Simon Willison’s Weblog


Sunday, 23rd August 2009

Facebook Hacked By 4chan, Accounts Compromised. It wasn’t Facebook that got hacked: 4chan members got hold of a list of usernames and passwords from an insecure Christian dating site and started using them to raise complete hell. Yet another demonstration that storing your users’ passwords in the clear is extremely irresponsible, and also a handy reminder that regular users who “don’t have anything worth securing” actually have a great deal to lose if their password gets out.

# 10:02 am / 4chan, facebook, identitytheft, passwords, security

For those who haven't heard the story, the details were pulled from a Christian dating site which had a query parameter injection vulnerability. The vulnerability allowed you to navigate to a person's profile by entering the user id and skipping authentication. Once you got there, the change password form had the passwords in plain text. Someone wrote a scraper and now the entire database is on Mediafire and contains thousands of email/password combinations.

rossriley on Hacker News

# 10:10 am / passwords, security, sql-injection

Bokode (via) New take on the humble barcode from the MIT Media Lab—Bokodes are 3mm wide but can be read at a distance by a regular digital camera lens using out of focus photography, exploiting the bokeh effect. The way in which the Bokode is read allows both distance and relative angle to the camera to be derived, making it ideal for Augmented Reality systems.

# 10:29 am / augmentedreality, barcodes, bokeh, bokode, mitmedialab, optics

We completely understand the public’s concern about futuristic robots feeding on the human population, but that is not our mission.

Harry Schoell, CEO of Cyclone

# 10:51 am / cyclone, funny, robots

Exploring OAuth-Protected APIs. One of the downsides of OAuth is that it makes debugging APIs in your browser much harder. Seth Fitzsimmons’ oauth-proxy solves this by running a Twisted-powered proxy on your local machine which OAuth-signs every request going through it using your consumer key, secret and tokens for that API. Using it with a browser risks exposing your key and token (but not secret) to sites you accidentally browse to—it would be useful if you could pass a whitelist of API domains as a command line option to the proxy.

# 11:06 am / apis, oauth, proxy, python, sethfitzsimmons, twisted
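To show what the proxy does to each request, here is an added example (my own code, not Seth Fitzsimmons’ oauth-proxy): it OAuth-signs a request with HMAC-SHA1 using the consumer key/secret and token/secret, and refuses to sign anything for a host outside an allowlist, which is the safeguard asked for above. `ALLOWED_API_HOSTS` is a constructed setting; the credentials used in the test are the OAuth Core 1.0 Appendix A.5 test vector, not real keys.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed setting: the only hosts the proxy may sign requests for.
ALLOWED_API_HOSTS = {"photos.example.net"}


def oauth_escape(value):
    # OAuth percent-encoding: only RFC 3986 unreserved characters stay bare.
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """METHOD&escape(base URL)&escape(normalized params), per OAuth Core 1.0."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    # Query and oauth_* parameters are escaped, then sorted by key, then value.
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_escape(base_url), oauth_escape(normalized)])


def sign_request(method, url, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Return (base string, signature, Authorization header) for one request.
    Raises ValueError when the host is not allowlisted, so a stray browser
    request through the proxy cannot hand the consumer key and token to it.
    """
    host = urlsplit(url).hostname
    if host not in ALLOWED_API_HOSTS:
        raise ValueError(f"refusing to OAuth-sign a request to {host!r}")
    oauth_params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp)),
        ("oauth_token", token),
        ("oauth_version", "1.0"),
    ]
    query_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    base = signature_base_string(method, url, query_params + oauth_params)
    # Signing key: escaped consumer secret, '&', escaped token secret.
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    signature = base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()
    header_params = oauth_params + [("oauth_signature", signature)]
    header = "OAuth " + ", ".join(f'{k}="{oauth_escape(v)}"' for k, v in header_params)
    return base, signature, header
```

The returned header is what the proxy would attach as `Authorization` before forwarding the request; the base string is worth logging when a signature is rejected, since most OAuth 1.0a failures come from a mismatch there.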
