Facebook

Skype And Dropbox Fix Redirect Security Hole That Could’ve Hacked Your Facebook

Nir Goldshlager just saved your identity. One of the world’s top white hat security researchers, Goldshlager this week helped Skype and Dropbox fix a critical security flaw that could have let hackers take control of their users’ Facebook accounts. Tomorrow Goldshlager will detail how he found the exploit, but he gave TechCrunch the early heads up. Here’s how hackers exploit the hole.

First the good news. Since it was reported responsibly, it appears that no one fell victim to this flaw, known as an “open redirect vulnerability.” The issue essentially occurs when a website doesn’t validate the URL where it sends a user and their access tokens. Normally sites verify that the URLs they send you to are either owned by them or one of their trusted partners. But if they don’t, a hacker who knows someone’s user ID and that they’ve granted permissions to a vulnerable site could visit http://www.MySiteIsVulnerable.com?UserID55555redirect=www.MaliciousSite.com and steal that person’s access tokens, allowing them to take actions as if they were the hacked user. Naughty identity thieves.

In this case, both metrics.skype.com and Dropbox.com were failing to validate redirects, leaving them vulnerable. To be exploited, a hacker would first need to know someone who had connected their Facebook accounts to one of these sites, say metrics.skype.com. Then they could find that person’s Facebook User ID through the Graph API explorer. If the hacker then punched in the right metrics.skype.com… URL with the user ID attached, followed by a redirect to a malicious site they control, Skype would deliver the victim’s Facebook access token. This would let the hacker do anything the user had granted Skype the ability to do, such as post to their wall, pull their personal information, and more. There is no faster way to get unfriended than by spewing spam.

Goldshlager discovered this flaw, but rather than exploit it himself or publish it for other hackers to use, he responsibly reported it to Skype, Dropbox and Facebook, who’ve all confirmed it’s now fixed. In Skype’s case, the issue was actually with one of its partners that builds software for the app, which they fixed together. Though the bug wasn’t Facebook’s fault, the company tells me:

We applaud the security researcher who brought this issue to the attention of the affected organizations and for responsibly reporting the bug to our White Hat Program. These bugs were triggered from open redirect vulnerabilities in domains that were authorized for OAuth. While not a Facebook bug, we have and will continue to work with our OAuth partners to prevent this exploit. Due to the responsible reporting of this issue to Facebook and the affected companies, we have no evidence that users were impacted by this issue.

The whole situation is nothing new for the Israeli security researcher. Goldshlager has been on the top of Facebook’s White Hat ‘Thank You” list for the last two years because he’s reported more bugs than anyone else. He also just started a White Hat security company called Breaksec that helps clients find bugs before crooks do.

Oh, and the guy keeping you safe on the web also has an awesome name. So this drink of spicy cinnamon Schnapps is on us, Mr. Goldshlager. Keep hacking for good.

[Image Credit: elhombredenegro / Flickr]

50 days ago • Google Reader • Tags: dropbox, Facebook, Security, skype, Social, TC

Skype and Messenger Coming Together: The Next Chapter

Skype is known around the world for helping people stay close whenever they’re apart. It makes us proud that more than 280 million people choose Skype to connect with their loved ones and colleagues every month.

We love the opportunity to help more people laugh, gossip, share stories or just spend time together. That’s why we’re excited about welcoming Windows Live Messenger users to Skype. Last November, we announced that Messenger and Skype are coming together with the option to sign in with a Microsoft account.

We want everyone who uses Messenger to have a positive experience. Upgrading to Skype can help you communicate in flexible ways, and be connected on more devices and platforms including Windows, Mac, iOS, Windows Phone, Android and soon Blackberry.

The upgrade from Messenger to Skype on Windows desktop will start on April 8*. The process will take a few weeks to complete. We’ll start the upgrades with our English language clients, and finish up with Brazilian Portuguese on April 30 or later.

