OSNews

How do you know that the site is written in PHP? Not to mention that there are some php applications with a decent security record.

Security is a process not an end-state provided out-of-the-box by any existing language.

Exactly. A big example of this is the OpenBSD operating system. OpenBSD is written in C and has an excellent security record. Another example that comes to mind is the Apache Web Server.

Edited 2007-01-13 13:52

:D totally warranted post Adam; people point the finger at php, when they really should be looking at the developers of said sites.

Oh, and mugshot is Java. It only took three clicks to find that out, much easier than just presuming it's php and therefore full of holes.

But that's a whole argument I don't want to start.

You might want to try actually using Mugshot. You are not required to enter your passwords anywhere, only your usernames. You are normally be required to give this information out on a social networking service in order to, um, network.

Edited 2007-01-13 14:21

Thanks for the clarification jeremywc. I have no interest in social networking sites, so have not actually used it. If it is only using the usernames then there isn't a problem.

As for my PHP crack, just check Bugtraq.

http://search.securityfocus.com/swsearch?query=php&sbm=archive%...

You only enter your public username, not your password. So no, you can't crack into all these third party accounts just by cracking mugshot.

I'm really do not agree with your statement about PHP, but I do think you have a valid point.

All your login info in one spot feels a bit "icky" to me too.

I guess it's too much like putting all of your eggs in one basket.

except that apparently it is NOT all login info, just the username.

now i dont know much about these things, as i dont use myspace, youtube or any other of these new fancy smancy things, but as far as i know, the username is not a secret.

All your login info in one spot feels a bit "icky" to me too.

As it has already been stated, mugshot does not require passwords for accounts. Mugshot seems to take advantage of built in APIs provided by some of the sites, including rss feeds, while it may also employ some screen scraping. I can't really tell though because I don't even have an account with half of the communities that mugshot supports.