Posts Tagged ‘privacy’

Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass

May 26, 2014

Accounts accessed from Wi-Fi hotspots and other unsecured networks are wide open.

sad cookie

Memo to anyone who logs in to a WordPress-hosted blog from a public Wi-Fi connection or other unsecured network: It’s trivial for the script kiddie a few tables down to hijack your site even if it’s protected by two-factor authentication.

Yan Zhu, a staff technologist at the Electronic Frontier Foundation, came to that determination after noticing that WordPress servers send a key browser cookie in plain text, rather than encrypting it, as has long been mandated by widely accepted security practices. The cookie, which carries the tag “wordpress_logged_in,” is set once an end user has entered a valid WordPress user name and password. It’s the website equivalent of the plastic bracelets used by nightclubs. Once a browser presents the cookie, WordPress servers will usher the user behind a velvet rope to highly privileged sections that reveal private messages, update some user settings, publish blog posts, and more. The decision by WordPress engineers to allow the cookie to be transmitted unencrypted makes it susceptible to interception in many cases.

Zhu snagged a cookie for her own account the same way a malicious hacker might and then pasted it into a fresh browser profile. When she visited WordPress she was immediately logged in—without having to enter her credentials and even though she had enabled two-factor authentication. She was then able to publish blog posts, read private posts and blog stats, and post comments that were attributed to her account. As if that wasn’t enough, she was able to use the cookie to change the e-mail address assigned to the account and, if two-factor authentication wasn’t already in place, set up the feature. That means a hacker exploiting the vulnerability could lock out a vulnerable user. When the legitimate user tried to access the account, the attempt would fail, since the one-time passcode would be sent to a number controlled by the attacker. Remarkably, the pilfered cookie will remain valid for three years, even if the victim logs out of the account before then. Zhu blogged about the vulnerability late Thursday.

In a Tweet made Thursday, WordPress lead developer Andrew Nacin confirmed that “cookies can be replayed until expiration.” He said a fix is scheduled for the next WordPress release. In fairness, the exploit doesn’t permit attackers to change passwords, since that setting requires a separate authentication cookie tagged “wordpress_sec,” containing the “secure” flag that causes it to be sent encrypted.

Fortunately, WordPress sites that are self-hosted on a server with full HTTPS support are not susceptible, as long as every page supports HTTPS and cookies carry the “secure” flag. Until a fix is available, WordPress users should ensure the site they’re logging into has full HTTPS support. If not, users should avoid logging in on unsecured networks. Even when using networks they trust, users should be aware that privileged employees at ISPs and network providers are able to intercept the unencrypted cookie, and government snoops may be able to do the same.

Republished from Ars Technica.
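One way to check a site for the weakness the article describes, as an added example that is not from Ars Technica or WordPress: it parses Set-Cookie headers (constructed samples below, not captured from any site) and flags login cookies that lack the Secure or HttpOnly flag, or that outlive an assumed two-week threshold the way the three-year cookie above does.

```python
"""Audit Set-Cookie headers for the weakness in the article above: a login
cookie issued without the Secure flag is sent in clear text over HTTP and,
with a multi-year lifetime, stays replayable long after the user logs out.
This is an added example, not code from the article or from WordPress."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Cookie name prefixes the article discusses (WordPress appends a site hash).
SESSION_PREFIXES = ("wordpress_logged_in", "wordpress_sec")

# Assumed review policy for this example: a login cookie that outlives two
# weeks is flagged as long-lived. This threshold is not a WordPress setting.
MAX_SESSION_LIFETIME = timedelta(days=14)

# Reference "now" for the lifetime check, fixed so results are reproducible.
AUDIT_NOW = datetime(2014, 5, 22, tzinfo=timezone.utc)

# Constructed sample headers (placeholder values, not real tokens).
# The first mirrors the problem described: no Secure flag, three-year expiry.
# The second mirrors the separate "wordpress_sec" cookie, which has Secure.
SAMPLE_SET_COOKIE_HEADERS = [
    "wordpress_logged_in_abc123=user%7C1495756800%7Cplaceholder; "
    "path=/; expires=Thu, 25 May 2017 20:00:00 GMT; HttpOnly",
    "wordpress_sec_abc123=user%7C1495756800%7Cplaceholder; "
    "path=/wp-admin; secure; HttpOnly",
]

# The same login cookie as it should be issued on an all-HTTPS site:
# Secure and HttpOnly set, and no multi-year expiry (session cookie).
SAMPLE_FIXED_HEADER = (
    "wordpress_logged_in_abc123=user%7C1495756800%7Cplaceholder; "
    "path=/; secure; HttpOnly"
)


def audit_set_cookie(header, now=AUDIT_NOW):
    """Return [(cookie_name, finding_code), ...] for one Set-Cookie value.

    Only cookies whose names start with SESSION_PREFIXES are examined.
    Finding codes: "no-secure", "no-httponly", "long-lived".
    """
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not name.startswith(SESSION_PREFIXES):
            continue
        # Morsel flag attributes are "" when absent and True when present.
        if not morsel["secure"]:
            findings.append((name, "no-secure"))
        if not morsel["httponly"]:
            findings.append((name, "no-httponly"))
        if morsel["expires"]:
            expires = parsedate_to_datetime(morsel["expires"])
            if expires - now > MAX_SESSION_LIFETIME:
                findings.append((name, "long-lived"))
    return findings


def audit_response(headers, now=AUDIT_NOW):
    """Audit every Set-Cookie header of one response; return all findings."""
    findings = []
    for header in headers:
        findings.extend(audit_set_cookie(header, now))
    return findings


if __name__ == "__main__":
    for name, code in audit_response(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{name}: {code}")
    print("fixed header findings:", audit_response([SAMPLE_FIXED_HEADER]))
```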

Facebook spies on private communications

January 4, 2014

Facebook has once again shown its arrogant contempt for its users and its scant regard for their privacy.

Facebook is accessing private messages between users and selling the data.

Once again this clearly demonstrates why you should not put personal information on facebook.

Would you hand over personal information to a stranger who stopped you in the street: where you live, where you studied, where you work, who your partner is?

If not, then why put it on facebook?

All you are doing is turning yourself into a cash cow for facebook, increasing the likelihood of being a target for spam and junk, and making yourself an easy target for ID theft or fraud.

If you have put personal information on facebook, overwrite it with false information.

I would urge everyone to delete or overwrite, and render the information facebook is collecting on you worthless.

User abuse is not restricted to facebook; it also includes Instagram.

Facebook Is So Uncool

March 10, 2013
facebook is so uncool

More and more people are now turning away from facebook: they are sick of being abused for profit and of seeing their personal privacy violated for greed.

Mark Zuckerberg has become the one person most people would rather not be seen dead with.

Facebook founder complains a private facebook photo made public

December 26, 2012
Zuckerberg spat with Schweitzer

You have to laugh when a facebook founder complains that a private facebook photo was made public.

Randi Zuckerberg — older sister to Facebook founder Mark Zuckerberg — posted a photo from a family gathering to Facebook (of course), showing her sisters using Facebook’s new Snapchat-esque ’Poke’ app on their phones, with Mark Zuckerberg watching with a confused look on his face. It popped up on the Facebook newsfeed of mediaite Callie Schweitzer who subscribes to Zuckerberg. Assuming the photo was a public one, Schweitzer tweeted it to her nearly 40,000 Twitter followers. Zuckerberg was not pleased.

How did this happen?

Facebook has once again changed privacy settings. The picture got out due to tagging.

Tagging is a violation of privacy, people may not wish to be tagged in a photo.

Rather than faulting facebook for what it does best, violating personal privacy, Randi Zuckerberg had the gall to blame Schweitzer. She tweeted:

Always ask permission before posting a friend’s photo publicly. It’s not about privacy settings. It’s about human decency.

It makes you want to throw up: a member of the Zuckerberg family tweeting to others about respecting privacy and human decency when the entire facebook business model is built around violating personal privacy, when facebook is only too happy to sell your personal data and everything you do.

Earlier this month Instagram (owned by facebook) changed their terms and conditions. Your photos would be sold to advertisers; you would not even be told about it, let alone paid.

Pot calling the kettle black!

It would appear to be OK to violate the privacy of facebook users, but not if their name is Zuckerberg.

Instagram bullshit

December 19, 2012

I will be quitting Instagram today. What a bummer. You should all read their new rules. — Pink

Trust me, deleting your Instagram account is satisfying. — Mia Farrow

No more Instagram. — Kate Walsh

Either Kevin Systrom is stupid or he thinks Instagram users are stupid.

It could not have been more explicit: from 16 January 2013, new terms and conditions come into force. You have no choice, you are opted in like it or not, and once opted in Instagram deems that you have granted permission for your pictures to be sold to third parties whether you like it or not. You won’t get paid, you won’t even be notified.

We may share your information as well as information from tools like cookies, log files, and device identifiers and location data with organisations that help us provide the service to you… (and) third-party advertising partners.

To help us deliver interesting paid or sponsored content or promotions, you agree that a business may pay us to display your username, likeness, photos, in connection with paid or sponsored content or promotions, without any compensation to you.

But according to Kevin Systrom, co-founder of Instagram, it does not mean what was writ; that is just poor use of the English language.

Our intention in updating the terms was to communicate that we’d like to experiment with innovative advertising that feels appropriate on Instagram. Instead it was interpreted by many that we were going to sell your photos to others without any compensation. This is not true and it is our mistake that this language is confusing. To be clear: it is not our intention to sell your photos. We are working on updated language in the terms to make sure this is clear.

Now what, when it is at home, is ‘experiment with innovative advertising that feels appropriate on Instagram’, other than bullshit, within a denial that is in itself bullshit?

It was not ‘interpreted by many that we were going to sell your photos to others without any compensation’; that is what Instagram explicitly stated would happen on 16 January 2013, and the only way to stop this happening was to delete your Instagram account, which many have quite wisely chosen to do.

Facebook, which owns Instagram, and paid a ludicrous price for a fairly worthless application, is a rapacious corporation that thinks nothing of violating the privacy of its users.

Also contrast what Kevin Systrom had to say with what Carolyn Everson, Facebook vice president of global marketing, had to say:

There are many brands that use Instagram right now to try to get a feel for how to engage with their followers. We will definitely be figuring out a monetisation strategy. When that will happen, I can’t comment, but it’s going to happen.

What therefore is going on?

Yesterday, according to Anonymous, 500,000 users deleted their Instagram accounts. Today Instagram violating its users, and the reaction of those users, was the front page story on the Metro, so expect more users to delete their accounts. All of which will send facebook shares into free fall.

As already noted, facebook paid a ludicrous amount for a worthless application. The price was not paid in cash, it was cash and facebook shares. Now you will understand the statement of Kevin Systrom. It is not that he cares about users, but he does care about his wealth rapidly vanishing.

Announcing the apparent change of mind, Instagram co-founder Kevin Systrom told users: “It is not our intention to sell your photos.” He didn’t say “It never was”. He didn’t even say “We never will.”

Systrom claimed the language the original terms and conditions used “raised questions”. His problem is that it didn’t. It told us what sort of a company Instagram is. No wonder users are still closing their accounts.

Would Systrom have even contradicted the Instagram violation of users if there had not been a mass deletion of Instagram accounts?

We all know the answer, which is why the advice is delete Instagram.

The advice is still: delete your Instagram account, and post on twitter with the hashtag #BoycottInstagram that you have closed your account.

Instagram abuses its users

December 18, 2012

A dramatic shift in Instagram’s privacy policy means the company can now sell your photographs and use your images in adverts – without payment or notification.

Instagram has claimed the right to use any picture uploaded to the service to promote its corporate customers’ products, without any compensation to the user who originally took it.

Instagram violates users with terms and conditions

I want to delete my Instagram account

Goodbye Instagram, you won't be missed!

There are many brands that use Instagram right now to try to get a feel for how to engage with their followers. We will definitely be figuring out a monetisation strategy. When that will happen, I can’t comment, but it’s going to happen. — Carolyn Everson, Facebook vice president of global marketing

For Facebook, this is a case study in how to waste a billion dollars. The company bought a popular service, set about stripping it of what made it successful, and paved the way for the inevitable replacement. — Forbes

Having declared war on twitter, Instagram is now violating its users.

I have never understood why anyone uses Instagram. It is a rubbish application that turns good pictures bad. If you wish to process images, then use a software package like Paintshop Pro or Photoshop.

Facebook paid a ludicrous price for Instagram, far, far more than it was worth, for a trivial application that a couple of half decent software engineers could knock out in a few days. Facebook paid a high price because it was not the application facebook was buying, it was the user database. That gives an inkling of what your personal data is worth to facebook, a company that does not recognise personal privacy.

Following a stock market flotation, with shares going into free fall, facebook has been under growing pressure to milk its assets. Its asset is you!

Milk is the operative word. Users are being herded like cattle.

Once Instagram was acquired by facebook, it was obvious that abuse of personal data was going to take place. The only surprise is that it has not happened sooner.

Nick Pickles, director of privacy and civil liberties campaign group Big Brother Watch:

People thought they were Instagram’s customers, but in reality users are Instagram’s product. It goes to show when respecting people’s data and privacy come into conflict with profit, there’s only ever going to be one winner. Users are now paying the price of Facebook’s acquisition of the company and unfortunately this kind of move will be seen time and time again as long as it is our personal data and advertising paying for services.

Last week, users found posting their Instagram pictures to twitter no longer worked. One good thing, I guess, fewer rubbish photos posted to twitter.

From 16 January 2013, new terms and conditions will be imposed on users. No choice, you are opted in by Instagram. The only way to opt out is to delete your Instagram account, but first delete all the information held, including all your pictures.

The new terms and conditions are a serious breach of personal privacy, and quite possibly a breach of data protection across Europe. Users used Instagram to share with their friends, not to share with unknown third parties.

Basically, in a nutshell: your pictures and personal information can be shared with third parties, and your pictures used in advertising campaigns.

Instagram can share information about its users with Facebook, its parent company, as well as outside affiliates and advertisers.

All your personal information, including photos, is for sale.

You could star in an advertisement — without your knowledge

Your pictures, including of you or your friends, can be used in advertising campaigns. Let us say you hate McDonald’s, or do not like Starbucks coffee or their tax dodging; how would you then feel to find they are using your photos to promote their products, and how would your friends feel if pictures of them are used? And they can use your name. And you do not get paid, or even notified.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based advocacy group, said that the use of a person’s likeness in ads could run into some state laws protecting personal privacy.

Most states have laws that limit the use of a person’s ‘name or likeness’ for commercial purposes without consent. The legal purpose is to allow people to obtain the commercial value of their images and endorsements, which is a big issue for celebrities and others, but also a reasonable concern for Facebook users whose images are used by Facebook to encourage friends to buy products and services.

Underage users are not exempt

Would you be happy to find pictures of your kids are being used?

Ads may not be labeled as ads

It gets worse. We usually know ads are ads. But what if they are not obviously ads?

You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such.

Want to opt out? Delete your account!

Do not like? Tough, you are automatically opted in. The only way to opt out is to delete your account. If you remain, you are deemed to have agreed to violation of your personal privacy.

This is like a rape victim being deemed to be a willing participant to rape because she did not scream out.

Instagram also reserves the right to share any cookie derived data with third parties.

The choice is yours. You do not have to be a willing victim to what amounts to rape of your personal data by Instagram. You can delete your account. And that is the recommended course of action.

Prior to deleting your account, you may wish to download all your pictures held on Instagram using Instaport (sign in with your Instagram account).

There are alternatives. You can upload direct to twitter, you can upload to twitpic (which will automatically post to twitter). Or try Snapseed.

If you know Instagram users (they are the ones who send out bad pictures), then please warn them and advise them to delete their Instagram accounts. Even if they do not care about abuse by Instagram, make it clear you do (as they may be holding information, pictures, relating to you).

When you delete your Instagram account please advise all your followers on twitter with the hashtag #BoycottInstagram and tell them why.

Instagram may have been one of the fastest growing companies on the net. Let’s see how quickly we can kill it.

Is your e-book reader reading what you read?

July 30, 2012

As Winston Smith learnt to his cost, Big Brother was monitoring everything he did.

CCTV watches and tracks, face recognition picks you out. GPS pinpoints where you are. Mobile phone networks track where you are, who you are communicating with. Credit and debit cards track where you are, how much you are spending. Store cards track where you are, build a profile of what you buy, where and when.

Facebook apps monitor everything you are doing on facebook, and know who all your friends are.

How many people are aware that their e-book reader is not only monitoring what they read but even gathering fine data such as which passages in a book you may have highlighted, passages that you may pause and reflect upon?

It is one thing to tweet what you are reading, to write a review, even to contact the author with your thoughts on a book, but invasive monitoring of what we read is an entirely different matter.

Philip Jones, editor of The Bookseller (a vested interest if ever there was one), dismisses concerns. Clearly he has no understanding of data mining. Author Joan Brady, on the other hand, is very concerned at this invasion of privacy: what your e-book reader is reading about you and what the information gathered is being used for.

What are authors doing about this? Are they happy with the privacy of their readers being violated?

Maybe we should all go back to reading real books, books you hold in your hand, and when we buy books do so with cash from a secondhand bookshop.

Walled gardens and private groups within

April 30, 2012

It has recently been raised whether academics and students should use facebook as a work tool in which to discuss projects and assignments, perhaps within a private group.

Yes, it is possible to set up a group on facebook; it can be a private group, invite only, invisible to everyone else.

But, and it is a big but: would you wish to be connected to these people in the real world and give them access to all your personal information? Why then in the virtual world?

Facebook is a walled garden. Yes, you can have access to the delights within, but to gain access there is a price to pay, you gain entry by selling your digital soul at the gate.

I never cease to be amazed at the amount of personal information people put on facebook – their partner, their school, their town, their e-mail address, their place of work – more than sufficient for ID theft, more than sufficient to gain access to their bank account.

There is no such thing as a free lunch. Facebook is not a social networking site, it is a site for the collection of personal data. When something appears to be free, it is you who is the product on sale.

I was first alerted to the security issue and the cavalier attitude to personal privacy some years ago when I started getting requests for my birthday. I asked the persons. I learnt they had not sent the request; it was a facebook app.

Similarly requests to send flowers, to do quizzes, to play games.

Why does no one query why playing a game requires access to personal data?

Once access is gained, onto the next victim.

Access includes access to your list of friends.

I recently did a search for an article on spotify and how it rips people off. I landed on spotify, but somewhat unusually I was presented with a request to join. But the scary part was that, to save me filling out the form, one click and the required information would be transferred from facebook. The information filled out included my e-mail, and information that I had deleted from facebook. It also showed me the people I am connected to on facebook who use spotify.

I have absolutely no wish to use spotify. Spotify is the facebook model, it collects personal data.

I am baffled why anyone uses spotify when bandcamp is far far superior.

On Earth Day, Imogen Heap streamed live an event from the Roundhouse. You can still watch the event, but you have to go through a facebook app. No way!

A facebook app has access to all your personal information, including your profile picture and who you are connected to. Remember that lewd profile picture that you now feel embarrassed by that you thought only your friends could see? Every facebook app you ever gave consent to, also has a copy.

Who is behind the facebook app, what do they do with this information?

The Dewarists make their music available but you have to go through facebook to get it. Why? Why not put it on bandcamp?

So where do we go from here? We wish to enter the walled garden, but we do not like the entry fee.

By all means enter but do the following:

  • remove all personal data
  • do not fill out the profile information, school, university, workplace etc
  • never use facebook apps and delete those you are connected to
  • sign in to sites with ID and password, not one click facebook however tempting

If you have information on facebook that you wish people to see, then create tunnels through the wall. Provide links to give direct access. Do not force them to join facebook.

Who needs NSA, GCHQ when facebook so effectively does their job for them?

Top Story in Privacy Daily (Tuesday 1 May 2012).

Facebook apps

April 24, 2012

Why it is bad to use a facebook app, is best illustrated by an example.

At the weekend on Earth Day, Imogen Heap streamed a live event from the garden of the Round House. You could watch it from her website or on facebook; why I chose her website will soon become apparent.

“Me The Machine” Live Event

You can still watch the video, but for some perverse reason, only through a facebook app.

Re-watch ‘Me, The Machine’ + Earth Day Broadcast

This app requires the following:

  • your basic information
  • your e-mail address
  • your profile info: birthday, likes and location
  • your events

What is basic information?

Well, it is actually quite a long list: name, profile picture, gender, networks, user ID, list of friends, and any other information you made public.

All handed over with a single click.

Now you may be happy to see all this information handed over to who knows where, to do as they please, but what of your friends? If you have no concern for your own privacy, do you not have an obligation to respect that of your friends? Did you ask each and every one of them if it was OK that their name be passed to this app?

But just when you think it can get no worse, what else can the app do or gain access to?

Any posts the app may make to your timeline default to public, i.e. anyone can see them. An example of this is The Guardian app: everyone can see what you are looking at on The Guardian. The Guardian came in for a lot of criticism, which they duly ignored.

But it should be noted that this privacy setting, default public, only controls what the app posts to your timeline; it does not control what happens within the app, or who has access to the information. It does not control or set who can see your activity within the app itself or when you are tagged within the app by someone else.

Pause and reflect for a moment. If you were filling out a form on a website, I think you would baulk at providing all this information, and at the very least you would know where it is going and who is collecting it, or you think you know.

But do you know with an app who is behind the app, and what they are collecting this information for?

Sharing of data between facebook and third parties

On a website, there is often an assurance that this information will not be shared with anyone else.

Those whose personal data has just been bought by facebook for $1 billion probably thought that. Now please do not tell me you thought facebook was paying a billion dollars for something a couple of competent software engineers could knock out in a few weeks, something that a handful of software designers did knock out in a few weeks.

Facebook, Instagram, Google, and the Monopoly Fallacy
A billion reasons to beware of the latest dotcom bubble
Don’t want Facebook to have more of your data? Here’s how to download and delete your Instagram account

Pause and reflect again. Would you hand this information over to a stranger who stops you in the street? You probably would not hand over even your e-mail address or telephone number.

Going back to my original example, this is a lot of information to hand over merely to watch what was streamed on Earth Day.

And who is collecting this information, what do they want it for, what are they going to do with it?

If it is Imogen Heap, then why not a form to fill out on her website?

If you wish to be kept informed of what she is doing, then fine, you hand over your e-mail address and she sends you a newsletter.

I have raised this with Imogen Heap, asked that she makes this film footage available without having to go through facebook. I can see no reason why not, it was possible to watch live on the night on her website without going through facebook.

I await her response.

Facebook is a walled garden. To gain access to the delights within you are forced to pay with your digital soul at the gate.

Web freedom faces greatest threat ever
Tim Berners-Lee: Don’t let record labels upset web openness
