
Friday, September 16, 2011

Google +1 button concerns about misleading use and security


The Google+ +1 button can be pointed at an external web site, different from the web page you are browsing.


Developers can set the "href" parameter on the "<g:plusone>" element; when a user clicks the +1 button, the vote is assigned to that external web site instead of the current page.


The +1 button shows no alert or warning that the vote has been assigned to an external web site, so you can see a +1 button like this:

I like Apples :-) ..or Microsoft?
 
<g:plusone href="www.microsoft.com"></g:plusone>

You like it, you click it but.... the vote goes to Microsoft, not to Apple.
Bad guys can use this trick to place a +1 button next to an innocent image and send the vote to adult web sites or similar.
Here is an example


Warning! If you click +1 your vote will be assigned to youporn web site!
I like Bicycles ... or youporn?



Does this seem correct?


One solution would be to show, in the popup information, a warning that the +1 will be assigned to an external web site rather than to the page you are viewing.


Lesson learned: people prefer youporn to microsoft ... 1400 likes vs 381.
Note: if you see lower numbers, please open this post on its own by clicking on the title.

Don't forget to vote for this article; this +1 is genuine and links to this blog!!!
I like this article!!



19/09/2011 Additional notes:

Here is how browsers show details about the +1 button:
Chrome 15.0.874.15 dev-m: [screenshot]

Firefox 5.0: [screenshot]
And here is the actual code generated by the button; note the "url" parameter, which carries the value of "href" (here www.microsoft.com), while the "parent" parameter in the fragment carries the page that embeds the button:
<iframe allowtransparency="true" frameborder="0" hspace="0" id="I1_1316419994232" marginheight="0" marginwidth="0" name="I1_1316419994232" scrolling="no" src="https://plusone.google.com/u/0/_/+1/fastbutton?url=http%3A%2F%2Fwww.microsoft.com%2F&amp;size=standard&amp;count=true&amp;annotation=&amp;hl=en-US&amp;jsh=r%3Bgc%2F23803279-4555db52#id=I1_1316419994232&amp;parent=http%3A%2F%2Fdevcoma.blogspot.com&amp;rpctoken=485083169&amp;_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe"></iframe>
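The generated iframe carries both the vote target ("url" in the query string) and the embedding page ("parent" in the fragment), so a reader can detect a misleading button from the iframe src alone without trusting the page. The following is an added example, not code from the original post or from Google: it assumes the src layout shown above and uses a plain hostname comparison as the mismatch test. In a browser you would collect the src values with document.querySelectorAll('iframe[src^="https://plusone.google.com/"]'); the sample inputs below are constructed, the first one being the iframe from this post.

```javascript
// Added example (not part of the original post): flag +1 buttons whose vote
// target differs from the page that embeds them.
// Assumption: the iframe src layout shown in the post, i.e. the "url" query
// parameter is the vote target and the "parent" fragment parameter is the
// embedding page.

// Extract vote target and embedding page from a +1 iframe src.
function plusOneTarget(iframeSrc) {
  const src = new URL(iframeSrc);
  const target = src.searchParams.get('url');
  // The embedding page is passed in the fragment, not in the query string.
  const fragment = new URLSearchParams(src.hash.replace(/^#/, ''));
  const parent = fragment.get('parent');
  return { target, parent };
}

// Lower-cased hostname of a URL, or null if it does not parse.
function hostOf(u) {
  try {
    return new URL(u).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// A button is misleading when the vote goes to a different host than the
// page showing it. Missing or unparsable values are treated as suspicious.
function isMisleadingPlusOne(iframeSrc) {
  const { target, parent } = plusOneTarget(iframeSrc);
  const targetHost = hostOf(target);
  const parentHost = hostOf(parent);
  if (!targetHost || !parentHost) return true;
  return targetHost !== parentHost;
}

// Audit a list of iframe src values; only +1 iframes are considered.
function auditPlusOneButtons(srcs) {
  return srcs
    .filter((s) => s.startsWith('https://plusone.google.com/'))
    .map((s) => {
      const { target, parent } = plusOneTarget(s);
      return { target, parent, misleading: isMisleadingPlusOne(s) };
    });
}

// Constructed sample inputs. The first is the iframe shown in the post
// (vote to www.microsoft.com while the page is devcoma.blogspot.com); the
// second is a hypothetical genuine button voting for the page itself.
const SAMPLE_SRCS = [
  'https://plusone.google.com/u/0/_/+1/fastbutton?url=http%3A%2F%2Fwww.microsoft.com%2F&size=standard&count=true&annotation=&hl=en-US&jsh=r%3Bgc%2F23803279-4555db52#id=I1_1316419994232&parent=http%3A%2F%2Fdevcoma.blogspot.com&rpctoken=485083169&_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe',
  'https://plusone.google.com/u/0/_/+1/fastbutton?url=http%3A%2F%2Fdevcoma.blogspot.com%2F2011%2F09%2Fpost.html&size=standard&count=true#id=I1_2&parent=http%3A%2F%2Fdevcoma.blogspot.com&rpctoken=1',
];

for (const r of auditPlusOneButtons(SAMPLE_SRCS)) {
  console.log(`${r.misleading ? 'MISLEADING' : 'ok        '} vote -> ${r.target} on page ${r.parent}`);
}
```

The comparison is deliberately strict: a page on devcoma.blogspot.com that votes for www.devcoma.blogspot.com would also be flagged. Relaxing that to a registrable-domain comparison needs a public suffix list and is left out here; the point is that the browser already has enough information in the src to warn the user, which is exactly what the button's popup does not do.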