The SpoofedMe social login exploit is a known weakness of the OAuth2 “spec”. The OAuth2 spec doesn’t define strict implementation standards, so developers have free rein to come up with some pretty wild implementations, or to hack together a few libraries until something works. And that’s where the problem lies: there is no standard. Furthermore, social login is something that is normally built on top of OAuth2, and there’s no standard for that either. Some folks are trying to standardize social login with OpenID Connect (I like to think of this as “OAuth2-Strict”), but until then we will keep facing issues like SpoofedMe, because developers are not gods.
The SpoofedMe exploit is actually similar to this one, from a Google security advisory earlier this year:
“An attacker could forge an OpenID request that doesn’t ask for the user’s email address, and then insert an unsigned email address into the IdP’s response. If the attacker relays this response to a website that doesn’t notice that this attribute is unsigned, the website may be tricked into logging the attacker in to any local account.” – Link
Thankfully, I read the spec and decided not to implement this gaping security hole in WP-OAuth to begin with. Properly identifying users to perform the account match was one of the biggest design challenges that I encountered, because not only were there numerous docs and specs to work through, but there were also a lot of existing implementations that did it wrong. I had to start from scratch.
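To make the unsigned-attribute problem from the advisory concrete, here is an added example (my own illustration, not WP-OAuth’s code or the OpenID library’s API) of a relying party that only uses an email for account matching when the IdP’s signature actually covers it. The MAC scheme, the `signed` field-list convention and the association secret are assumptions modelled loosely on OpenID 2.0; the identities and addresses are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the association secret an RP shares with its IdP
# (assumption: HMAC-SHA256 over the listed fields; not WP-OAuth's code).
ASSOC_SECRET = b"constructed-demo-association-secret"

def _mac(resp: dict, signed_keys: list) -> str:
    # The key list itself is always part of the signed material, so a
    # relayed response cannot be shortened to drop fields from the signature.
    resp = dict(resp, signed=",".join(signed_keys))
    msg = "\n".join(f"{k}:{resp[k]}" for k in ["signed"] + signed_keys)
    return hmac.new(ASSOC_SECRET, msg.encode(), hashlib.sha256).hexdigest()

def idp_response(fields: dict, signed_keys: list) -> dict:
    """IdP side: sign only the fields the RP's request asked for."""
    resp = dict(fields, signed=",".join(signed_keys))
    resp["sig"] = _mac(resp, signed_keys)
    return resp

def verified_fields(resp: dict):
    """RP side: return the set of field names the signature covers, or None."""
    signed_keys = resp.get("signed", "").split(",")
    if not all(k in resp for k in signed_keys):
        return None
    if not hmac.compare_digest(_mac(resp, signed_keys), resp.get("sig", "")):
        return None
    return set(signed_keys)

def vulnerable_account_email(resp: dict):
    """Flawed RP: the signature checks out, so any email present is trusted."""
    return resp.get("email") if verified_fields(resp) is not None else None

def hardened_account_email(resp: dict):
    """Fixed RP: email is usable only when the IdP actually signed it."""
    covered = verified_fields(resp)
    if covered is None or not {"identity", "email"} <= covered:
        return None
    return resp["email"]

# Constructed scenario: the IdP answers a request that did not ask for email,
# and the relayed response has an unsigned email inserted afterwards.
legit = idp_response({"identity": "https://idp.example/u/alice",
                      "email": "alice@example.com"}, ["identity", "email"])
forged = idp_response({"identity": "https://idp.example/u/mallory"}, ["identity"])
forged["email"] = "victim@example.com"
```

The flawed lookup happily returns `victim@example.com` for the relayed response because the MAC over `identity` still verifies; the hardened lookup rejects it, and also rejects a signed response whose email was altered after signing.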
Why does it take SIX police officers to apprehend ONE 160 lb. schizophrenic homeless man, and WHY DON’T THEY PROCEED TO CUFF HIM AT ANY POINT?
Kelly was brutally murdered while terrified and crying for help.
On July 5, 2011, six police officers were caught on tape beating Kelly Thomas, a “peaceful homeless man”, into a coma while he was screaming “Dad! Dad! Dad!” for help.
I’d like to know what procedure it was that instructed police officers to bash Kelly’s head in and taser him repeatedly while more cops showed up to participate, NOT ONCE PUTTING CUFFS ON HIM, until the still, lifeless body of a brain-damaged man lay there on the concrete?
Turns out Kelly’s dad is an ex-police officer of the Fullerton Police Department and teaches police procedures. When he was interviewed about the killing, he stated that police procedures were certainly not followed. Apparently, the Fullerton Police Department and the Orange County District Attorney are close friends. The city of Fullerton has already tried to pay off Kelly’s family with $900,000. Because of this, the FBI is now involved.
My software of choice for composing music, FL Studio 10, has just been released! Previously known as FruityLoops, it started out as a sound looping program for creating grooves and patterns, but earned a poor reputation from critics and elitists for its amateur, “toy-like” interface and capabilities, which is probably why those misinformed ignorants still consider the software to be of questionable quality, claiming it does not compare to a professional DAW used in a real studio. Are we still living in 1992?
The very passionate development team at Image-Line continually expanded upon FruityLoops until it became the fully fledged digital audio workstation behemoth that it is today, far more capable than FruityLoops ever was. It rivals even the best DAW software around (Pro Tools, Logic, I’m lookin’ at you!) and it does so at a very cut-throat price. If you’re looking for the most affordable DAW that will do practically everything, FL Studio is the choice.
FL Studio has played a key role in my own music productions throughout the years, and I personally can’t wait to try out the exciting new features. Auto-tune (Newtone), here I come!
Short history debrief: first AT&T was Ma Bell, then the federal government broke that up into several companies, which created fierce competition in the market. Many of those companies grouped together again under the same umbrella, in one legal way or another. Several years later, the Ma Bell antics are in full swing once again; in 2005 it was announced that Cingular Wireless, a joint venture between AT&T and BellSouth, would be sold under the AT&T name. And now AT&T is after T-Mobile.
If history taught us anything, wasn’t it that we can’t allow corporations to monopolize an entire industry?
Big news for old gaming junkies! GameInformer reports today that Duke Nukem Forever is set to be released on May 3, 2011 after 14 years of development and delays. GearBox Software unveiled the game in playable form at PAX a few months ago. GearBox has put out some very polished stuff in the past, so we might actually see Duke hit the shelves once again, with infinitely more anger and firepower for those alien bastards who shot up his ride.
To celebrate this news, I will be personally releasing a never-before-seen episode pack for Duke Nukem 3D that I developed many, many years ago, titled Deth. Stay tuned…
Check out the new official trailer, which speaks for itself…