How I hacked Friendster with CoComment

Update: Just received an email from Stephanie Booth of CoComment acknowledging the bug. She indicated that the CoComment team is working on a fix - kudos to them for the quick follow-up! (I'm guessing they made the quick discovery with CoComment on this Techcrunch conversation - bravo, definitely a worthy app despite the bug)

---

I just stumbled upon an interesting loophole with Friendster using CoComment which allows me to see a list of sent messages belonging to other users, presumably those that are also registered with CoComment, and are keeping track of their sent messages using the form on the default Friendster Send Message page (http://www.friendster.com/sendmessage.php)

Here's how it happened:

• I received a private message in Friendster from a friend.
• I clicked on reply, and chose to keep track of the conversation with CoComment.
• Moments later, I receive a notification from CoComment that the conversation has been updated.
• I log on to my CoComment conversations page, and notice that it's a message sent by mrblinky, who happens to be another user that has signed up with CoComment and has chosen to keep track of his/her Friendster messages

Messages from mrblinky to honeybear won't change the world, but this is definitely a privacy loophole. And it's creepy because now everyone else on CoComment will be able to see my Friendster sent messages! You can bet that I'm going to stay away from replying to any Friendster message until this is fixed.

The following screenshot shows my sent message amongst 97 other sent messages that do NOT belong to me:




The screenshots below shows the message in my Friendster inbox which I replied to. The reply form is hosted on http://www.friendster.com/sendmessage.php:




Relevant links:

• Articles on CoComment by Techcrunch
• Techcrunch > CoComment: Tracking Your Blog Comments
• Friendster
• CoComment