Skype offers many features Messenger users know and love such as emoticons, group instant messaging, and screen sharing, and we think you will discover many other advantages of using Skype:

Instant message conversation history
The ability to edit and remove instant messages
Being able to share files and contact information
Video calling and instant messaging with Facebook friends
Group video calling

We’re continuing to share ways Messenger users can learn more about Skype, like this tutorial of a Messenger user getting to know how to use Skype including its instant messaging experience.

As Messenger users upgrade to Skype on their desktops, we also encourage them to download Skype on their mobile devices, and sign in with their Microsoft account to check out all that Skype has to offer. For more help on upgrading to Skype, please visit the Skype Support site. We would love to hear your feedback–select the “Give Feedback” link in the Skype Help menu to tell us what you think.

*With the exception of mainland China where Messenger will continue to be available.

97 days ago • Google Reader • Tags: Big Blog, chat, contacts, Facebook, file sharing, group video calling, IM, instant messaging, skype, Skype + Messenger, Windows Live Messenger

Facebook tries ‘buy tickets’ button on events, but links offsite

Facebook is testing new “buy tickets” buttons on events, but these buttons send users to other sites around the web and do not allow users to conduct transactions directly from an event page.

Previously, event organizers could list a site for users to buy tickets from, but that site would appear on an event page as a small bit.ly link. Facebook tells us that now it is trying more prominent buttons that direct users to wherever event tickets are being sold. These buttons appear in the info section of an event, in a user’s upcoming events section and in News Feed stories about the event, as seen in the screenshots below.

This design change could lead more users to purchase tickets after discovering an event on the social network, making Facebook Events more valuable to event organizers. Some have wondered whether the “buy tickets” button is an indication that Facebook will get into the ticketing business. Although possible, this might not be what the company is looking to do right now. Instead of diverting resources to build an entirely new business, it could make improvements to events that help its existing ad business. If the social network can make events more viral and help them better convert into ticket sales, then businesses and organizations would be more likely to buy Facebook ads to promote them.

By adding the “buy tickets” button to News Feed stories about the event, users will be able to visit a purchase page directly from an ad. Facebook gets paid for the click and advertisers can easily track their conversions.

In addition to the “buy tickets” button, we’ve recently seen Facebook encouraging users to invite their friends or post about an event after they RSVP. Facebook has also been including suggested events in News Feed.

Facebook could also be testing “buy tickets” buttons to gauge user interest and demand for a way to purchase tickets directly from the social network. If a lot of people start clicking the button, it might be an indication that Facebook could offer value — and earn revenue — by getting into the ticketing business. Another option is that down the line, the company could partner with existing ticketing platforms and begin taking a percentage of sales that originate through Facebook Events. In 2010, it seemed Facebook was working on such a partnership with Eventbrite, but that never came to fruition.

Any Facebook page that creates an event can add a link for tickets, which will create a “buy tickets” button on their event page. However, when individual users create an event, they do not have the option to add a ticket link.

Thanks to Blink VP Planning and Media Eti Suruzon for the tip

101 days ago • Google Reader • Tags: events, Facebook, Featured, tickets

Facebook Promises to Break Things Only Four Times a Year

The world’s largest social network gets a bad rap for changes to its Facebook API. Developers complain that their apps break and even called it the most broken API in a survey. Yet the company has worked to change that and today vowed to only announce “breaking changes” every quarter. You’ll only need to scramble to fix your app four times per year.

The news was given top billing in Facebook’s the latest announcement post:

In 2011, we committed to a 90 day breaking change policy, which provided developers with 90 or more days to update their apps. Today, we are excited to announce that we’re going to start bundling breaking changes on a quarterly basis.

In the past, a developer impacted by multiple breaking changes may have needed to update their apps each month. Going forward, changes will be announced at the same time each quarter to make it easier for you to plan for changes and build higher quality apps.

The “operation developer love” posts began in 2011 as a way to communicate better with developers. Each post includes breaking changes, bug reports, bug fixes and sometimes new features. Now that the breaking changes are down to quarterly, expect those lists to get pretty long. Already some months were full of breaking changes.

