Facebook has fixed a bug that let any website pull information from a user’s profile — including their ‘likes’ and interests — without that user’s knowledge.
Those are the findings of Ron Masas, a security researcher at Imperva, who found that Facebook search results weren’t properly protected from cross-site request forgery (CSRF) attacks. In other words, a website could quietly siphon off certain bits of data from your logged-in Facebook profile in another tab.
Masas demonstrated how a website acting in bad faith could embed an IFRAME — used to nest a webpage within a webpage — to silently collect profile information.
“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” said Masas.
The malicious website could open several Facebook search queries in a new tab, and run queries that could return “yes” or “no” responses — such as if a Facebook user likes a page, for example. Masas said that the search queries could return more complex results — such as returning all a user’s friends with a particular name, a user’s posts with certain keywords, and even more personal demographics — such as all of a person’s friends with a certain religion in a named city.
“The vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends,” he said.
A snippet from a proof-of-concept built by Masas to show him exploiting the bug. (Image: Imperva/supplied)
In fairness, it’s not a problem unique to Facebook nor is it particularly covert. But given the kind of data available, Masas said this kind of data would be “attractive” to ad companies.
Imperva privately disclosed the bug in May. Facebook fixed the bug days later by adding CSRF protections and paid out $8,000 in two separate bug bounties.
Facebook told TechCrunch that the company ..
Tinder is preparing to roll out more gender options in its app in India. The company will announce shortly that users will be able to edit their profile in order to choose a different option for their gender identity, instead of just “Man” or “Woman,” as well as toggle a setting that will display their gender on their profile in Tinder’s app.
These same options have been live in the U.S. since November 2016, when the dating app added options for transgender and gender non-conforming people.
The news was published earlier today to Tinder’s blog ahead of a planned announcement, a spokesperson said. It plans to share more information later tonight, they noted. (We’ll update if that’s the case).
In the post Tinder published, the company admits it hasn’t always “had the right tools” to serve its community in the past, and is now trying to learn to be a better ally to transgender and gender non-conforming people using its app. On this front, Tinder says it’s expanding its support team and educating its staff about the issues that these communities face in India.
Additionally, the company is opening up its support channels and inviting back users who were banned after being unfairly reported by others due to their gender. Tinder users will be able to email the company with a link to their Facebook profile so that Tinder’s team can review their request and let them back in. To what extent banned users will want to return, of course, is less clear at this point.
Tinder has not fared well with the trans community in particular, as some users in the past have been banned from the app even when using the identifiers for trans people and displaying this on their profile.
For the U.S. launch of the expanded gender options, Tinder had worked with organizations like GLAAD, activists and others.
In India, it worked with users and consultants, including an LGBTQ organization working for the health and human rights of the LGBTQ community since 1994, The Humsa..
Chappy, the dating app for gay men, has today announced a partnership with GLAAD. As part of the partnership, Chappy will make a donation to GLAAD for each conversation initiated on the dating app, from now throughout 2019.
The company won’t disclose the amount of the donation, but said that it hopes to raise “hundreds of thousands of dollars.”
Chappy launched in 2017 to give gay men an authentic, discrimination-free way to connect with one another. The app uses a sliding scale to let users indicate what they’re looking for in a relationship, ranging from ‘Cute’ to ‘Sexy.’ The app has more than 650,000 registered users, and has seen more than 1 billion swipes.
Chappy is backed by Bumble and controlled by Bumble shareholders, falling under the Badoo umbrella of dating apps. Last month, Bumble named Chappy its official dating app for gay men. As part of that relationship, Bumble and Chappy will be cross-promoting each other’s apps.
Adam Cohen-Aslatei, Managing Director at Chappy, says that the donations to GLAAD will be unrestricted, and can be used by GLAAD however they see fit. Cohen-Aslatei also hopes to contribute to GLAAD’s research projects, and said that he sees the opportunity for the Chappy community to provide data-based insights to that research.
Cohen-Aslatei joins the Chappy team from Jun Group, where he was Vice President of Marketing. He was appointed to the position last month.
“There are a lot of dating apps out there and a lot of gimmicks out there,” said Cohen-Aslatei. “We’re trying to improve the way the gay community meets each other and thinks about relationships, but also the way they think about their commitment to the community. We’re a relationship and advocacy app, and we want to partner with the right organizations to drive awareness to what we are.”
When you’re launching a new social media product, like an image-sharing app or niche network, common wisdom is to make it available to everyone as soon as it’s ready. But simulations carried out by Facebook — and let’s be honest, a few actual launches — suggest that may be a good way to kneecap your product from the start.
It’s far from a simple problem to simulate, but in the spirit of the “spherical cow in a vacuum” it’s easy enough to make a plausible model in which to test some basic hypotheses. In this case the researchers crafted a network of nodes into which a virtual “product” could be seeded, and if certain conditions were met it would either spread to other nodes or “churn” permanently, meaning this node deleted the app in disgust.
