Coding Horror at Digg

A mistake by developers at Digg not only created a flaw in the site’s newly added friend referral feature, but also left its user base vulnerable to a potential privacy disaster.
The referral feature works through a URL-based friend-adding mechanism, which means that if you’re logged into your Digg profile and you visit a link of the form http://digg.com/invitefrom/username, ‘username’ is automatically added as a friend of yours. The problem is that when someone inserts code such as the following
into their website, they can automatically force-add themselves as your friend without your permission and without you even knowing (unless of course you check your Digg friends page). As of 2.00 AM this morning the flaw had still not been fixed. I visited the above-linked webpage and that person was automatically added as my friend (with no action required on my part):

What’s worse, because a site owner can track visitors based on their IP addresses, and can subsequently see when they have been added as a visitor’s friend, some creative coding could easily link a list of IP addresses (of visitors) to a list of Digg usernames (now friends), creating possible privacy concerns. These issues were first reported 4 days ago.
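
The root cause described above is a state change triggered by any logged-in request to /invitefrom/username. The sketch below is an added example, not Digg's code or the author's: it models that behaviour next to a hardened handler that only mutates on POST with a per-session token. The function names, status codes, in-memory stores and user names are all assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed in-memory state for the demo (not Digg's data model).
SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}
FRIENDS = {}    # user -> set of friend names

def login(user):
    """Create a session and a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    FRIENDS.setdefault(user, set())
    return sid

def invite_vulnerable(method, path, cookie_sid):
    """Behaviour the post describes: any request to /invitefrom/<name>
    that carries a valid session cookie adds <name> as a friend."""
    session = SESSIONS.get(cookie_sid)
    if session is None or not path.startswith("/invitefrom/"):
        return 403
    FRIENDS[session["user"]].add(path.rsplit("/", 1)[1])
    return 200

def invite_hardened(method, path, cookie_sid, form_token=None):
    """Mutate only on POST, and only with the session's own token,
    which a third-party page can neither read nor guess."""
    session = SESSIONS.get(cookie_sid)
    if session is None or not path.startswith("/invitefrom/"):
        return 403
    if method != "POST":
        return 405  # a GET may show a confirmation page, never mutate
    sent = (form_token or "").encode()
    if not hmac.compare_digest(sent, session["csrf"].encode()):
        return 403
    FRIENDS[session["user"]].add(path.rsplit("/", 1)[1])
    return 200

def demo():
    sid = login("alice")
    # Cross-site request: the browser attaches the cookie, no token exists.
    v = invite_vulnerable("GET", "/invitefrom/mallory", sid)
    after_vuln = set(FRIENDS["alice"])
    FRIENDS["alice"].clear()
    h_get = invite_hardened("GET", "/invitefrom/mallory", sid)
    h_forged = invite_hardened("POST", "/invitefrom/mallory", sid, "guess")
    after_forged = set(FRIENDS["alice"])
    # Same-site form the user submitted, carrying the real token.
    h_ok = invite_hardened("POST", "/invitefrom/bob", sid, SESSIONS[sid]["csrf"])
    return v, after_vuln, h_get, h_forged, after_forged, h_ok, set(FRIENDS["alice"])
```

The hardened handler rejects the cross-site request in both shapes (405 for the GET, 403 for the POST with a wrong token) while the user's own confirmed request still succeeds.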
**Disclaimer: I am a Netscape Navigator.