Related ProgrammableWeb Resources

Facebook API Profile, 389 mashups

140 days ago • Google Reader • Tags: Facebook

The Year in Facebook Acquisitions 2012

Facebook bought or “acqui-hired” more than a dozen companies this year, including Instagram, the largest acquisition in the company’s history. Like last year, bringing on mobile talent was clearly a focus for the social network in 2012.

In addition to the $521 million it spent on Instagram, the company reported spending $87 million on other business acquisitions between Jan. 1 and Sept. 30. Information about the rest of the year won’t be available until the company’s Q4 earnings are released. In 2011, Facebook spent only $68 million on a similar number of acquisitions.

Below we’ll review this year’s acquisitions and acqui-hires. We also looked to Facebook’s filings with the Securities and Exchange Commission for hints on what the social network paid companies in stock.

Momentus Media

Facebook acqui-hired a co-founder of viral brand marketing agency Momentus Media, which was behind campaigns for Levi’s, LMFAO and Taio Cruz. Chris Turitzin joined the Facebook growth, engagement and mobile team while Momentus itself continues on under co-founder Carina Koo. The company grew out of the Facebook’s original fbFund, which was backed by Accel Partners and Founders Fund and run by super-angel Dave McClure.

Instagram

Facebook’s marquee acquisition was announced in April, but because of the $1-billion price tag, the deal took time to clear regulatory hurdles. With more than half the offer in shares of Facebook stock, the deal ended up being worth closer $715 million when it closed in September. The mobile photo sharing network continues to operate under the Instagram brand, but its 16 employees joined the team in Menlo Park, Calif., and Facebook now supports the app with infrastructure and engineers, among other business needs.

Tagtile

Just a few days after the Instagram deal was announced, Facebook acquired the team and most of the assets of Tagtile, a mobile-based customer loyalty management startup. The company created the Tagtile Cube, which merchants place at their checkout counter. When customers make a purchase in-store, they tap their smartphone against the Tagtile Cube and earn rewards. Merchants can access data from the Cube online, and use the information to target messages back to their customers. The service was shut down, and we haven’t yet seen what the Tagtile co-founders have ended up working on at Facebook.

According to regulatory documents, on the day the acquisition was announced, Facebook issued 40,000 shares of Class A common stock to four individuals in connection with its purchase of certain assets from a company, which may have been Tagtile.

Glancee

In early May, Facebook acquired Glancee, an ambient mobile location app that alerts users when people with similar interests are nearby. Similar to Highlight, which was getting a lot of attention at the time, Glancee’s iPhone app let users sign in with Facebook, and then it would show users other people who have things in common with them within a certain radius. Facebook tested a Find Friends Nearby feature after a Hackathon, but this seemed to be independent from Glancee and the company never rolled it out widely.

On the day the acquisition was announced, Facebook issued 36,826 shares of Class A common stock as consideration to eight individuals in connection with its acquisition of all the outstanding shares of a company, which may have been Glancee.

Lightbox

Facebook hired the seven-person team behind Android photo-sharing app Lightbox. The app, which was similar to Instagram, was shut down in mid-May when the deal was announced.

Karma

Facebook acquired the mobile gifting and commerce service Karma in May on the same day it began public trading on the NASDAQ. By the end of September, the team launched Facebook Gifts, which offers similar functionality but is built into Facebook’s mobile and desktop experiences. As it enables users to buy physical and digital goods for their friends, this acquisition has the clearest opportunity for return on investment. According to regulatory filings, Facebook issued 1,099,986 shares of Class A common stock as consideration to 29 individuals and 12 entities in connection with the acquisition. At today’s share price of $26.05, that’s more than $28.6 million.

Bolt Peters

Also in May, Facebook hired the team behind the San Francisco-based user experience research and design firm, Bolt Peters. The company, co-founded by CEO Nate Bolt in 2002, had done design work for Twitter, Zynga, Pandora and dozens of other well known clients.

