Plurk Post Phantom

Last night I was on Plurk having a good ole’ time with my Pleeps when suddenly some strange text appeared on one of my friend’s posts. It looked Japanese, but I couldn’t be sure. There was one thing I was sure of, however: this friend did not speak Japanese. I opened the post to find out what was going on, and sure enough she was freaking out. From what we gathered, a user named yungsang had somehow posted on her timeline as her. Being the helpful and “detective like” person I am, I decided to help.

First Steps

The initial reaction was that she had been hacked. So the very first step in the process was to have her change her password on Plurk. If you feel you’ve been hacked anywhere, DO THIS FIRST! My next reaction was that it may have just been an internal error with Plurk and somehow it had confused a post the person made with my friend’s screen name. This seemed likely, as there are still a few bugs in Plurk to be worked out. This, however, was proven wrong when yungsang shared this:

“I’m apologize very much. It was a Plurk internal API which used for my Plurk bookmarklet. It was not Hack thing.”

This statement got me thinking, as he posted a link straight before this, and he somehow had access to the “Plurk Internal API”. Immediately after this post I started to get suspicious, as the profile of the person in question went from public to private.

Contacting the Devs

I then thought it was time to inform the developers of Plurk, because now it was piquing people’s interests. I made a new post calling Amix or any Plurk dev to check out the thread we had been posting in. I then popped back into this thread and continued to gather information.

Getting the Facts

At this point we were all a little shaken. I was ready to call it a night and try for the A-Team in the morning when Keith Hanson (creator of Plurker) popped into the thread with some interesting things to say. Now I won’t go into all the gruesome programmer details here, but long story short, he stated that it may be faulty AJAX calls, and if we could use myself as a guinea pig we could test his theory.

Well, I waited and the test came through as a fail. He then stated that if the person had access to your cookies, that could be a definite alternative to being able to post via API on your account. Amix (lead Plurk Dev) later confirmed that indeed the only way for someone to accomplish this is for them to have access to your cookies.

My Thoughts

I personally love how Amix saw my post and was quick to respond with questions and comments to get this matter resolved. I have to say that this social community on Plurk has, by far, the greatest amount of support and developer interaction we receive on a day-to-day basis. If you all see Amix around, please let him know that you appreciate all his hard work and dedication to the Plurk way of life.

Resolution

Amix later had another response in which he let everyone know that there would be an upgrade to the session library, and a patch would be coming shortly. He also made clear that Plurk’s dev team is taking this matter very seriously.

Patch

Information on date/time of patch is listed below:

Security patch update (all users will be auto-logged out)

July 8th, 2008

22:00 (10:00pm) EST / 3am GMT

UPDATE

Phantom Plurker Solved - by Keith Hanson


4 Pleeps to “Plurk Post Phantom”

  1. Sarah Says:

    There’s more than one person doing it, as far as I can tell. I got hit, by a link that looked like a Plurk.com link.
    If TopSurf hasn’t deleted hers, it was available in the comment section, by someone not the person who did her originally.

  2. Thoughtwrong Says:

    It has finally been solved. Thanks to Keith Hanson and all the other fellow plurkers out there for your help with this.

  3. Zen Elements Says:

    Man, I always miss the crazy things!! Thanks for writing this up though. It’s been great to catch up on all the happenings of it and I see too that http://blog.plurker.org/ gave reference to your post :)

    Sounded an interesting evening anyway!

    Keep up with the great posting! :)

    Alex | Zen

  4. veronicaromm Says:

    Cool article and great detective work.
