The UpStream

IT Researcher Discovers Huge Facebook Exploit, Gets Account Disabled for His Efforts

posted Sunday Aug 18, 2013 by Nicholas DiMeo


We've talked about vulnerabilities a lot in the past, to the point where we had to recap all of them. Even though we haven't gone into a lot of detail about Facebook's security issues, the social networking giant also has its faults, to the point where they will pay you to find bugs, but only if you report them correctly. This is what Palestinian IT researcher Khalil Shreateh discovered this week, when he identified a major flaw in Facebook's security.

Shreateh reported to Facebook that it was possible to post on someone's wall without being friends with them. When the company dismissed his report with "I am sorry this is not a bug," Khalil took to Zuckerberg's wall to prove his exploit.

He posted a link to his findings, along with his story of what had transpired so far, and, within a handful of minutes, one of Facebook's lead security engineers responded to him, asking for further information about his discovery. However, what came next shocked some tech journalists, but is something I would not put past Facebook. Because Khalil took to the Zuck's page and posted the exploit there, after numerous email attempts, not only did Facebook temporarily disable his account, they also said they would not be paying him because of improper reporting methods. In an email to the researcher,

We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.

While Mr. Shreateh might not have the best English and grammar, his blog post lays out the exact issue he discovered, along with his best attempts at reaching out to the company, following what he understood of Facebook's procedures. It is clear, though, that he did not precisely outline his discovery in the first email, which may be what caused this whole thing to snowball.

In this thread on HackerNews, a Facebook employee chose to provide a bit of clarity on the subject.

We get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.

I get that, but perhaps Facebook should shell out the money anyway, at the very least. I mean, he was bold enough to take the exploit right to the Facebook page of the head of the company. That's pretty brave. You can check out the video of the walkthrough of the exploit after the break.

22 People Injured in LG Promotional Event for New G2 in South Korea

posted Sunday Aug 18, 2013 by Nicholas DiMeo


Sometimes, the tech world has some mishaps and usually nobody gets hurt. Unfortunately, this is not one of those times. In Seoul, South Korea, LG was holding a promotional event this week for their newest smartphone, the LG G2. As part of the event, there was a contest of sorts where people had to race for balloons which contained a voucher for a free G2. During that contest, 22 people were injured in the sheer pandemonium that ensued.

The Korea Times is reporting that some of the people in attendance were carrying BB guns and even one woman brought a very large, sharp-ended staff with her. The armed ones were apparently trying to steal the coupons from those who decided to play fair. Because of the unfortunate injuries that took place, LG will be covering all of the medical and hospital expenses for the affected patrons.

LG has since cancelled future promotional events related to their ad campaign for the G2. From their statement after the incident,

We canceled events offering free G2 smartphones that had been scheduled in major cities nationwide, including Busan, due to safety concerns. We will provide (the injured) with proper medical treatment as we are responsible for the event

Bloggers at the event have reported that "only some 20 security guards" were on-hand working for LG and perhaps the company could have "placed more security personnel" at the event, which was promoted heavily through the various social networks and media sites.

You can hit the break to see a Korean news report showing the excitement and even some of the weapons.

Chrome Set to Replace Firefox as #2 Browser - Maybe

posted Saturday Aug 17, 2013 by Scott Ertz


For the second time in 14 months, Google's Chrome browser is close to overtaking Mozilla's Firefox as the second most used desktop browser in the world. The last time, in July 2012, Chrome came within 0.1% of Firefox's market share, but was unable to keep its gains. In fact, Net Applications, the organization whose data is most often used for these stats, erroneously called Chrome the winner, Al Gore-style.

This time around, however, it is a battle over which browser is losing less market and not about who is gaining more. In July, Firefox lost a whopping 11% of its market and Chrome had a minor gain to 17.8%, up 2 points, which is its highest rank since October. Between October and July, Chrome had seen a rollercoaster of ups and downs, never staying as steady as Firefox.

Almost all of Chrome's and Firefox's losses have gone to Microsoft's Internet Explorer, whose versions 9 and 10, both available on Windows 7, have seen a resurgence of sorts. IE has climbed almost 3 points, landing at 56.6 percent of all desktop browsing. This has been fairly consistent growth since its low of 51.9 percent at the end of 2011.

If the recent trends were to continue, Chrome would overtake Firefox this month for the second spot. If you look at the past 12 months, however, the handoff will have to wait until April 2014.

