Potential FriendFeed Hole Allows Users to Embed Web Bugs

friendfeed-logo.jpgI have discovered a feature (or perhaps vulnerability?) of FriendFeed that, intended or not, could enable marketers to track every single view of their RSS posts to FriendFeed.  The feature revolves around the ability to embed images, via a subset of RSS called MediaRSS, into your RSS feed.  If your RSS is MediaRSS formatted, FriendFeed automatically reads the images in the feed and displays the first one as the main image in the post to your feed on FriendFeed.com.  Here’s the problem though (or maybe it’s a feature?) – FriendFeed stores the original URL to the image as the main image URL.  They don’t re-format it at all or store it on their servers.  This means you can dynamically produce anything you want on FriendFeed.com, set cookies, store IP information, etc. without the user ever knowing about it.

Screen shot 2009-12-15 at 1.25.22 PM

I discovered this hole due to an annoyance I had with my TweetMeme button always showing up as the image in my posts to FriendFeed.  I noticed that the number of retweets was dynamically updating, right on FriendFeed.  Sure enough, looking at the source of the image, the image was being generated from TweetMeme’s servers, not FriendFeed’s.

Such Web Bugs are common throughout the web, especially in advertising and other marketing-based mediums, so the threat isn’t huge.  However, this may be something the FriendFeed team may want to look at if they don’t want marketers to be getting information about their users off the FriendFeed.com site itself.  If anything, I’d like to see them just ignore 3rd-party image URLs altogether and maybe my pesky TweetMeme icon will stop showing up as the image on my posts to FriendFeed.  Is this a feature or a “bug”?

Googling, here’s some more information I found about “Web Bugs”: http://www.leave-me-alone.com/webbugs_growing.asp

Advertisements

7 thoughts on “Potential FriendFeed Hole Allows Users to Embed Web Bugs

  1. Since you're using WordPress, I suspect you have a couple of plugins interacting in unexpected ways. I suspect you're using the MediaRSS plugin and the TweetMeme button plugin, yes?

    The MediaRSS plugin isn't particularly picky. When you use another plugin to insert content (like the TweetMeme image button) into the post, then the MediaRSS plugin will see it and pick it up. Actually, this is a problem for normal smilies, however it has special code to take care of that.

    Edit the MediaRSS plugin and you'll find this code on line 65 or thereabouts:
    if ( isset( $img['class'] ) && false !== strpos( $img['class'], 'wp-smiley' ) )
    continue;

    That code makes it basically ignore any images with “wp-smiley” in their class. Happily, strpos is not picky about the needle it's looking for in the haystack. So you can change that code to this:

    if ( isset( $img['class'] ) && false !== strpos( $img['class'], array('wp-smiley', 'tweetmeme', 'anything-else-you-like') ) )
    continue;

    And voila, no more tweetmeme buttons in the MediaRSS equipped feed. Feel free to add as many excludables to that array as you like.

    Note that you're excluding based on “class” of the image here. This is an important bit to remember.

    Like

  2. Otto, thanks – I was going to do that anyway, but the problem still exists
    that anyone can utilize MediaRSS to add web bugs to their stream in
    FriendFeed. I'm not sure FriendFeed wants this functionality – maybe they
    do.

    Like

  3. Yes, but I'm not sure that it's necessarily a good idea for them to copy images and such to their own site to display them either. And having a filtering mechanism seems like a long way to go about it.

    Most modern browsers have an option to not send referrer information on to third-party sites anyway, so this isn't that big a deal. There's better ways to break web-bugs.

    Like

  4. Since you're using WordPress, I suspect you have a couple of plugins interacting in unexpected ways. I suspect you're using the MediaRSS plugin and the TweetMeme button plugin, yes?

    The MediaRSS plugin isn't particularly picky. When you use another plugin to insert content (like the TweetMeme image button) into the post, then the MediaRSS plugin will see it and pick it up. Actually, this is a problem for normal smilies, however it has special code to take care of that.

    Edit the MediaRSS plugin and you'll find this code on line 65 or thereabouts:
    if ( isset( $img['class'] ) && false !== strpos( $img['class'], 'wp-smiley' ) )
    continue;

    That code makes it basically ignore any images with “wp-smiley” in their class. Happily, strpos is not picky about the needle it's looking for in the haystack. So you can change that code to this:

    if ( isset( $img['class'] ) && false !== strpos( $img['class'], array('wp-smiley', 'tweetmeme', 'anything-else-you-like') ) )
    continue;

    And voila, no more tweetmeme buttons in the MediaRSS equipped feed. Feel free to add as many excludables to that array as you like.

    Note that you're excluding based on “class” of the image here. This is an important bit to remember.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s