If you’re familiar with Conway’s Game of Life it’s broadly similar but not so elegant.
In the researchers’ simulation, the spread of the product is based more or less on a handful of assumptions:
User satisfaction is largely governed by whether their friends are on the app
Users start using the app at a low rate and use it either more or less based on their satisfaction
If a user is unsatisfied, they leave permanently
Based on these (and a whole lot of complex math) the researchers tried various scenarios in which different numbers and groups of nodes were given access to the product at once.
It wouldn’t be unreasonable to guess that under these basic conditions, giving it to as many people as possible (not everyone, since that’s not realistic) would be the right move. But the model showed that this isn’t the case, and in fact creating a few concentrated clusters of nodes had the best results.
If you think about it, it becomes clear why: When you make it available to a large number of people, the next thing that happens is a large die-off of nodes that didn’t have enough friends at the start or whose friends weren’t active enough. This die-off limits the reach of other nearby nodes, which then die off as well, and although i..
The idea that social media can be harmful to our mental and emotional well-being is not a new one, but little has been done by researchers to directly measure the effect; surveys and correlative studies are at best suggestive. A new experimental study out of Penn State, however, directly links more social media use to worse emotional states, and less use to better.
To be clear on the terminology here, a simple survey might ask people to self-report that using Instagram makes them feel bad. A correlative study would, for example, find that people who report more social media use are more likely to also experience depression. An experimental study compares the results from an experimental group with their behavior systematically modified, and a control group that’s allowed to do whatever they want.
This study, led by Melissa Hunt at Penn State’s psychology department, is the latter — which despite intense interest in this field and phenomenon is quite rare. The researchers only identified two other experimental studies, both of which only addressed Facebook use.
143 students from the school were monitored for three weeks after being assigned to either limit their social media use to about ten minutes per app (Facebook, Snapchat, and Instagram) per day or continue using it as they normally would. They were monitored for a baseline before the experimental period and assessed weekly on a variety of standard tests for depression, social support, and so on. Social media usage was monitored via the iOS battery use screen, which shows app use.
The results are clear. As the paper, published in the latest Journal of Social and Clinical Psychology, puts it:
The limited use group showed significant reductions in loneliness and depression over three weeks compared to the control group. Both groups showed significant decreases in anxiety and fear of missing out over baseline, s..
Done cloning Snapchat, Facebook is now chasing Chinese short-form video sensation TikTok with the launch of its knock-off Lasso. Available now for iOS and Android, Lasso is Facebook’s answer to the zany mobile lipsyncing playground that’s gained ground with young users, both in China and in the West.
The release confirms TechCrunch’s scoop from last month that the company was building an app called Lasso to let people share short videos with soundtracks. With TikTok looking like the next big thing, it’s not surprising to see Facebook playing chase, much like it did, successfully, when Snapchat posed an existential threat.
A Facebook spokesperson confirmed that the launch of Lasso on iOS and Android is in the U.S. only for now, telling us “Lasso is a new standalone app for short-form, entertaining videos — from comedy to beauty to fitness and more. We’re excited about the potential here, and we’ll be gathering feedback from people and creators.” While Lasso was released under the Facebook umbrella, the company launched it informally and with relatively little fanfare via a tweet from a product manager on the team.
Lasso lets you shoot up to 15-second long videos (no uploads allowed) and overlay popular songs. The app centers around an algorithmic feed of recommended videos, but also lets you tap through hashtags or a Browse page of themed collections.
The original slate of videos seeded by Lasso’s beta users look pretty good, making use of the millions of songs in its soundtrack catalog. There are no augmented reality effects or crazy filters like you’ll find in TikTok, but users are already taking advantage of the slo-mo and fast-forward recording features to make fun clips. Overall the app feels well constructed, and has that colorful and playful teen vibe.
Surprisingly, Facebook is releasing Lasso under its own name rather than trying to obscure the connection to its social netw..
Two researchers, Dr. Domenico Vicinanza of Anglia Ruskin University and Dr. Genevieve Williams, have “sonified” a video of the 5,000th Martian sunrise captured by the Mars rover, Opportunity. The music is a representation of the experience of seeing the sun rise over the red dunes as light pierces the planet’s atmosphere.
From the release:
Researchers created the piece of music by scanning a picture from left to right, pixel by pixel, and looking at brightness and colour information and combining them with terrain elevation. They used algorithms to assign each element a specific pitch and melody.
The quiet, slow harmonies are a consequence of the dark background and the brighter, higher pitched sounds towards the middle of the piece are created by the sonification of the bright sun disk.
Given that you are literally watching the sun rise over the sands of Mars thanks to the efforts of a little multi-wheeled robot and you can now hear the musical equivalent of this amazing breakthrough, it’s pretty hard to feel that humanity is heading toward a dark place. The next breakthrough, I suspect, will happen when we’re able to send a human orchestra up there to recreate it with real instruments.
