akkiliON
Active Members
Posts: 1177
Days Won: 46

Everything posted by akkiliON

  1. We're comfortable sharing information with our Facebook friends, but it is quite sneaky for Facebook users to hand over their identities and credentials when logging in to third-party apps they don't trust. To deal with this issue, the social network giant plans to improve the way users log in to third-party apps, with more privacy controls on the web as well as on mobile devices.

ANONYMOUS LOGIN

At Facebook's F8 developer conference in San Francisco on Wednesday, keynote speaker and Chief Executive Mark Zuckerberg announced Facebook's new login tool, "Anonymous Login", which would let users sign in to apps and websites anonymously without sharing their personal information: the biggest news for Facebook users. "Today, we want to do more to put control and power back into people's hands," Zuckerberg said at the conference. "Up until now, your friends have been able to share your data via using apps. Now we're changing this, so everybody controls how their data is shared with apps, even ones others are using."

USERS' TOTAL CONTROL OVER APP PERMISSIONS

Another new feature Facebook is rolling out in the next few months will also give you total control over exactly what information you would like to share with each individual third-party app. Facebook is also planning to limit the ability of third-party apps to read the content shared between users and their friends. This new privacy feature will let users choose whether third-party apps will be able to access their information when a friend logs in with Facebook. "With the new Login, I can sign in on my own terms. I can uncheck boxes I don't want to share. We've heard very clearly about how you want more control with how you're sharing with apps, and this new Login gives you that control."

Video: http://pdl.vimeocdn.com/72220/556/248628807.mp4?token2=1399402431_7a776803cd8b2985c9dc10d71cb667fa&aksessionid=aef4dea1f66509d1

Once users have decided a Facebook app is trustworthy, they can connect it to their profile and allow, say, the posting of automatic status updates, or access to other parts of an account. In addition to Anonymous Login and better controls over app permissions, Facebook is also going to redesign its app permissions dashboard, making it much easier for users to edit the permissions they have granted to their apps. "At Facebook, we serve a lot of groups, including developers, advertisers, and employees, but the most important group we serve is the people who use our products," Zuckerberg said. "And we must always put those people first. People want more control over how they share their information, especially with apps, and they want more control over how apps share their data."

Video: http://pdl.vimeocdn.com/55811/181/248628207.mp4?token2=1399402721_edef7fbf0ff515c73f0d3d4345995441&aksessionid=e6e1b1c0cdf1ba32

PLANS FOR ADVERTISERS & APP DEVELOPERS

Addressing the developers, Mark Zuckerberg said the tool would let Facebook users feel freer and more comfortable about signing in to more apps using Facebook, and moreover this new feature will let more and more people try out new apps. "By giving people more power and control, they're going to trust all the apps that we build more, and over time use them more. And that's positive for everyone," said Zuckerberg. For advertisers and app makers, the company has also announced a new mobile ad product dubbed "Facebook Audience" that will let app developers insert ads from Facebook's more than 1 million advertisers into their own apps and then split the revenue; it is now open for registration. For the rest of Facebook's developer audience, the social network promised not to break things anymore, a dramatic switch from its founding motto of "Move fast and break things."

This new move by the popular Internet giant is a conscious effort to get users more comfortable with sharing their information at a time when privacy concerns and security breaches abound, and it shows Facebook cares about your privacy. The engineers at Facebook are testing Anonymous Login with a few developers for now, and after the testing period it will be widely available to all developers "in coming months." Source: http://thehackernews.com/2014/05/facebook-anonymous-login-third-party-apps.html
  2. I'm happy even with that much.
  3. #Update: https://bugbounty.att.com/hof.php
  4. Reading a 'Note' created by anyone on Facebook could trick you into automatically carrying out malicious attacks against others without knowing it. A security researcher, Chaman Thapa, also known as chr13, claims that the flaw resides in the 'Notes' section of the most popular social networking site, Facebook, and that it could allow anyone to launch a distributed denial-of-service (DDoS) attack of more than 800 Mbps bandwidth on any website. While demonstrating the vulnerability on his blog, he explained that Facebook allows its users to include tags inside a post in order to draft a note with beautiful related images from any source. Facebook basically downloads external images from the original source the first time only and then caches them, but if the image URL has dynamic parameters, then the Facebook cache mechanism can be bypassed to force Facebook's servers to download all included images every time anybody opens the note in a browser. "Facebook will only cache the image once; however, using random GET parameters the cache can be bypassed and the feature can be abused to cause a huge HTTP GET flood," he said.

DDoS FACTOR, A SCENARIO

This way one can force Facebook's servers to load a 1 MB file 1000 times in one page view, and if 100 Facebook users are reading the same crafted note at the same time, then Facebook's servers will be forced to download 1 x 1000 x 100 = 100,000 MB, or 97.65 GB, of bandwidth within a few seconds from the targeted servers.

400 MBPS DDoS ATTACK DEMO

The factor and danger of the DDoS attack could be even higher when the image is replaced by a PDF or video of larger size, in which case Facebook would crawl a huge file but the user gets nothing.

Facebook allows a user to create a maximum of 100 Notes in a short span of time, and each Note can support more than 1000 links, but because there is no CAPTCHA for Facebook Notes creation, all of this can be performed automatically, and an attacker could easily create hundreds of notes using multiple users at the time of the attack. "It seems there is no restriction put on Facebook servers and with so many servers crawling at once we can only imagine how high this traffic can get," he concluded.

STILL UNPATCHED AND DON'T EXPECT ANY PATCH FROM FACEBOOK

Unfortunately, Facebook has no plans to fix this critical vulnerability. "In the end, the conclusion is that there's no real way to us fix this that would stop attacks against small consumer grade sites without also significantly degrading the overall functionality," Facebook replied to the researcher. A similar kind of attack was noticed in mid-2011, when a penetration tester at the Italian security firm AIR Sicurezza Informatica discovered flaws in Google's Plus servers that allowed hackers to exploit the search giant's bandwidth and launch a distributed denial-of-service (DDoS) attack on a server of their choice. Source: http://thehackernews.com/2014/04/vulnerability-allows-anyone-to-ddos.html
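The cache-bypass mechanism described in post 4, as an added example that is not part of the original post, of the article it reproduces, or of Facebook's own code: a toy link-preview fetcher that caches on the raw URL (so every random GET parameter is a cache miss and a fresh request to the target), next to a hardened fetcher that normalises the cache key and caps uncached fetches per target host while a note is rendered. The host victim.example, the allow-list KEEP_PARAMS, the budget of 10 fetches per host and the constructed note URLs are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
import random

# Hypothetical allow-list: only these query parameters are treated as
# changing the image bytes; anything else is cache-busting noise.
KEEP_PARAMS = frozenset({"w", "h"})


class Origin:
    """Stand-in for the targeted web server. It only counts the fetches it
    receives, which is the quantity an amplification attack drives up."""

    def __init__(self):
        self.requests = 0

    def get(self, url):
        self.requests += 1
        return b"\x89PNG constructed image bytes"


def cache_key(url):
    """Normalise a URL so that junk query parameters collapse onto one key."""
    p = urlsplit(url)
    kept = sorted((k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
                  if k in KEEP_PARAMS)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/",
                       urlencode(kept), ""))


class NaiveFetcher:
    """Caches on the raw URL, so every distinct ?r=... value is a miss."""

    def __init__(self, origin):
        self.origin, self.cache = origin, {}

    def fetch(self, url):
        if url not in self.cache:
            self.cache[url] = self.origin.get(url)
        return self.cache[url]


class HardenedFetcher:
    """Caches on the normalised key and caps uncached fetches per host while
    a note is rendered, so one crafted note cannot multiply load on a host."""

    def __init__(self, origin, per_host_budget=10):
        self.origin, self.cache = origin, {}
        self.per_host_budget = per_host_budget
        self.spent = defaultdict(int)   # uncached fetches issued per host

    def fetch(self, url):
        key = cache_key(url)
        if key in self.cache:
            return self.cache[key]
        host = urlsplit(url).netloc.lower()
        if self.spent[host] >= self.per_host_budget:
            return None                 # refuse rather than hit the origin again
        self.spent[host] += 1
        self.cache[key] = self.origin.get(url)
        return self.cache[key]


def crafted_note(links, style, host="victim.example"):
    """Constructed attacker note with `links` image URLs aimed at one host.
    'query': one file with a random cache-busting parameter each time.
    'path' : a different path each time, which normalisation cannot collapse."""
    rng = random.Random(1)                      # fixed seed: reproducible
    nonces = rng.sample(range(10**9), links)    # distinct values
    if style == "query":
        return [f"http://{host}/big.jpg?r={n}" for n in nonces]
    return [f"http://{host}/img/{n}.jpg" for n in nonces]


def render_note(fetcher, urls):
    """Simulate one page view: the platform resolves every image in the note.
    Returns how many images were actually served (from origin or cache)."""
    return sum(1 for u in urls if fetcher.fetch(u) is not None)


def origin_hits(fetcher_cls, style, links=1000):
    """Origin requests caused by a single view of a crafted note."""
    origin = Origin()
    render_note(fetcher_cls(origin), crafted_note(links, style))
    return origin.requests


if __name__ == "__main__":
    for cls in (NaiveFetcher, HardenedFetcher):
        for style in ("query", "path"):
            print(f"{cls.__name__:16s} {style:5s} -> "
                  f"{origin_hits(cls, style)} origin requests")
```

Key normalisation alone stops the random-parameter trick (one origin request instead of a thousand), but an attacker can switch to a thousand distinct paths, which no normalisation can merge; only the per-host budget bounds that case, and it does so by refusing to render some images, which is exactly the functionality trade-off Facebook's reply in the post points at.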
  5. Nice https://hackerone.com/reports/2127 Yahoo! rewarded b3hr0uz with a $1,276 bounty.
  6. Dreamcash is full of vulnerabilities.
  7. I was referring to the AT&T guys being idiots. Especially this bit:
  8. After I got the money from them, they asked me to send them the W8-BEN form, filled in and signed by me, by mail (not e-mail). I told them I would "send" it.
  9. It works, but it removes you from the list after a few minutes.
  10. RST FTW !!! Leaderboard - Flappy Bird // I've been removed from the list.
  11. It's not set up properly on the PC :/ Thanks.
  12. Vulnerability: Cross-site-scripting Type: Reflected Author: akkiliON Date: 02/27/2014 Reported Picture:
  13. C59249769E9900N1595-ENS7ULJH New key.
  14. Fuck. :/ When did you report it and get 'duplicate'?
  15. Target: Yahoo Inc. URL Link: Yahoo! Author: akkiliON Vulnerability: Cross-Site-Scripting Reflected Reported Picture: