All posts by Pallab De

Pallab De is a blogger from India who has a soft spot for anything techie. He loves trying out new software and spends most of his day breaking and fixing his PC. Pallab loves participating in the social web; he has been active in technology forums since he was a teenager and is an active user of both Twitter (@indyan) and Facebook.

YouTube XSS Vulnerability Fixed [Official Statement]

Earlier today, a critical cross-site scripting (XSS) vulnerability was uncovered in YouTube. It now appears that the source of these attacks was Ebaumsworld, with 4Chan later chipping in to propagate it. Of course, each side is accusing the other of the wrongdoing.

Google swung into action fairly quickly, and the vulnerability has now been fixed. Jay Nancarrow, a spokesman for Google, reached out to us to issue the following statement:

We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.

In spite of Google’s swift response, the script kiddies managed to cause a fair amount of annoyance. A large selection of popular YouTube videos, especially Justin Bieber videos, were flooded with malicious comments. Fortunately for us, while obnoxious, most of these scripts did little damage beyond irritating viewers.

iTunes Accounts Hacked – Several Users Report Fraudulent Purchases

A little while ago, YouTube was hacked and exploited on a large scale. Unfortunately, YouTube is not the only major service to fall prey to hackers. Two iPhone application developers have uncovered what appears to be a widespread hacking of the iTunes App Store.

Patrick Thomson, the developer of the QuickReader iPhone application, was the first to notice that something was amiss, when his app was displaced in the rankings by numerous suspicious-looking Vietnamese manga apps.

[Image: iTunes-Hacked]

It appears that someone going by the name Thuat Nguyen managed to hack into people’s accounts and buy his own apps to push them up the App Store rankings. The scale of the attack, as well as the methodology used, isn’t known. However, the number of people who have been compromised is definitely significant. This particular thread on the MacRumors forum paints a worrisome picture. Several users have been charged hundreds of dollars for purchases they never made. To make matters worse, Apple’s customer care isn’t being very helpful either.

If you have associated a credit/debit card with your iTunes account, you should immediately check your recent purchase history and remove your card from your iTunes profile.

Image Courtesy: Alex Brie

Cheaper Android Phones Coming to Asian Markets like China and India

Android has gone from strength to strength over the past few months. Thanks to the exponential increase in the number of Android handsets and the rapid growth of the Android Market, Google is now a worthy challenger to Apple. However, there is definitely scope for more improvement. And Google knows it.

Google is already working on Android 3.0, which will possibly be targeted at high-end devices and is expected to introduce significant improvements to the platform. However, that doesn’t mean that Google is ignoring mid-range or budget smartphones. According to Businessweek, Google is working with hardware manufacturers to introduce cheaper Android-powered handsets in crucial Asian markets like China and India.

Andy Rubin, VP of engineering at Google, said, “The down-market opportunity is about to happen. It’s actually quite a revolution”. In markets like India, the iPhone has barely managed to make a dent. Instead, companies like Nokia rule the roost with their wide range of attractively priced handsets. By encouraging manufacturers like Huawei Technologies and LG Electronics to introduce cheaper handsets, Google is hoping to expand its reach and attract more developers.

Cerulean Studios Turns 10: Announces Trillian 5

Facebook and Twitter might be the dominant social networks, but they aren’t the only way to connect with friends and strangers. Many of us still rely on instant messaging services like Yahoo! Messenger and Windows Live Messenger, or the good old IRC. In fact, most of us use multiple services on a day-to-day basis. However, using individual clients for each service can be quite inconvenient. This is why applications like Digsby are so popular.

However, even before Digsby, Trillian built its reputation as a neat multi-protocol messaging client. Unfortunately, for the past couple of years, Trillian has been struggling to retain its charm. Trillian Astra (v4) took too long to come. And when it came, it disappointed many. The good news is that with Trillian v5 things are set to change for the better.

[Image: Trillian 5 – Flexible Interfaces]

Earlier this week, Trillian’s developer, Cerulean Studios, celebrated its 10th anniversary by announcing Trillian 5. The new version will feature a brand new user interface, which is not only beautiful and functional but also sleek and slim. Minimalism is the ‘in’ thing these days and Cerulean Studios is following suit. The flexible interface offers 5 modes – large, medium, small, tiny and simple. Simple mode occupies very little space and is ideal for netbook users.

[Image: Trillian 5 – Supported Networks]

Trillian will support Twitter, Facebook as well as LinkedIn in addition to other networks like Windows Live Messenger, Yahoo! Messenger, Google Talk, ICQ, AIM, Skype and E-mail. It will also leverage Windows 7’s in-built GPS support to enable Foursquare check-ins.

[Image: Trillian 5 – Foursquare]

[Image: Trillian 5 – Facebook]

Other features include synchronized contact lists, accounts and chat history, streamlined news feeds and enhanced performance. Trillian 5 Beta will be released to current subscribers soon.

[Image: Trillian 5 – Chat Window]

Warning: Highly Critical XSS Vulnerability Discovered in YouTube

It appears that YouTube is vulnerable to XSS (cross-site scripting) attacks. Details are scarce since this is a breaking story. However, according to preliminary information available to us, it is possible to hijack cookies to gain access to a logged-in user’s Gmail and YouTube accounts.

Although it’s unclear who discovered this vulnerability, 4Chan users are already actively trying to exploit it. The exploit makes use of PHP, JavaScript, and XSS, and is being spread through comments on videos. Any logged-in user who has browsed to an infected page is vulnerable. The best solution is to completely log out of YouTube until this issue has been fixed. If you are worried that you have viewed an infected video, delete all your cookies.
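The two defences that matter for the kind of comment-borne XSS described above are output encoding of user-supplied text and keeping session cookies out of reach of page scripts. The following is an added example, not code from the original post or from YouTube; the function names and the sample comment are constructed for illustration.

```javascript
// Added example (not part of the original post). Function names and the
// sample comment below are constructed for illustration.

// 1. Contextual output encoding. Text that came from a user and is placed
//    into an HTML body must have the HTML metacharacters encoded so the
//    browser renders it as text and never interprets it as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one comment as an HTML fragment. Author and body are both
// untrusted, so every piece of user data passes through escapeHtml.
function renderComment(comment) {
  return (
    '<div class="comment">' +
    '<span class="author">' + escapeHtml(comment.author) + "</span>: " +
    '<span class="body">' + escapeHtml(comment.body) + "</span>" +
    "</div>"
  );
}

// 2. Session cookies marked HttpOnly cannot be read by script at all, so
//    even a script that does get injected cannot hand the cookie to a
//    third party. Secure restricts the cookie to HTTPS and SameSite limits
//    cross-site sending. The name/value check refuses control characters
//    that would let a value smuggle in extra cookie attributes.
function sessionCookieHeader(name, value, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[;\r\n]/.test(value)) {
    throw new Error("invalid cookie name or value");
  }
  return (
    name + "=" + value +
    "; Max-Age=" + maxAgeSeconds +
    "; Path=/; Secure; HttpOnly; SameSite=Lax"
  );
}

// Constructed sample comment carrying a script tag, the shape of input a
// comment field has to neutralise before it reaches other viewers.
const SAMPLE_COMMENT = {
  author: "fan <b>#1</b>",
  body: "<script>alert(1)</script> great video",
};

// Rendered, the fragment contains &lt;script&gt; rather than a live tag.
console.log(renderComment(SAMPLE_COMMENT));
console.log(sessionCookieHeader("session", "abc123", 3600));
```

The encoding shown is only correct for the HTML body context; text inserted into an attribute, a URL or a script block needs the encoding appropriate to that context, which is why the flaw the post describes is usually fixed on the server side at the point where comments are rendered rather than by asking viewers to clear cookies.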

Spread the word to your friends and family members and help them stay protected. We will update you as soon as we learn more.

Update 1: TheNextWeb is reporting that Justin Bieber videos are being targeted in a big way.

Update 2: YouTube has now blocked all scripts from comments. However, video titles are also vulnerable and video responses are now being used to exploit the vulnerability.

Update 3: Google has issued an official statement.

Indian Government Threatens to Ban Gmail, Skype and BlackBerry

Bored with China and Pakistan banning web services left and right? Here is something new. Possibly feeling a bit left out, the Indian government has decided to join in on all the fun.

Apparently, the Indian security agencies are struggling to monitor the content being shared over Gmail, Skype and Blackberries due to their highly encrypted nature. According to The Hindu, a reputed daily newspaper in India, “Department of Telecom (DoT) will ask these companies to either ensure that data going through their networks be made available to security agencies in a readable format or face a ban from offering services in India.”

Indian security agencies are concerned that services like Skype are being used by terrorists to bypass monitoring mechanisms put in place for telephone calls. Skype and RIM (the Canadian manufacturer of BlackBerry handsets) will be given 15 days to respond, failing which services that do not allow lawful interception on a real-time basis would be banned. Google will also be asked to use encryption standards that can be monitored by the Government. However, the Government won’t impose any deadline on the search engine giant.

This is not the first time RIM has run into trouble with the Indian government. Back in 2008, there was a similar standoff. However, at that time, the Indian Government had claimed that all differences had been resolved.

Formal notices are expected to be served to all affected parties in the first week of July. While a Google spokesperson declined to comment, Skype has come out and termed any potential ban as “a big step backwards”.

Opera 10.60 Released: Boosts Speed, Standards Support and Security

Opera Software, the little Norwegian browser maker that pioneered many of the modern web browser features, has just released Opera 10.60. As suggested by the version number, the new build is more evolutionary than revolutionary. Opera 10.60 builds upon the 10.5x releases and polishes many of the significant changes introduced in the previous releases.

[Image: Opera 10.6]

Visual Enhancements

Opera 10.60 refines the existing skin by making subtle but noticeable all-around adjustments. The hideous O-menu button has been replaced by a more civilized looking button. Hover thumbnail tab previews have been cleaned up and internal tabs (like Feeds, Mail, Notes and Downloads) have been graced with pretty looking icons. Also, Speed Dials now makes better utilization of the width afforded by wide-screen monitors.

Standards Support Enhancements

HTML5 has become quite the buzzword these days. Of course, thanks to the misleading usage by vendors like Apple, most people have come to associate HTML5 with any new web technology that is cool. That being said, Opera 10.60 truly delivers better HTML5 and other standards support. With this stable release, it becomes the first browser to support WebM videos. Also supported in this release are standards like Geolocation, AppCache and Web Workers. You can find more information on these new technologies here.

Performance Enhancements

[Image: Opera 10.6 official benchmark]

Also included in Opera 10.60 is the customary speed improvement. I didn’t do any benchmarks with the final build, but Opera claims that the new build fares 50% better than its predecessor in some benchmarks. Earlier, the Opera 10.60 alpha had managed to edge out Chrome’s dev channel releases.

Security Enhancements

Opera has added AVG anti-fraud, malware and phishing feeds to beef up its phishing and malware protection feature. According to Opera, “Live feeds supply fresh information on the latest web threats to the users and keep them in the know about potential malware, harm or scams”. In certain regions, Opera will also be using data supplied by Yandex for fraud protection.

Other Enhancements

Live Search Suggestions are coming to Opera. For now, it works only with a few search engines like Wikipedia. Hopefully, more search engines will be supported in the near future. Opera has also added Bing as a search option. Google remains the default search engine, but Bing will be used as the Speed Dial search engine.

This is also the first time UNIX users get to try the significant enhancements introduced in Opera 10.50, since Opera never shipped a final 10.5x release for UNIX.

Opera 10.60 for Windows/Mac/UNIX can be downloaded from opera.com/browser/download. You can view real-time downloads of the browser in an interactive map available at opera.com/livemap.

Ouch! Nokia Mocks Apple over iPhone 4 Signal Issues

You have probably heard by now about the iPhone 4’s infamous death grip. Hold the phone in a particular fashion, and your signal will plummet, leading to calls being dropped. When users complained, Steve Jobs famously quipped, “Just avoid holding it in that way”.

Earlier today, Nokia jibed at Apple by showing off different ways a Nokia phone can be held. Head over to the official Nokia Conversations blog for Nokia’s brilliant sneer. Here are some selected excerpts:

We’ve been looking around and noticed there are many ways to hold your Nokia device. Whether you’re left-handed or right-handed, there’s no shortage of ways to hold your phone…

The cup
Popular with smaller devices, and typically comfortable for longer phone calls, the cup basically enables you to cup the phone with your whole hand. This might result in much of the phone’s edges being covered and the back of the device sitting snugly in the palm of your hand but don’t be concerned about this, it won’t impact the device’s performance. QWERTY device users will also find this handy for tapping out messages and navigating the phone, as the thumb is typically left free with much of the device’s weight being carried by the palm….

The four edge grip
Regardless of the size of your hands, the Four Edge Grip (FEG, for short) is a universal grip which involves all of your fingers and thumb, each having hold of one edge of the device (the middle and ring fingers actually double up to provide an opposing force to the much stronger thumb). You’ll find a little gap develops between the back of the phone and the palm, which is useful. For something.

We’ve found any of the four grips mentioned above to be both comfortable and as you can see, offer no signal degradation whatsoever. This isn’t a feature you’ll only find on high-end Nokia devices either. It’s something that’s been a part of pretty much every Nokia device ever made (perhaps with the exception of that teardrop 3G one, which was a bit ridiculous).

The key function on any Nokia device is its ability to make phone calls. After all, that’s why we know them universally as mobile phones (or smart phones, feature phones or mobile computers though the same grip styles work for those, too). One of the main things we’ve found about the 1 billion plus Nokia devices that are in use today is that when making a phone call, people generally tend to hold their phone like a…. well, like a phone. Providing a wide range of methods and grips for people to hold their phones, without interfering with the antennae, has been an essential feature of every device Nokia has built.

Of course, feel free to ignore all of the above because realistically, you’re free to hold your Nokia device any way you like. And you won’t suffer any signal loss. Cool, huh?

It’s always amusing to see companies mocking competitors, especially when done right. Motorola parodied the iPhone to hilarious effect in their iDoes ad-campaign. Opera created comic gold with their parody of Google Chrome. Nokia’s attempt is another brilliant example of competitors having some harmless fun at each other’s expense. Of course, the fact that Nokia and Apple are currently engaged in bitter lawsuits against each other does make things a bit more interesting.

Chinese Government Throws Google a Lemon: Google Tries to Make Lemonade

Back in January, Google threatened to pull out of China and promised to stop censoring results served to Chinese users. They followed through on their promise in March and started redirecting all Google.cn users to the uncensored Google.hk domain. Quite obviously, this didn’t sit well with the government of China.

Although the government didn’t officially react to Google’s move, they must have privately made their displeasure known to Google. Google’s David Drummond has now revealed that the Chinese government won’t renew Google’s Internet Content Provider (ICP) license if Google doesn’t stop redirecting users to the Hong Kong site. Google’s ICP license is up for renewal on June 30, and without an ICP license Google would basically go dark in mainland China.

Contrary to Google’s initial assertion, it appears that Google isn’t quite ready to face the prospect of “having to shut down Google.cn”. Google has backtracked slightly from their original stance and will stop redirecting users to its Hong Kong services. Instead, Google will direct Chinese users to a new landing page that will prominently link to Google.hk, which the users must browse to, if they wish to use Google Search. Google will provide only services like music and translation from its Chinese domain name.

It will be interesting to see if Google’s clever bit of maneuvering is sufficient for the Chinese government. If it is not, then Google’s determination to do the right thing will really be tested.

Lots More Windows 8 Information: Power Conservation, Evolved Identity Management, Stereo 3D and More

There has been a deluge of Windows 8 related information over the past few hours. We have already covered various aspects of the successor to Windows 7, including the online app store, tablet optimizations, facial recognition and more. It appears that the source of all the leaked information was Win7Vista.com, which published a huge stockpile of confidential documents. Of course, as you can imagine, Microsoft is not amused. Francisco Martin’s blog, which was hosted on Microsoft Live Spaces, has already been pulled down (possibly by Microsoft). Worse still, in their eagerness to share the confidential documents, Win7Vista might have exposed their source. One of the slides clearly identifies one Mr. Derek Goode from HP as the legitimate owner of the documents.

Anyway, the documents are still available for download from the aforementioned forum. If you are excited about Windows 8, then you should really check them out. In this post, I will highlight some of the stuff (other than what has already been mentioned) that caught my fancy.

Fascinated by Apple

Really! Microsoft openly acknowledges Apple’s cool cred and discusses Apple in at least three of the slides. No wonder, Apple keeps mocking Windows for stealing ideas.

[Slides: Windows-8-Apple, Windows-8-Apple-2, Windows-8-Apple-3]

Optimized for a Variety of Platforms

Microsoft will continue with its philosophy of using the same operating system on different form factors. Windows 8 will be optimized for tablet PCs, laptops and normal desktops.

[Slide: Windows-8-Form-Factors]

Instant On

I briefly discussed this earlier, but going through the slides I found a lot more information. With Windows 8, Microsoft is aiming for “Instant On”. The documents also suggest that Microsoft might be weighing Logoff + Hibernate as an alternative to conventional shutdown.

[Slides: Windows-8-Form-Instant-On-1, Windows-8-Form-Instant-On-2, Windows-8-Form-Instant-On-3, Windows-8-Form-Instant-On-4, Windows-8-Form-Instant-On-5]

Energy Efficiency

Given that Windows 8 will run on both laptops and tablet devices, power efficiency is a critical aspect.

[Slides: Windows-8-Form-Power-1, Windows-8-Form-Power-2, Windows-8-Form-Power-3, Windows-8-Form-Power-4]

Improved Help and Support

Microsoft wants to broaden the Windows Help and Support by integrating more resources including custom resources provided by the OEMs.

[Slides: Windows-8-Help-Support-1, Windows-8-Help-Support-2]

Improved Recovery Option

Windows 8 will provide an option called “Factory Reset”, which will reset your system to its original condition, while retaining your data and configurations. Microsoft also wants to provide a pre-boot recovery environment, which will be simple enough to be useful to everyone, but will also house advanced diagnostic tools for power users.

[Slides: Windows-8-Recovery-1, Windows-8-Recovery-2]

3D

There are a lot of people who believe that 3D is a passing fad. However, Microsoft is not one of them. As suggested by the following slides, the Windows 8 ecosystem will be capable of providing a rich 3D experience.

[Slides: Windows-8-3D-1, Windows-8-3D-2]

Improved Identity and Authentication

Windows 8 might include a system-level key ring to manage all your login information, thus freeing you from the burden of remembering hundreds of passwords. It also means independence from web browsers and other third-party tools for managing passwords.

[Slides: Windows-8-Password-Manager-1, Windows-8-Password-Manager-2]

With Windows 8, user accounts will finally become user-centric. Your cloud-based user account will follow you from machine to machine.

[Slides: Windows-8-Identity-1, Windows-8-Identity-2]

As a part of its enhanced focus on simplified user authentication, Microsoft wishes to integrate facial recognition in Windows 8. Check our previous post for more on the Kinect-like features Microsoft is currently contemplating for Windows 8.

[Slide: Windows-8-Facial-Recognition-1]