- Open social apps have already been hacked.
- Open social is not really open yet; only the client API has been published so far. It allows iframe apps with JavaScript-based business logic (or should I say "social logic") to be put into open social containers such as orkut. Currently you have to join the waiting list to get notified when the server API specification gets published.
Standards devised by one tech company whose main purpose is to undermine another tech company usually don't work.
Time will tell ...
[Update:] Just after posting, I found more critical thoughts, by Julien Bond:
As a geek it pisses me off because there's absolutely no accountability or transparency in how those standards are developed. It's every bit as bad as MS trying to force the Word XML standard through the standards bodies. Google is something of a black box. There's no way to influence them. Stuff appears out of the black box fully formed.
And here is a detailed article about exploiting open social XSS vulnerabilities on ning.