Pieceable Software

Facebook hired the three people behind Pieceable Viewer, which is software that allows developers to demo their iOS apps on the web. The company said its viewer would be available until Dec. 31, and an open source version would be offered to developers.

Face.com

Facebook agreed to acquire facial recognition technology company Face.com in June. The Israeli company removed its apps from the App Store and shut down its APIs in July. Based on regulatory filings, Facebook seems to have granted 809,923 shares of Class A common stock to 13 individuals and 11 entities in connection with the acquisition. At today’s price of $26.05, that’s more than $21 million.

Spool

In July, Facebook hired the five-person team behind Spool, a social bookmarking service that makes web content available for offline viewing on mobile devices. Later that month, Facebook tested a new option for users to save posts in mobile and desktop News Feed for later viewing, but that project seemed to be independent from Spool and so far hasn’t rolled out widely.

Acrylic

In late July, Facebook hired designer and engineer Dustin MacDonald, who was behind Acrylic, a development studio that makes iOS and Mac software, including news reader Pulp and secure database app Wallet.

Threadsy

In August, Facebook acquired San Francisco-based Threadsy, which offered a Klout-like service called Swaylo to connect brands and influencers. Some of that product remains, including SwayloPro, which continues to operate as an independent company owned by its current investors.

Carsabi

Facebook hired Dwight Crow and Christopher Berner, the team behind used car price comparison site Carsabi. Notably, Crow appeared on the Bravo reality show “Start-Ups: Silicon Valley.” The Carsabi site itself was sold to social search company Ark.

147 days ago • Google Reader • Tags: Acquisitions, Facebook, Featured

Turn off Facebook apps permanently

If you are not using Facebook for the apps and games the service makes available, but for staying in contact with a couple of close friends, colleagues and family, you may not like the constant invitation bombardment where someone invites you to join the latest social game or application on the social networking site.

If you see more “invited you to try” notifications on Facebook than anything else, you may want to consider turning off your ability to use Facebook apps, games and websites permanently. Keep in mind that this drastic step will also prevent you from using Facebook to sign in or up on third party websites that are offering Facebook users the option to authorize using their Facebook login credentials.

To turn of apps on Facebook do the following:

Open the Facebook website and log in to your account.
Click on the down arrow icon next to the Home link in the top bar and select Privacy Settings from the context menu.
Locate Ads, Apps and Websites and click on Edit Settings next to it.

You should now see the Apps you use listing at the top.

Below the apps and services listing, which should either be empty or only include apps and websites that you do not mind removing access to, is the following option:

Turn off your ability to use apps, plugins and websites on and off Facebook. After you turn this off, we will not store information about you when you use apps or websites off Facebook.

A click on Turn off displays an overlay image on the screen that provides you with additional information about the consequences of turning off the platform on Facebook:

If you turn Platform off you can’t use the Facebook integrations on third party apps or websites. If you want to use these apps and websites with Facebook, turn Platform back on.
Using Platform allows you to bring your FAcebook experience to the other apps and websites you use on the web and to your mobile device and apps. It allows Facebook to receive information about your use of third party apps and websites to provide you with better and more customized experience.
If you turn off Platform apps:
You will not be able to log into websites or applications using Facebook.
Your friends won’t be able to interact and share with you using apps and websites.
Instant personalization will also be turned off

A click on turn off platform turns it off on Facebook. While you can turn it back on at a later time, all data that was previously available before you did turn it off won’t be available anymore.

166 days ago • Google Reader • Tags: Facebook

Facebook Could Slow Down A Tiny Bit As It Starts Switching All Users To Secure HTTPS Connections

When you’re dealing with 1 billion people’s personal info, security is critical. But Facebook didn’t want to sacrifice speed. That’s why it spent the last two years making infrastructure improvements so that its transition of all its users to HTTPS which starts this week will “slow down connections only slightly.” People will be able to opt-out of HTTPS for maximum speed if that’s how they roll.

