
Source of FriendFeed Spam Revealed – Write APIs Can Be Trouble

An interesting note came across our inboxes just now – the source of yesterday’s FriendFeed spam has been revealed. If you’ve been using the social aggregator FriendFeed, then you may have noticed some odd-looking discussions yesterday where the same comment was repeated over and over by numerous different users. The source of this spam has now been identified, but this problem highlights a larger issue that could affect any company providing an open write API for developers to use – it only takes one developer’s mistake to greatly impact a service.

If you don’t know what we’re talking about, then take a look at these posts on FriendFeed here and here to see the problem in action (or just check out the image below):

According to FriendFeed’s Bret Taylor, the problem was caused by a malfunctioning API client. At the time, he didn’t know whether the problem was accidental or intentional, so they disabled that API client’s access and traced the IP address to determine where the messages were coming from. They then got in touch with the developer to let him know what was going on.

As it turned out, the service at fault was Gridjit, a social portal service still in alpha that uses both Twitter’s and FriendFeed’s APIs to allow you to view and interact with both services from Gridjit’s web site.

As soon as FriendFeed got in touch with Gridjit, Gridjit’s founder, Ray Grieselhuber, disabled the service’s ability to post statuses, comments, and likes from within Gridjit and shut off access to the account management screens. After a day’s worth of research, the problem was found: it wasn’t a security breach, just a bug in Gridjit’s own code. The issue is being addressed now, and the affected users who had comments posted under their names were contacted via an email that read:

I’m sending this to let you know about a bug in Gridjit’s code that caused a comment to be posted to FriendFeed in your name.

I spent the day reviewing the system and performing security audits to ensure that this was not a security violation – it was not.

Rather, it was a bug in the system that caused the extra comments to be posted based on some obscure query patterns. I’m taking steps to prevent this sort of thing from happening again.

If you would like to see the comments and delete them, the FriendFeed links can be found here:



I sincerely apologize for this. The quality of your experience with Gridjit is very important to me.

Additional details and updates will be posted on the Gridjit blog (http://blog.gridjit.com).

Please let me know if you have any questions.

Best regards,

Ray Grieselhuber

Write APIs – A Cause For Concern?

While in this particular case the issue was relatively minor and more of a strange occurrence than anything, it was only through FriendFeed’s quick action in disabling the offending API client that the entire service was not affected by this programming bug. It also helped that Gridjit is still in private alpha testing at the moment, so there aren’t a lot of users currently using the service.

But what if this bug had come from another service that was heavily used? And what if it had been a web app that’s far more mission-critical than FriendFeed?

The problem with providing an open write API is that a single third-party client, acting with the credentials of many users at once, can have an outsized impact on the service. In Gridjit’s case it was an accidental bug in the client’s code, but a developer with malicious intent could have used the same access to do the same thing deliberately. What made the recovery quick was that the writes were tied to an identifiable API client that FriendFeed could switch off on its own, without locking out the users whose names the comments appeared under.
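As an added example (not FriendFeed’s or Gridjit’s code), the following Python sketches the two controls the incident calls for on the API provider’s side: detection of one client key posting an identical comment across many users’ accounts, and a per-client throttle with a kill switch so that a misbehaving key can be cut off without touching other clients. The log format, client keys, users, and comment bodies are constructed for the example and are not real FriendFeed data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log for a hypothetical write API (not real
# FriendFeed traffic). Assumed record format, one write per line:
#   <ISO timestamp> <api_client_key> <acting_user> <action> [<body>]
SAMPLE_LOG = """\
2008-09-17T10:00:01 client_A alice comment Great post!
2008-09-17T10:00:03 client_A bob comment Great post!
2008-09-17T10:00:04 client_B carol comment Nice photo
2008-09-17T10:00:05 client_A dave comment Great post!
2008-09-17T10:00:07 client_A erin comment Great post!
2008-09-17T10:00:09 client_A frank comment Great post!
2008-09-17T10:00:10 client_B alice comment thanks
2008-09-17T10:00:12 client_A grace like
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ", 4)
        ts, client, user, action = parts[:4]
        body = parts[4] if len(parts) > 4 else ""   # likes carry no body
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "user": user, "action": action, "body": body})
    return events


def find_abusive_clients(events, window_seconds=60, max_distinct_users=3):
    """Flag API client keys that posted an identical comment body on behalf of
    more than max_distinct_users distinct users inside a sliding time window.
    One user repeating themselves is not flagged; the signature is a single
    client fanning the same text out across accounts it holds tokens for."""
    window = timedelta(seconds=window_seconds)
    posts = defaultdict(list)            # (client, body) -> [(ts, user), ...]
    for e in events:
        if e["action"] == "comment":
            posts[(e["client"], e["body"])].append((e["ts"], e["user"]))
    flagged = {}
    for (client, body), hits in posts.items():
        hits.sort()
        start, suspects = 0, set()
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) > max_distinct_users:
                suspects |= users
        if suspects:
            flagged[client] = {"body": body, "users": sorted(suspects)}
    return flagged


class WriteGate:
    """Per-client token bucket for write calls plus a kill switch, so one
    misbehaving client key is throttled or cut off without affecting others."""

    def __init__(self, capacity=3, refill_per_sec=1.0):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets = {}                # client -> (tokens, last_seen)
        self.disabled = set()

    def disable(self, client):
        self.disabled.add(client)

    def allow(self, client, now):
        if client in self.disabled:
            return False
        tokens, last = self.buckets.get(client, (float(self.capacity), now))
        tokens = min(self.capacity,
                     tokens + (now - last).total_seconds() * self.refill)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1, now)
        return True


def replay(events, gate):
    """Run every write through the gate in log order; True means accepted."""
    return [gate.allow(e["client"], e["ts"]) for e in events]


def quarantine(events, gate):
    """Automate what FriendFeed did by hand: disable every flagged client key
    on the gate and return the set that was cut off."""
    flagged = find_abusive_clients(events)
    for client in flagged:
        gate.disable(client)
    return set(flagged)
```

In the sample log, `client_A` posts the same comment for five different users within a few seconds and is flagged, while `client_B` is left alone; `quarantine` then disables only that key, so `client_B`’s writes still pass through the gate. The thresholds and window are illustrative; a real deployment would tune them against normal fan-out for legitimate cross-posting clients.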