LinkedIn, the Microsoft-owned social network for the working world with some 580 million users, took a big step into professional development and education when it acquired Lynda.com for $1.5 billion and used it as the anchor for LinkedIn Learning. Now, with 13,000 courses on the platform, LinkedIn is announcing two new developments to get more people using the service. It will now offer videos, tutorials and courses from third parties such as Treehouse and the publishing division of Harvard Business School. And in a social twist, people who use LinkedIn Learning — the students and teachers — will now be able to ask and answer questions around LinkedIn Learning sessions, as well as follow instructors on LinkedIn, and see others’ feedback on courses.
Unlimited access to LinkedIn Learning comes when a person pays for LinkedIn’s Premium Career tier, which costs around $30/month, or when a company takes an enterprise team subscription for the Learning service. Today, LinkedIn tells me that it has around 11,000 enterprise customers. It doesn’t break out how much traffic it has overall on LinkedIn, but says that there has been 64 percent growth in paid learners since the start of 2017 — a number that it’s clearly looking to boost with these new features.
James Raybould, the director of product for LinkedIn Learning, said that the third-party expansion will come slowly at first with a handful of partners getting access to integrate with LinkedIn Learning. Over time, this could expand to be a public API for anyone to integrate content, he added, but for now LinkedIn is doing the curating.
Notably, he also said that LinkedIn itself is not planning on curtailing the amount of content it will continue to produce for Learning: it’s currently adding on average more than 70 new courses each week, he said.
The content in this first wave of third-party providers feels like a natural extension of the Influencer-based content that LinkedIn has been running in its m..
Facebook must exert constant vigilance to prevent its platform from being taken over by ne’er-do-wells, but how exactly it does that is only really known to itself. Today, however, the company has graced us with a bit of data on what tools it’s using and what results they’re getting — for instance, more than 14 million pieces of “terrorist content” removed this year so far.
More than half of that 14 million was old content posted before 2018, some of which had been sitting around for years. But as Facebook points out, that content may very well have also been unviewed that whole time. It’s hard to imagine a terrorist recruitment post going unreported for 970 days (the median age for content in Q1) if it was seeing any kind of traffic.
Perhaps more importantly, the numbers of newer content removed (with, to Facebook’s credit, a quickly shrinking delay) appear to be growing steadily. In Q1, 1.2 million items were removed; in Q2, 2.2 million; in Q3, 2.3 million. User-reported content removals are growing as well, though they are much smaller in number — around 16,000 in Q3. Indeed, 99 percent of it, Facebook proudly reports, is removed “proactively.”
Something worth noting: Facebook is careful to avoid positive or additive verbs when talking about this content. For instance, it won’t say that “terrorists posted 2.3 million pieces of content,” but rather that this was the number of “takedowns” or of content “surfaced.” This type of phrasing is more conservative and technically correct, as the company can really only be sure of its own actions, but it also serves to soften the fact that terrorists are posting hundreds of thousands of items monthly.
The numbers are hard to contextualize. Is this a lot or a little? Both, really. The amount of content posted to Facebook is so vast that almost any number looks small next to it, even a scary one like 14 million pieces of terrorist propaganda.
It is impressive, however, to hear that Facebook has greatly expanded the scope of its autom..
On the heels of Tinder’s plans to go more casual, Facebook is today expanding access to its own dating service, Facebook Dating. First launched two months ago in Colombia for testing purposes, the social network is today rolling out Facebook Dating to Canada and Thailand. The company is also adding a few new features to coincide with the launch, including the ability to re-review people you passed on and take a break by putting the service on pause, among other things.
If that latter feature sounds familiar, it’s because dating app Bumble recently announced something similar.
Bumble in September launched a Snooze button for its own app, which addressed the problem many online daters have – the need for a detox from dating apps for a bit. Sometimes that’s due to frustration or just being busy; while other times it’s because they’ve matched with someone and want to give them a chance.
Facebook says you can still message people you already matched while on pause.
Meanwhile, offering daters a chance to give someone a second look is also common among dating apps, though it’s presented in different ways. For example, OKCupid may resurface people you’ve passed on, while Tinder’s newer “Feed” feature lets you keep track of updates from matches that you had earlier decided to ignore.
Second Look will be in Facebook Dating’s Settings, and show people in reverse chronological order. You can go back through your Suggested Matches and even review people you may have accidentally passed on – features other dating apps charge for.
Also new today is the ability to review a blocked list, support for non-metric units (for things like range and height), and more interactive profile content, including tappable entry points for conversations – like a shared hometown or school.
These features will arrive in the new version of Facebook Dating, rolling out today, the company says.
It has tweaked the user interface a bit, too. Now, when scrolling through Groups and Events..