Don’t bury RSS just yet

RSS is dead and Facebook and Twitter killed it! Or at least that’s what some web & trend-watching bloggers conclude from the demise of Bloglines, the once cutting-edge web-based feedreader. And indeed, people are increasingly discovering news items and memes through their friends’ status updates, re-tweeting or -sharing stuff they deem interesting. And yes Flipboard, which scans your Facebook & Twitter feeds for links (scraping content from the pages instead of using feeds, to the dismay of some publishers), is the talk of the iTown. Look ma, no RSS!
But hold your horses; do you know what the most requested feature for Flipboard is? Integration with Google Reader and the ability to include RSS-feeds is in high demand as well! And while we’re at it, Google Reader seems not to be doing too bad either, according to their own stats, probably because Reader -as opposed to Bloglines- continuous to evolve,  integrating a slew of social features. Reader is also the primary source for Feedly, a popular browser add-on that offers a magazine-like view on subscribed feeds. And proving RSS is not dead yet, Automattic last week launched Subscriptions on, which displays your subscribed feeds in a stream-like fashion, including the writer’s profile picture and a ‘reblog’ and ‘like’ button (i.e. resembling what Peter Van Dijck proposed earlier that day).
Even if RSS-readers would ever become marginalized, RSS and similar standardized XML-based newsfeeds (think Atom) are indispensable to syndicate content from one site in another application. After all, how do you think news outlets and blogs feed their content into Twitter and Facebook in the first place?

iGoogle Facebook gadget security flaw fixed & explained

I just received confirmation from the Google Security Team that the bug I discovered in the iGoogle Facebook Gadget which allowed attackers to log into an other user’s Facebook account bypassing all authentication, has been fixed. So now that the hole has been closed, let’s look at what was happening, shall we?
The gadget uses the Facebook’s Javascript API to the connect with Facebook, asking you for permission to access your FB data. In the process of getting that authorization, the gadget exchanges tokens with Facebook, some of which should absolutely be kept safe from prying eyes. And that’s where things went wrong: the gadget had the authentication info in the URL. So if a user of the iGoogle Facebook gadget clicked a link to an external site in the news feed, the request for that page had a referrer that contained all authentication-info.
And that’s exactly what happened on last week, when I spotted this referrer in my blog stats:, %22session_key%22:%2291d52d2ed5a130fd941b11f1-1175373488%22, %22secret%22:%22fdee68961b3cdee5b51390a4bdeac7a0%22,%22expires%22:0, %22access_token%22:%2283101558C90fd9KfA9KJQh5uT98TqIjxQpzUi4.%22,

You can guess what happened when I opened that URL; the iGoogle Facebook gadget initialized using the embedded credentials, automatically logging me in as the guy that was unlucky enough to have clicked the link to my blog.
But how could this vulnerability have been exploited, you may ask? Well, easy enough; create a page that is viral enough for people to share or like  (likespam or even likejacking) and wait for users of the iGoolge Facebook-gadget (there’s over 1 million of them after all) to follow the links, feeding your webserver logfiles with credential-rich referrers.
As Google confirmed this bug indeed has been fixed. The new version of the gadget, which was deployed late last week, does not leak credentials in the referrer-URL any more:,iHKb-4mKuMY/lib/librpc.js,vrFMICQBNJo/lib/libcore.js,a5j4V1JuNVE/lib/libsetprefs.js

So if anyone asks me what my good deed for this year was; I helped protect 1 million people’s Facebook accounts from being hacked.
Sounds swell, no? 😉

Severe vulnerability in iGoogle Facebook-gagdet

I by chance discovered a severe security vulnerability in iGoogle’s Facebook-gadget (more than 1 million users!), which allows an attacker to log into an other user’s Facebook account, bypassing authentication.
I contacted the author and the Google security team and they confirmed there appears to be a problem which they’ll look into. While they do so, I would strongly advise everyone not to use the iGoogle Facebook gadget. Once the hole is closed, I’ll provide more info on how this could be exploited.

Why I dislike Facebook’s Like widgets

I like Facebook. I like sharing stuff there, I like liking friends’ activities and I like friends sharing and liking my links and posts. But I really, really don’t like Facebook’s Like buttons and similar boxes! Because I see some serious problems with the like button;
  1. The page containing the “like”-widget loads and renders significantly slower (i.e. performance impact)
  2. Facebook can track me visiting this page, even if I don’t click on “Like” (i.e. privacy issue)
  3. When I do click “Like”, I have no way of checking what will be shown on Facebook. And indeed the buttons are already being used to spread spam, malware is expected to be next (i.e. security risk)
  4. “Liking” a page enters me into a relationship with the page owner, allowing them to “publish updates to the user [and] target ads to people who like [their] content” (i.e. 2nd privacy issue, severely aggravated by the security risk)

No, call me old-fashioned, but I’m much more at ease with the normal Facebook share-mechanism;

  • a simple link, so no performance impact
  • no contact with Facebook unless clicked on, so tracking of my surfing behavior is not possible
  • an intermediate screen shows what you’re about to share, meaning a much lower security risk
  • no forced relationship with the  page owner, i.e. “avert 2nd privacy-risk: CHECK”

But as I can’t force site-owners to remove the “Social Widgets”, I can only install something like No FB Tracking to disable the virus that is the Facebook Like-button. And whine about it on my blog, off course.