It is important to note how these stats are calculated. Net Applications calculates their usage based on unique visitors on standard desktop computers. This means Windows, MacOS and standard builds of Linux are counted; Windows Phone, iOS and custom Linux builds, such as Android, webOS and Firefox OS are not counted. In combining mobile browsing into the mix, Google takes a 2 point lead on Firefox.

StatCounter, however, calculates its figures based on page views and, by that measure, Chrome is the top browser, even ahead of Internet Explorer. This suggests that users of the other browsers spend significantly less time on the web than Chrome users do, on any platform. This is important to know, as targeting software to a browser requires knowing who your userbase is.

Games for Windows Live Closing, Focus on Xbox for Windows 8

posted Saturday Aug 17, 2013 by Scott Ertz


In addition to Microsoft's plans to retire Microsoft Points this week, the company has also announced that it will retire the Games for Windows Live marketplace on the same day, August 22. Microsoft has been working hard to unite their brands as well as focusing on their core businesses, and non-Windows 8 gaming under a non-Xbox brand is, apparently, not one of them.

Of course, this is going to open up many concerns about currently owned games. The good news is, I have that information for you. If you have purchased a game through the marketplace, you will still be able to download and play those games going forward. You will no longer be able to purchase new games from the marketplace, however.

Obviously, many of the games that are currently available through the marketplace are also available through other distribution channels, such as Steam or Amazon. Those games will, of course, continue to be available through those stores. Any games that are Microsoft exclusives will not be available through other distribution channels. If you are interested in any of those titles, you will need to purchase them this week. If any of the games you have purchased that you continue to play after the shutdown have DLC available, it will be the responsibility of the publishers to make that content available, either in-game or through other means.

This is probably a sign of the consolidation of all of the entertainment brands under the Xbox moniker, plus the emphasis on Xbox in Windows 8. The experience across Windows 8 and Xbox is certainly more integrated and seamless, even incorporating those highly sought after casual gamers. With titles ranging from AlphaJax (similar to Words with Friends) to Halo, the range available is much broader than that of Games for Windows Live. Hopefully for Microsoft this move will not turn out to be a mistake that only strengthens Steam.

Icahn Loses Case to Stop Dell Buyout Rule Changes

posted Saturday Aug 17, 2013 by Scott Ertz


Michael Dell's plans to take the company that bears his name private have not gone his way. First, after he announced his plans, customers grew concerned that a wrong move could end the company. Enterprises that have relied on Dell's low-end hardware to run mission critical applications were forced to consider alternatives. In addition, certain investors, most vocally Carl Icahn, objected to the plan, suggesting it was not in the stockholders' best interests.

Mr. Icahn made a lot of noise about his objections, gathering enough support to concern Michael Dell and the board of directors. In response, Dell increased his offer, but required a change to the voting rules. As they stand, the rules state that unvoted shares are counted as a "no" vote.

With the expectation that as many as 25% of all shareholders would not respond, that would allow a vocal minority of shareholders to block the plan. The change requirement would scrap unvoted shares, only counting those that are legitimately returned. Icahn filed a suit against the board, trying to prevent them from allowing the voting rules to change. Obviously he was counting on this loophole to get his way.

Unfortunately for Icahn, a judge this week denied his request to expedite the suit. This means that the hearing will take place after the vote and there is nothing legally that he can do about it. His only option at this point, as the judge points out, is to outbid Dell and Silver Lake Partners.

Comcast Confirms Prenda Planted Torrents

posted Saturday Aug 17, 2013 by Scott Ertz

It has been two months since The Pirate Bay accused Prenda Law of planting torrents on its site in order to sue. As The Pirate Bay had suggested, Comcast has confirmed that site user Sharkmp4 is actually John Steele, founder and head of the copyright troll Prenda Law.

As it turns out, the company was running a honeypot scheme in which it would upload and seed torrents for content that it owned and then sue the users who downloaded it. Leaders at TPB searched through backups of data to reveal IP addresses used by Sharkmp4 and encouraged other groups to cross-reference the address information against their own databases.

At the time, the IPs were connected to users on several other sites, some of which wrote positively about anti-piracy policies. This was enough information for a judge to allow the discovery process in the AF Holdings v Patel legal battle, and Comcast was subpoenaed for data regarding the IP address in question. Comcast was able to link the address to Steele Hansmeier PLLC, which is obviously attached to Prenda through none other than John Steele, whose name appears as the account holder.

This is not the only subpoena out there in the case, but it is an important one. Being able to prove that Prenda set up the scheme ruins their credibility and also shows that they are not actually interested in protecting their intellectual property, but are instead pursuing a business model of legal battles against torrent users. Probably not a successful long-term strategy, especially if the whole thing is a setup.
