
Friday, September 16, 2011

Google +1 button concerns about misleading use and security


The Google+ +1 button can be linked to an external web site, different from the web page you are browsing.


Developers can set the "href" parameter on the "<g:plusone>" element; when a user clicks the +1 button, the vote is assigned to that external web site.


The +1 button shows no alert or warning that the vote is being assigned to an external web site, so you can see a +1 button like this:

I like Apples :-) ..or Microsoft?
 
<g:plusone href="www.microsoft.com"></g:plusone>

You like it, you click it, but... the vote goes to Microsoft, not to Apple.
Bad guys can use this trick to place a +1 button next to innocuous images and send the vote to XXX web sites or similar.
Here is an example:


Warning! If you click +1, your vote will be assigned to the youporn web site!
I like Bicycles ... or youporn?



Does this seem correct?


One solution would be to show, in the popup information, a warning that the +1 will be assigned to an external web site, not to the page you are viewing.


Lesson learned: people prefer youporn to microsoft ... 1400 likes vs 381.
Note: if you see lower numbers, please open this post on its own by clicking on its title.

Don't forget to vote for this article; this +1 is genuine and links to this blog!!!
I like this article!!



19/09/2011 Additional notes:

Here is how browsers show details about the +1 button:
Chrome 15.0.874.15 dev-m:
[image: Chrome +1 button details]

Firefox 5.0:
[image: Firefox +1 button details]
And here is the actual code generated by the button; note the url parameter, which carries the href value (www.microsoft.com):
<iframe allowtransparency="true" frameborder="0" hspace="0" id="I1_1316419994232" marginheight="0" marginwidth="0" name="I1_1316419994232" scrolling="no" src="https://plusone.google.com/u/0/_/+1/fastbutton?url=http%3A%2F%2Fwww.microsoft.com%2F&amp;size=standard&amp;count=true&amp;annotation=&amp;hl=en-US&amp;jsh=r%3Bgc%2F23803279-4555db52#id=I1_1316419994232&amp;parent=http%3A%2F%2Fdevcoma.blogspot.com&amp;rpctoken=485083169&amp;_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe"></iframe>
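As an added example (not code from the original post or from Google), here is a small audit that applies the check the post asks Google for: it reads both the declared "<g:plusone href=...>" markup and the generated iframe's "url" parameter from a page's HTML and flags every button whose vote would go to a host other than the page being viewed. The sample HTML and the page URL http://devcoma.blogspot.com/ are constructed for the demo; it works on raw HTML strings so it runs in Node without a DOM.

```javascript
// Added example: audit a page's +1 buttons for targets that differ from the page host.
// Not part of the original post; the sample markup below is constructed for the demo.

// Normalise an href such as "www.microsoft.com" (no scheme) into a lowercase hostname.
// Unparsable targets return null so that they are reported rather than silently skipped.
function targetHost(raw) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : "http://" + raw;
  try {
    return new URL(withScheme).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Collect vote targets from two places: the declared <g:plusone href="..."> element
// and the iframe Google generates (src ...fastbutton?url=<encoded target>).
function plusOneTargets(html) {
  const targets = [];
  const tagRe = /<g:plusone\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi;
  const iframeRe = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']*fastbutton\?[^"']+)["']/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    targets.push({ kind: "g:plusone", href: m[1] });
  }
  while ((m = iframeRe.exec(html)) !== null) {
    // Attribute values carry "&amp;" for "&"; undo that before parsing the query string.
    const src = new URL(m[1].replace(/&amp;/g, "&"));
    const url = src.searchParams.get("url"); // searchParams percent-decodes the value
    if (url) targets.push({ kind: "iframe", href: url });
  }
  return targets;
}

// Return every button whose vote would be assigned to a host other than pageUrl's host.
function findMisdirectedPlusOnes(pageUrl, html) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  return plusOneTargets(html)
    .filter((t) => targetHost(t.href) !== pageHost)
    .map((t) => ({ ...t, host: targetHost(t.href) }));
}

// Constructed sample page: one genuine button for the blog itself, then the two
// forms from the post (the misleading markup and the iframe it generates).
const SAMPLE_HTML = `
<g:plusone href="http://devcoma.blogspot.com/"></g:plusone>
<g:plusone href="www.microsoft.com"></g:plusone>
<iframe src="https://plusone.google.com/u/0/_/+1/fastbutton?url=http%3A%2F%2Fwww.microsoft.com%2F&amp;size=standard&amp;count=true"></iframe>
`;
```

Running findMisdirectedPlusOnes("http://devcoma.blogspot.com/", SAMPLE_HTML) reports the two Microsoft-bound buttons and leaves the blog's own button alone.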

2 comments:

  1. Good, Matteo, thanks for alerting us to this new issue

  2. Google doesn't seem to worry about this issue, but IMHO an application that sends a message different from the message the user is "thinking" of sending is abnormal and dangerous.
    Another aspect is that when your G+ friends search on google they will see that you "+1" the youporn site..