Geeks like me are often ugly, lonely and somehow mentally and socially disrupted. Luckily there are a bunch of social services out there which are very helpful for getting around that problem. But getting onto other people's friend lists can be very cumbersome: you need to chat or even meet someone IRL, i.e. at conferences, bars and stuff. So the main question is how that can work without any user interaction from the other side, without injecting AJAX, using SQL injections or uberl33t exploits. In some cases the answer can be _very very_ simple, so simple that it's not even really funny.
First of all you need a service which performs the interesting parts via HTTP GET requests. One example is Plazes, a quite popular geolocation service. To add a person as a friend at Plazes, the request looks like *http://beta.plazes.com/friends/friendadd?friend=[hash_of_user_name]*.
Second you need to trigger this script with the credentials of the person who should add you as his/her friend. For this it's handy to have a blog, a website, a feed or something like that and include for example an image tag, but instead of the URI of a real image, use the URI of the trigger. Since the browser doesn't know whether the request points to a picture or some other resource, it just calls the URI and the script is performed for that user without his knowledge. If the user hasn't logged off the service properly (which is very often the case) the request will be successful, even if he isn't actually logged in (well, he is, from the application's point of view). Most of you probably already recognized this simple and well known technique, usually called CSRF (Cross Site Request Forgery).
I noticed a very interesting and neat detail: all users I got on my list are Mac users, and all of them use NetNewsWire as their preferred feed reader. NNW, as an application based on WebCore, shares the cookie file located under _/Users/username/Library/Cookies/Cookies.plist_ with Safari, which opens up a bunch of highly entertaining possibilities.
So if you'd like to try that at home, hurry up. I guess they'll change it soon and add a unique token to the request, which will make it a bit more difficult for you to get the friends you are looking for. But even if this doesn't work any longer, there are many more services out there which are sometimes even worse …
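The unique-token fix mentioned above, as an added example that is neither Plazes' code nor anything from the original post: a minimal Python sketch of the server side of `friendadd` that refuses GET and requires a per-session token, with a constructed cookie-bearing `<img>`-style GET beside a legitimate form POST. Session ids, friend hashes, the secret and the in-memory stores are all constructed stand-ins.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-ins for server state: the session store and each user's friend list.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sid-alice-1234": "alice"}   # session cookie -> logged-in user
FRIENDS = {"alice": set()}

@dataclass
class Request:
    method: str
    path: str
    params: dict
    cookies: dict   # the browser attaches these to *every* request, an <img> fetch included

def csrf_token(session_id: str) -> str:
    """Per-session token: HMAC of the session id under a server secret.
    A third-party page can make the browser send the cookie, but cannot read
    or compute this value, so it cannot build a request that carries it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_friend_add(req: Request) -> tuple[int, str]:
    """Server side of /friends/friendadd with the checks the GET-only version lacks."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return 401, "not logged in"
    # 1. State changes never ride on GET: an <img src> or a feed reader can only issue GETs.
    if req.method != "POST":
        return 405, "friendadd requires POST"
    # 2. The request must carry the token only a page served by us could have embedded.
    expected = csrf_token(req.cookies["session"])
    supplied = req.params.get("token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    FRIENDS[user].add(req.params["friend"])
    return 200, f"{user} added {req.params['friend']} as a friend"

def forged_image_request() -> tuple[int, str]:
    """What a feed reader does on <img src=".../friendadd?friend=...">: a cookie-bearing GET, no token."""
    return handle_friend_add(Request("GET", "/friends/friendadd", {"friend": "HASH_OF_ATTACKER"},
                                     {"session": "sid-alice-1234"}))

def legitimate_request() -> tuple[int, str]:
    """The form on our own site: a POST carrying the token embedded for this session."""
    return handle_friend_add(Request("POST", "/friends/friendadd",
                                     {"friend": "HASH_OF_BOB", "token": csrf_token("sid-alice-1234")},
                                     {"session": "sid-alice-1234"}))
```

The token check alone would already stop the image trick, but refusing GET for state changes is the cheaper first line and also keeps the action out of browser history and proxy logs.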
Just to make it clear: my intention was not to show how to exploit Plazes or to blame them. It was just an example of a general issue, nothing more, nothing less.