developer to let him know what was going on.
As it turned out, the service at fault was Gridjit, a social portal service still in alpha that uses both Twitter’s and FriendFeed’s APIs to allow you to view and interact with both services from Gridjit’s web site.
As soon as FriendFeed got in touch with Gridjit, Gridjit’s founder, Ray Grieselhuber, disabled the service’s ability to post statuses, comments, and likes from within Gridjit and shut off access to the account management screens. After a day’s worth of research, the problem was discovered – it wasn’t a security issue, just a bug in the code. The issues is being addressed now and the affected users who had comments posted under their name were contacted via an email that read:
I’m sending this to let you know about a bug in Gridjit’s code that caused a comment to be posted to FriendFeed in your name.
I spent the day reviewing the system and performing security audits to ensure that that this was not a security violation – it was not.
Rather, it was a bug in the system that caused the extra comments to be posted based on some obscure query patterns. I’m taking steps to prevent this sort of thing from happening again.
If you would like to see the comments and delete them, the FriendFeed links can be found here:
http://friendfeed.com/e/6def167a-f3d2-4711-aebd-6f8171919178/http-www-geeky-gadgets-com/
http://friendfeed.com/e/8be20617-8d57-478c-a367-98da5d02a8a0/Not-a-complete-list-of-top-diggers/
I sincerely apologize for this. The quality of your experience with Gridjit is very important to me.
Additional details and updates will be posted on the Gridjit blog (http://blog.gridjit.com).
Please let me know if you have any questions.
Best regards,
Ray Grieselhuber
Write APIs – A Cause For Concern?
While in this particular case, the issue was relatively minor and more of a strange occurrence than anything, it was only through FriendFeed’s quick action that the entire service was not affected by this programming bug. Of course, it was also helpful that Gridjit is still in private alpha testing at the moment, so there aren’t a lot of users currently using their service.
But what if this bug had come from another service that was heavily used? And what if it had been a web app that’s far more mission-critical than FriendFeed?
The problem with providing an open API (that is, a write API) is that all it takes is one programmer to have a big impact on a service. Like in the case of Gridjit, it may be an accidental bug in their code, but it could have just as easily been someone with a more malicious intent.
