Digg Friend Invite Exploit NOT Fixed…
UPDATE: It looks like they’ve FINALLY fixed the issue. After Digg was down for a brief time, I logged back in to see this message:
If you pay any attention to Digg, you’ve probably already heard about the exploit of their new Friend Invite feature. Basically, by adding a simple iframe to a page and then getting you to visit that page, anyone can automatically add themselves to your friends list without your knowledge or consent. In fact, it worked so well that this guy added more than 200 friends in just a few minutes. Obviously that got Digg’s attention and they fixed the problem…
Later that afternoon, people began reporting that the exploit had been fixed. In fact, in a recent Digg submission about this very issue, a Digg employee assured me that they had fixed the issue. I gave it a shot and thought that they had indeed closed the loophole.
In actuality, they only fixed half the problem. Right now, if you log out of Digg (or are already logged out), and visit this page, you’ll see that now infamous 1 by 1 pixel iframe and nothing dramatic happens. Once you log back into Digg, however, you’ll get this nice message:
At least now you get the message that you’ve added the person as a friend; however, it’s still an issue. Many people either won’t notice the message or won’t bother to track down and delete their sneaky new friend.
In other words, Digg, you’ve STILL got a problem.
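The half-fix described above, modelled as an added example (not Digg's code and not part of the original post). It assumes the server remembers an invite requested while logged out and replays it at login, and contrasts that with a handler that only accepts a POST carrying a per-session token. `FriendApp`, `iframe_then_login` and the user names are hypothetical.

```python
import hmac
import secrets

class FriendApp:
    """Hypothetical friend-invite endpoint; a model, not Digg's code."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}  # session id -> {"user", "token", "pending"}
        self.friends = {}   # user -> set of friend names

    def new_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": None, "pending": None,
                              "token": secrets.token_hex(16)}
        return sid

    def _add(self, user, friend):
        self.friends.setdefault(user, set()).add(friend)

    def login(self, sid, user):
        s = self.sessions[sid]
        s["user"] = user
        # Assumed half-fix: a logged-out invite is replayed at login.
        if s["pending"] and not self.hardened:
            self._add(user, s["pending"])
        s["pending"] = None

    def add_friend(self, sid, method, friend, token=None):
        s = self.sessions[sid]
        if self.hardened:
            # A cross-site iframe sends the cookie but cannot read the token.
            if method != "POST" or not hmac.compare_digest(token or "", s["token"]):
                return "rejected"
            if s["user"] is None:
                return "login required"  # nothing is queued for later
        elif s["user"] is None:
            s["pending"] = friend        # carried across the login
            return "login required"
        self._add(s["user"], friend)
        return "added"

def iframe_then_login(hardened):
    """Constructed scenario: logged-out visit to the iframe page, then login."""
    app = FriendApp(hardened)
    sid = app.new_session()
    first = app.add_friend(sid, "GET", "mallory")  # request made by the iframe
    app.login(sid, "alice")
    return first, sorted(app.friends.get("alice", ()))
```

In the unhardened model the friend appears only after login, matching the behaviour described in the post; in the hardened one the iframe's request is dropped and nothing survives the login.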