Wednesday, 30 September 2015

Facebook spices up profiles with looping video, temporary pictures, larger images and more




As part of a continued effort to avoid the same fate as MySpace, Facebook on Wednesday announced a handful of major changes that add a bit of spice to users’ profiles.

The first change you may notice is the ability to replace your static profile photo with a looping video, an obvious next step as we continue to shift towards a video-centric web.



Facebook is also adding temporary profile pictures that allow users to display them for a set amount of time before reverting back to their original one. Facebook product managers Aigerim Shorman and Tony Hsieh suggested using the feature to support your favorite sports team leading up to the big game, to celebrate a special milestone like a birthday or vacation or to show off a throwback Thursday photo.

And speaking of, profile pictures are now larger and centered.



As it has done multiple times before, Facebook is making changes to its profile controls. Specifically, they’re adding a new customizable space at the top of your profile and adding a new one-line “bio” field. You’ll also be able to add up to five feature photos to showcase at the top of your profile. The space is visible to anyone that visits your profile although you’ll have full control over what information is shown, we’re told.

Facebook said it has already started to roll the changes out to a small number of iPhone users in California and the UK. Assuming all goes well, the rollout will continue to expand in the near future.

Friday, 25 September 2015

Exploiting Browser Cookies to Bypass HTTPS and Steal Private Information



A newly discovered critical flaw in the implementation of web cookies by major browsers could open secured (HTTPS) browsing to Man-in-the-middle attacks.

The US Computer Emergency Response Team (CERT) has revealed that all the main browser vendors have improperly implemented the RFC 6265 Standard, also referred to as "Browser Cookies," allowing remote attackers to bypass secure HTTPS protocol and reveal confidential private session data.

Cookies are small pieces of data sent from web sites to web browsers. They contain various information used to identify users or to store any information related to that particular website.

HTTPS Cookie Injection Vulnerability

Whenever a website (you have visited) wants to set a cookie in your browser, it passes a header named “Set-Cookie” with the parameter name, its value and some options, including cookie expiration time and domain name (for which it is valid).

It is also important to note that HTTP-based websites do not encrypt the headers in any way. To solve this issue, websites use HTTPS cookies with the "secure flag", which indicates that the cookies must be sent (from browser to server) over a secure HTTPS connection.

However, the researchers found that some major web browsers accept cookies via HTTPS without even verifying the source of the HTTPS cookies (cookie forcing), allowing attackers with a man-in-the-middle position on a plain-text HTTP browsing session to inject cookies that will be used for secure HTTPS encrypted sessions.

For an unprotected browser, an attacker can set an HTTPS cookie masquerading as another site (example.com) and override the real HTTPS cookie in such a way that even the user might not realise it's a fake while looking through their cookie list.

Now, this malicious HTTPS cookie is controlled by the attacker, who is thus able to intercept and grab private session information.
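The storage behaviour described above can be seen in a toy cookie jar. This is an added example, not code from the article, the researchers or any browser; the `CookieJar` class, its `protectSecure` switch and the cookie values are constructed for illustration, and the hardened rule is one possible check rather than any vendor's actual patch.

```javascript
// Toy model of RFC 6265 cookie storage (host-only cookies; Domain attribute omitted,
// path matching simplified to a prefix test). A stored cookie is keyed by
// name + domain + path; the scheme that set it is NOT part of the key.
class CookieJar {
  constructor({ protectSecure = false } = {}) {
    this.protectSecure = protectSecure; // hypothetical switch modelling a hardened browser
    this.store = new Map();
  }

  // Handle a Set-Cookie header received in a response from originUrl.
  setCookie(originUrl, header) {
    const origin = new URL(originUrl);
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return false; // no cookie name
    const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                     domain: origin.hostname, path: '/', secure: false };
    for (const attr of attrs) {
      const [k, v = ''] = attr.split('=').map((s) => s.trim());
      if (k.toLowerCase() === 'secure') cookie.secure = true;
      if (k.toLowerCase() === 'path' && v.startsWith('/')) cookie.path = v;
    }
    if (this.protectSecure && origin.protocol !== 'https:') {
      // Hardened rule: a plain-HTTP response may neither create a Secure cookie
      // nor replace or shadow an existing Secure cookie of the same name and domain.
      const clash = [...this.store.values()].some(
        (c) => c.secure && c.name === cookie.name && c.domain === cookie.domain);
      if (cookie.secure || clash) return false;
    }
    this.store.set(`${cookie.name};${cookie.domain};${cookie.path}`, cookie);
    return true;
  }

  // Build the Cookie request header the browser would send to requestUrl.
  cookieHeader(requestUrl) {
    const url = new URL(requestUrl);
    return [...this.store.values()]
      .filter((c) => c.domain === url.hostname && url.pathname.startsWith(c.path))
      .filter((c) => !c.secure || url.protocol === 'https:')
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed scenario: the site sets a Secure session cookie over HTTPS, then a
// response on plain HTTP (which a network attacker can forge) sets the same name.
function demo(protectSecure) {
  const jar = new CookieJar({ protectSecure });
  jar.setCookie('https://example.com/login', 'session=legit; Secure; Path=/');
  jar.setCookie('http://example.com/', 'session=forged; Secure; Path=/');
  return jar.cookieHeader('https://example.com/account');
}
```

In the unprotected jar the HTTPS request carries the value set over plain HTTP, because the second `Set-Cookie` lands on the same storage key as the first.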

The issue was first revealed at the 24th USENIX Security Symposium in Washington in August when researchers presented their paper that said that cookie injection attacks are possible with major websites and popular open source applications including Google, Amazon, eBay, Apple, Bank of America, BitBucket, China Construction Bank, China UnionPay, JD.com, phpMyAdmin, and MediaWiki, among others.

Affected Browsers:

The affected major web browsers include previous versions of:

    Apple’s Safari
    Mozilla’s Firefox
    Google’s Chrome
    Microsoft’s Internet Explorer
    Microsoft’s Edge
    Opera

However, the good news is that the vendors have now fixed the issue. So, if you want to protect yourself from this kind of cookie injection MitM (Man-in-the-Middle) attack, upgrade to the latest versions of these web browsers.

CERT also recommended that webmasters deploy HSTS (HTTP Strict Transport Security) on their top-level domain.
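For webmasters following that recommendation, a small audit of the `Strict-Transport-Security` response header can confirm that the policy is actually effective. This is an added example, not part of the original article; the function name `auditHsts`, the `MIN_MAX_AGE` threshold and the sample header values are assumptions made for illustration.

```javascript
// Audit a Strict-Transport-Security header value (RFC 6797) as served by the
// top-level domain. Returns a list of findings; an empty list means no issue found.
const MIN_MAX_AGE = 15552000; // 180 days, a threshold chosen for this example (assumption)

function auditHsts(headerValue) {
  if (!headerValue) return ['missing: no Strict-Transport-Security header'];
  const findings = [];
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (!name) continue; // tolerate empty segments such as a trailing ';'
    const key = name.trim().toLowerCase(); // directive names are case-insensitive
    if (directives.has(key)) findings.push(`invalid: duplicate directive ${key}`);
    directives.set(key, rest.join('=').trim().replace(/^"|"$/g, ''));
  }
  const maxAge = directives.get('max-age');
  if (maxAge === undefined || !/^\d+$/.test(maxAge)) {
    findings.push('invalid: max-age missing or not a number');
  } else if (Number(maxAge) === 0) {
    findings.push('disabled: max-age=0 tells the browser to drop the HSTS entry');
  } else if (Number(maxAge) < MIN_MAX_AGE) {
    findings.push(`weak: max-age below ${MIN_MAX_AGE} seconds`);
  }
  if (!directives.has('includesubdomains')) {
    // Without this directive, subdomains can still be loaded over plain HTTP,
    // which leaves an unencrypted channel in the same cookie domain.
    findings.push('weak: includeSubDomains absent');
  }
  return findings;
}

// Constructed sample header values, not captured from any real site.
const SAMPLES = {
  good: 'max-age=31536000; includeSubDomains',
  shortNoSub: 'max-age=300',
  disabled: 'max-age=0; includeSubDomains',
};

function auditSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([label, value]) => [label, auditHsts(value)]));
}
```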

Tuesday, 22 September 2015

iOS 9 Hack: How to Access Private Photos and Contacts Without a Passcode


A hacker has found a new and quite simple method of bypassing the security of a locked iOS device (iPhone, iPad or iPod touch) running Apple's latest iOS 9 operating system that could allow you to access the device's photos and contacts in 30 seconds or less.


Yes, the passcode on any iOS device running iOS 9.0 can be bypassed using the benevolent nature of Apple’s personal assistant Siri.


Here's the List of Steps to Bypass Passcode:


You need to follow these simple steps to bypass passcode on any iOS device running iOS 9.0:

    Wake the iOS device and enter an incorrect passcode four times.
    For the fifth time, enter 3 or 5 digits (depending on how long your passcode is), and for the last one, press and hold the Home button to invoke Siri immediately followed by the 4th digit.
    After Siri appears, ask her for the time.
    Tap the Clock icon to open the Clock app, and add a new Clock, then write anything in the Choose a City field.
    Now double tap on the word you wrote to invoke the copy & paste menu, Select All and then click on "Share".
    Tap the 'Message' icon in the Share Sheet, and again type something random, hit Return and double tap on the contact name on the top.
    Select "Create New Contact," and tap on "Add Photo" and then on "Choose Photo".
    You'll now be able to see the entire photo library on the iOS device, which is still locked with a passcode. Now browse and view any photo from the Photo album individually.

Video Demonstration 


You can also watch a video demonstration (given below) that shows the whole hack in action.


It isn't a remote flaw you need to worry about, as this only works if someone has access to your iPhone or iOS device. However, such an easy way to bypass any locked iOS device could put users' personal data at risk.


How to Prevent iOS 9 Hack


Until Apple fixes this issue, iOS users can protect themselves by disabling Siri on the lock screen from Settings > Touch ID & Passcode. Once disabled, you’ll only be able to use Siri after you have unlocked your iOS device using the passcode or your fingerprint.

France rejects Google's appeal against implementing 'right to be forgotten' globally

France’s data protection watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL), has rejected Google’s appeal against the global enforcement of the ‘right to be forgotten’ rule.

In May this year, the CNIL ordered Google to apply the right to be forgotten rule – which lets people ask search engines to not display certain unflattering links resulting from a search on their name – to its google.com global domain and not just European domains such as google.fr or google.co.uk.

Google filed an informal appeal against the order in July, claiming it would restrict the public’s right to information, was a form of censorship, and was attempting to extend French law outside the country’s borders. The president of the CNIL, Isabelle Falque-Pierrotin, rejected the appeal on Monday, saying that delistings must be applied across all extensions of the search engine and that not doing so would mean the RTBF ruling could be easily circumvented. The CNIL added that it just wanted non-European companies to respect European laws when offering their services in the continent - rejecting Google’s claims it was going beyond its jurisdiction.

"The President of the CNIL rejects Google's informal appeal against the formal notice requesting it to apply delisting on all of the search engine's domain names […] Contrary to what Google has stated, this decision does not show any willingness on the part of the CNIL to apply French law extraterritorially. It simply requests full observance of European legislation by non European players offering their services in Europe," it said in a statement.

Under French law, Google has no legal possibility of appealing the order at this stage. If the company refuses to remove the tens of thousands of delistings from its non-European domains for named searches, then the CNIL will likely look at imposing sanctions - including the possibility of a fine up to 5 percent of its worldwide revenue - against the internet giant.

A Google spokesman said: “We’ve worked hard to implement the ‘right to be forgotten’ ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so. But as a matter of principle, we respectfully disagree with the idea that one national data protection authority can assert global authority to control the content that people can access around the world.”