Posted by mrapol

For the curious developers and security folk following us, we wanted to share the methodology behind our SmartShare safer social sharing plugin.

The State of Social Sharing

Commercial sharing tools provide simple and fast social sharing of web content. Tools like AddThis, ShareThis, and other CMS plugins that enable social sharing are ubiquitous; nearly every contemporary website uses some on-site bookmark sharing tool. Social sharing buttons and links are preset to recognize the URL of the page they appear on, allowing visitors to quickly propagate content to their digital and social networks. The tools are simple to install and provide countless “free” benefits. However, free is never really free. Few people realize that most of the companies providing those solutions do so to gain access to valuable information about you and your users. Those companies rely on the adoption of their 'free' social sharing tools to build vast web-wide user profile databases. They use the data they collect to power ad targeting businesses, and sometimes they even sell the data itself. Rarely, if ever, do the websites that provide all that data see any compensation.

The “Smart” in SmartShare

Like commercial sharing tools, SmartShare has a simple UI and is easy to install on a web page. SmartShare differs from most other sharing plugins in the following ways:

  • No user tracking. In most other tools, every action you perform with the tool is tracked unless you explicitly check the “Do not track” link.
  • Sharing with a limited set of ‘trusted’ social networks. Veracode’s sharing tool shares with 4 networks rather than the hundreds that come standard with other tools. The issue with hundreds of networks being available is that JavaScript from each of those sites can potentially be pulled down into the user’s browser. This additional code increases the risk profile of the sharing application.
  • Locally hosted, security-reviewed third-party JavaScript.
  • Use of an IFRAME to bring distrusted content into our existing site layout without mixing it into the page’s own DOM.
  • No advertisements, ever. There is a link to the SmartSocial Share tool page, but this is simply meant to spread security awareness and is easily removable with no consequence.
  • Smart Social Sharing users get access to the full, un-obfuscated JavaScript code. Users also get easy-to-follow install instructions.
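The “locally hosted” property above is only as good as the page that claims it: one later edit that drops in a vendor snippet reintroduces remote code. A check a practitioner would want is a scan of the page for script tags that still load from another origin. The following is an added example written for this post, not part of the SmartShare plugin; the site origin, the sample HTML and the vendor hostnames in it are constructed, and it runs under Node.js (which provides the global URL class).

```javascript
// Added example (not SmartShare's own code): report every <script src=...>
// on a page whose resolved origin is not the site's own origin, i.e. verify
// the "locally hosted third-party JavaScript" property.
// Assumed site origin; a real deployment would pass its own.
const SITE_ORIGIN = 'https://www.example.com';

// Returns [{src, origin}] for scripts not hosted on siteOrigin.
// Relative and protocol-relative srcs resolve against the site, so a
// locally hosted copy of a vendor file ("/js/vendor/plusone.js") passes;
// inline scripts (no src) are ignored.
function findRemoteScripts(html, siteOrigin = SITE_ORIGIN) {
  const ownOrigin = new URL(siteOrigin).origin;
  // Match a <script ...> tag and capture a double-quoted, single-quoted or
  // bare src value; [^>]* keeps the match inside one tag.
  const scriptTag = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const remote = [];
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const src = m[1] ?? m[2] ?? m[3];
    let resolved;
    try {
      resolved = new URL(src, ownOrigin + '/');
    } catch {
      remote.push({ src, origin: 'unparseable' }); // flag it rather than skip it
      continue;
    }
    if (resolved.origin !== ownOrigin) {
      remote.push({ src, origin: resolved.origin });
    }
  }
  return remote;
}

// Constructed sample page: two locally hosted scripts (one of them a reviewed
// copy of a vendor file) and one pulled straight from a third-party CDN.
const SAMPLE_HTML = `
<html><head>
<script src="/js/jquery.min.js"></script>
<script src="https://www.example.com/js/vendor/plusone.js"></script>
<script src='https://cdn.sharing-vendor.example/widget.js' async></script>
<script>window.shareConfig = {};</script>
</head><body></body></html>`;

console.log(findRemoteScripts(SAMPLE_HTML));
// -> [ { src: 'https://cdn.sharing-vendor.example/widget.js',
//        origin: 'https://cdn.sharing-vendor.example' } ]
```

Run it against the rendered HTML of the sharing page after each change; an empty result means every script the browser will execute is served, and therefore reviewable, from your own origin. The regex is deliberately simple and meant for a build-time check on your own markup, not for parsing arbitrary HTML.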

The Nuts and Bolts

We tried to find the simplest good solution for generating the plugin for the 4 major networks: Facebook, Google+, Twitter and LinkedIn.

Of the 4 networks above, only Facebook and Twitter provide an iframe implementation of their "Like" and "Tweet" buttons.

  1. Facebook "Like" button
    We took the iframe implementation of the Like button, as that is the best approach: it does not require installing the JavaScript SDK. More details can be found here.
  2. Twitter "Tweet" button
    Similar to the Facebook Like button, Twitter has an iframe implementation of the Tweet button. Using query string parameters, we customized the Tweet button's behavior for the scrolling and horizontal SmartShare tool. More details can be found here.
    Tweet Button Implementation Using an iFrame
  3. Google+ and LinkedIn
    Google+ and LinkedIn do not provide an iframe implementation, so we felt the safe option was to locally host the JavaScript that puts the button code on our sharing page. We tried wrapping the +1 button code in an iframe ourselves, but when you click the +1 button it displays a share dialog that is much larger than the +1 button itself. For this reason, if you put the +1 button code inside an iframe that is smaller than the share dialog, parts of the share dialog are cut off.

    The Google +1 button code is actually inside an iframe already. As you can see here, we locally host the plusone.js file to pull in the +1 code. When you inspect the elements inside the Google +1 button, you will see that the +1 code is populated inside an iframe.

    Google Plus one code within an iFrame

    After getting all the plugins together in one HTML div, we used the jQuery and jQuery UI libraries to position and scroll the SmartShare.
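The Facebook and Twitter steps above both come down to one pattern: put the page URL into the network's iframe endpoint and let the browser's origin boundary keep that widget away from the host page. The example below is added for this post and is not the SmartShare plugin's code; it builds those two iframes with the page URL validated and encoded, and adds the sandbox and referrerpolicy attributes as an extra hardening step the post itself does not mention. The endpoint URLs and query parameter names are modelled on the public Like and Tweet iframe buttons and are assumptions that may have changed; the Google+ and LinkedIn buttons, which the post loads from locally hosted scripts, are not covered here. Runs under Node.js (global URL class).

```javascript
// Added example (not SmartShare's own code): render the Like and Tweet
// buttons as isolated iframes. Endpoints/params are assumptions modelled on
// the public iframe button URLs; sizes are constructed.
const SHARE_NETWORKS = {
  facebook: { src: 'https://www.facebook.com/plugins/like.php',            param: 'href', w: 90,  h: 21 },
  twitter:  { src: 'https://platform.twitter.com/widgets/tweet_button.html', param: 'url',  w: 110, h: 20 },
};

// Only absolute http(s) URLs may be shared. Anything else (javascript:,
// data:, a relative path) is refused instead of being written into an
// attribute, since the page URL is often read from untrusted page state.
function assertShareableUrl(pageUrl) {
  const u = new URL(pageUrl); // throws on relative or malformed input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`refusing to share non-http URL: ${u.protocol}`);
  }
  return u.href;
}

// Minimal attribute-context escaping for values we place inside "...".
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// One iframe per network. The network name must be in the trusted set.
// sandbox: the widget may run scripts, keep its own cookies (login state)
// and open its share dialog, but cannot navigate our top-level page.
// referrerpolicy=strict-origin: the network learns our origin, not the
// full page path, unless we pass it explicitly in the query string.
function buildShareIframe(network, pageUrl) {
  const net = SHARE_NETWORKS[network];
  if (!net) throw new Error(`network not in the trusted set: ${network}`);
  const href = assertShareableUrl(pageUrl);
  const src = `${net.src}?${net.param}=${encodeURIComponent(href)}`;
  return `<iframe src="${escapeAttr(src)}" width="${net.w}" height="${net.h}" ` +
         `sandbox="allow-scripts allow-same-origin allow-popups allow-forms" ` +
         `referrerpolicy="strict-origin" title="${network} share"></iframe>`;
}

// The whole bar, ready to be positioned by jQuery UI as the post describes.
function buildShareBar(pageUrl, networks = Object.keys(SHARE_NETWORKS)) {
  const buttons = networks.map((n) => buildShareIframe(n, pageUrl)).join('');
  return `<div class="smartshare">${buttons}</div>`;
}

console.log(buildShareBar('https://www.example.com/post?id=1&x=2'));
```

Because each button is a separate document on the network's origin, nothing it does with its own script can read or rewrite the host page's DOM; the sandbox flags then trim what the embedded document may do with the top-level browsing context. Test the flag set against each network's widget before shipping, since a share dialog that needs a capability you removed will fail silently.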


This Isn’t 100% Secure

It’s important that you understand that SmartShare still has risks: it makes web service calls to the Google and LinkedIn libraries. Google and LinkedIn are reputable providers of software, but the security quality of the social sharing web services we are leveraging is unknown to us. That’s why this tool is not called “SecureShare”. One of our goals is to bring to light that the software supply chain is inherently hard to secure. We have made an effort with SmartShare. We want to highlight the risks associated with current methods of sharing and the reckless use of third-party JavaScript, and get people to think about less risky alternatives.