Facebook has long employed HTTPS (Hypertext Transfer Protocol Secure) to protect users when they submit their username and password to login. HTTPS prevents man-in-the-middle attacks and eavesdropping.

In January 2011, though, it started allowing people to opt in to have all their Facebook browsing encrypted in HTTPS. At the time it warned “Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS.”

Still, Facebook said that “We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.” Flash forward nearly two years to today, and its ready to fulfill that burning desire for security. A Facebook Developer Blog post from a few days ago announced “this week, we’re starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world.”

I immediately wondered if that would make loading the news feed or peeping photos more sluggish. So I spoke with Facebook’s security policy manager Frederic Wolens to see what would happen to site speed, and here’s what he told me:

“It is far from a simple task to build out this capability for the more than a billion people that use the site and retain the stability & speed we expect, but we are making progress daily towards this end. This may slow down connections only slightly, but we have deployed significant performance enhancements to our load balancing infrastructure to mitigate most of the impact of moving to HTTPS, and will be continuing this work as we deploy this feature.”

So yes, there will be a slight slow down. Facebook’s HTTPS is going to be a lot faster than it could have been thanks to engineers who rolled up their sleeves, but we’ll be monitoring for complaints just to make sure this is the case. For reference, Google moved Gmail to HTTPS in January 2010.

People who aren’t too concerned with their security might not be too excited about getting switched to HTTPS. And if they insist their connection is secure and wants to browse Facebook as fast as possible, the company confirmed to me that they’ll have the option to opt out of HTTPS through their Account Security settings.

But protecting people who use the default settings is why this is an admirable decision by Facebook. It’s priority is security. It might not be as sexy as blazing speed, but a hacked user is an unhappy user. Lots of people access Facebook from public wi-fi and public computers. Persistent HTTPS makes sure they’re not getting snooped on.

Facebook could have kept HTTPS as opt in. Faster browsing leads to less frustration, longer session lengths, and more ad views. Unfortunately, the people who are the least security savvy and therefore most vulnerable are probably the least likely to voluntarily enable HTTPS.

Personal info-driven business models like Facebook’s are built on trust. It needs users to feel secure enough to keep donating their data, and that’s why this little green lock could turn into greenbacks over time.

186 days ago • Google Reader • Tags: Facebook, Security, Social, TC

Facebook tests share button on mobile touch site

Facebook is testing a share button on its mobile touch site, m.facebook.com, we’ve found. Along with this are more prominent Like and comment buttons. [Update 11/14/12 12:47 PM PT - A Facebook spokesperson confirms to us that they have begun a slow rollout out the share feature.] The share button is one of the most commonly requested features for Facebook’s mobile apps. When we asked about it in August, the company said there was no technical hurdle that made a share button difficult to implement on mobile. Facebook simply never made it a priority. Now it appears to be in testing on the mobile web, which means it could come to the native iOS and Android apps soon. Page owners are likely to see an increase in shares once the feature rolls out to all mobile users. This will help their posts get additional reach. The share button is also an additional way that users can engage with a Promoted Post or Page Post Ad in the mobile feed. The share option appears as a large button in News Feed and as a smaller call to action when users click to view a post, as seen below. From what we’ve seen, the share button does not appear on every post but it’s unclear whether or not this is a bug. There does not seem to be any pattern to whether a share button appears on post. The type of post or privacy settings may have something to do with it.

Previously, the only share option available on mobile was for links and the button only appeared when users viewed a site in the Facebook browser and clicked for more options in the top right corner. There was no way for users to quickly share a photo, status update or other posts.

When users tap the share button, they are taken to a dialog that previews the item they’re about to share and allows them to add a comment or change their privacy settings for the post.

190 days ago • Google Reader • Tags: Facebook, Mobile, Share

This Facebook “All” Link Let You See An Almost Unfiltered News Feed, Until Facebook Shut It Down

Facebook filters the news feed so you only see the 15% or so of stories it thinks you’ll find most interesting. But a newly discovered “All” link would show you almost everything posted by your friends and Pages you Like, Twitter style. Update: That is, until Facebook shut it down around 5:30pm today.

Facebook confirmed to me this morning that http://www.facebook.com/?sk=nf_all ”is an old link that allows you to access your news feed operating on an earlier version of our ranking algorithm.”

First spotted by Tom Waddington, the All feed could have made sure Facebook addicts never miss a photo or funny status update, and get marketers more eye balls. However, Facebook stressed that “This feed does not show all posts”, and since it was an “old link”, there was a good chance it could get shut down soon. And now it has been. If you visit the link, you’ll just see the normal, filtered version of your news feed.

Years ago, Facebook offered a near-firehose real-time stream you could toggle to from the home page called “Most Recent”. Based on Facebook’s statement, that might be what this link used to bring up. But since it didn’t deliver as compelling stories to the average user, Facebook ditched it in favor of a heavily filtered feed. That’s great for making sure you see the most Liked updates by friends since you last logged on. However, it can show the same updates over and over again to people who visit Facebook all the time.

Facebook tried to appease power users by returning the “Most Recent” toggle switch, but it actually still filters out a lot. So if you couldn’t get enough of what your friends and favorite brands were doing, you could check out ” https://www.facebook.com/?sk=nf_all “. But since this seems to have been something Facebook used internally and that wasn’t meant for public consumption, it shut it down.

Here’s how it worked. Though it didn’t automatically refresh with updates, it would show you a reverse chronological stream of almost every news feed post by friends and Pages starting with a few seconds ago. Judging by my initial scans of the All feed, you’d also see plenty of wall posts, new friendships, Page Likes by friends, Event RSVPs, “Trending Articles” boxes, and more.

You’dsee some stories from apps, such as a friend Liking photos on Instagram, or two friends listening to the same artist on Spotify. However, the All feed wouldn’t show you every song every friend listened to, and you won’t see every time a friend Liked or commented on someone’s status. Otherwise it’d be so cluttered that real posts to the feed would get drowned out.

There’s been a ton of controversy about Facebook Pages not being able to reach their fans with every update they post. Brands might not dig it, but that filtering makes the feed better. If people want to see more of the posts by Pages they Like, they can still try the separate Pages feed which shows the best ones but not every single update. That option could excite marketers who get big traffic and awareness boosts when people see their news feed posts.

Most important, though, was the potential for the All feed to draw even more time-on-site/app from hardcore Facebook users. It meant you didn’t have to worry about browsing a feed of reruns. Some people might have used it as a dashboard to keep up with everything going on in the lives of friends, while others could have used it as a real-time news source that could even compete with Twitter.

Why wouldn’t Facebook just make this easily accessible? Because each story in the unfiltered feed was less likely to seem interesting to the average person. It could also have confused Facebook novices. I think hiding it in the drop-down news feed sorting button on the web and the gear icon on mobile would have been a nice hat tip to Facebook’s hungriest users, but alas, it is no more.

The All feed may have been quite taxing on Facebook’s servers, and not what Facebook wanted people to see, so like a broken fire hydrant sprinkling water in the street, it wasn’t long after the fun started that it got shut off.

Have you heard this myth? We busted it. Killing Rumors With Facts: No, Facebook Didn’t Decrease Page Feed Reach To Sell More Promoted Posts

192 days ago • Google Reader • Tags: Facebook, Social, TC

Facebook redesigns Friendship pages like Timeline

Facebook friendship pages are here for a while, they are buried in somewhere and left with the old Facebook design. They do not blend with the current timeline design, but this is going to change as Facebook redesigned the friendship pages to Timeline design.

Facebook friendship pages existed since 2010 but many people don’t know about this. They include mutual friends, common posts, photos and events you have attended with that friend. Of course the information showed here will depend on the friends privacy settings. You will have friendship pages for everyone in your Facebook friends list. To see the friendship pages go to any friend page, click settings and see friendship. If you have updated your relationship with someone, then you can go to facebook.com/us to see the friendship page.