Facebook mobile websites face-off

With all the attention going to native Facebook-applications for the iPhone, Blackberry, Symbian and now also Android, one would forget that there is a mobile Facebook-website as well. Better yet, there is not one but two mobile website; and
The difference? The iPhone-version (or ‘high-end’, as it works on my Android-devices as well) looks a lot more beautiful, but the m-one has all the features one would expect from a mobile version of the Facebook site. Just look at these (low quality) screenshots;
Facebook home on M and iPhone:

facebook faceoff: home
Facebook profile on M and iPhone:
facebook faceoff: profile
Facebook friends on M and iPhone:
facebook faceoff: friends
Basically, except for the default friends-page, does not in any respect offer more or better functionality than the “low-end” version. On the contrary; the iPhone-version doesn’t even come close when compared to
Dear Facebook; bling isn’t everything and I really don’t want to install your application, so kudo’s for creating a strong, feature-rich mobile site on, but do implement at least the same functionalities on And add some smart html5/gears-based wizardry (just look at what Google does for mobile gmail) to bridge the gap with native apps while you’re at it, maybe?

My blog laughs in your Facebook

keuzestress op het webGisteren bij Peter Decroubele lekker ouderwets gereageerd op zijn tekst over hoe blogs aan populariteit lijken in te boeten ten voordele van Facebook en Twitter. En Peter linkt daarbij ook lekker ouderwets door een blogpost van Bruno Peeters over hetzelfde onderwerp. Al dat bloggrn, linken en reageren ondergraaft mijn hieronder hernomen (en lichtjes geredigeerde) reactie misschien enigszins, maar uitzondering en regel en diens meer zeker?

Met de opkomst van Facebook en Twitter is het belang van blogging als sociale netwerktool sterk verminderd. Statusberichtjes tussen de soep en de patatten laten zich nu eenmaal makkelijker schrijven dan regelmatige, min of meer vlot leesbare blogposts.
Ook het aantal reacties (en trackbacks en linken) lijkt overigens af te nemen, ten voordele van eenvoudiger (short-)URL’s, retweets, twitter-replies, facebook-comments en andere “vind ik leuk”-s. Blogs volgen, erop reageren en andere comments tracken is door het decentrale karakter van weblogs en door de beperkingen van feedreaders immers veel minder makkelijk. Ik krijg op Facebook dan ook gemiddeld meer respons op mijn daar automatisch geïmporteerde schrijfsels dan op m’n blog zelf (alhoewel dat ook van het onderwerp afhangt).
Dat alles betekent volgens mij overigens helemaal niet dat bloggen zal verdwijnen. maar ik denk dat het wel (terug?) meer maxi-dagboek en mini-journalistiek zal worden, zonder de “social” hype en zonder het incrowd-sfeertje (dat op Twitter een nieuwe thuis heeft gevonden). En al bij al is dat misschien toch niet zo’n slechte evolutie?

Facebook voor lamzakken (en het gevaar van twitterish)

ik importeer in facebookIk ben liever lui dan sociaal, zelfs op Facebook. Ik laat de software dus mijn werk doen; de feeds van mijn blogposts, mijn Google Reader shared items en mijn YouTube uploads en favorites worden geïmporteerd en verschijnen zo automatisch op mijn ‘prikbord’ en -als Facebook het correct doet tenminste- in de ‘stroom’ op de homepage van mijn virtuele vrienden (*). Dezelfde feeds worden overigens ook op de lifestream-pagina op mijn blog en op mybloglog geaggregeerd.

Twitteraars (nee, ik ben nog steeds niet mee) synchroniseren hun kortspraak met een Facebook-applicaties van Twitter zelf. Nu is die twittersphere een raar wereldje, waar ingewijden in hoog tempo tweeten en daarbij ook nog eens een heel eigen taaltje spreken. Want wat te denken als je op Facebook dit voorbij ziet komen;

RT @ubertwit: om 18h twunch met @twitaholic en @tweeter in #pizzahut gent, reply @twunch als je er ook zal zijn

Voor twitteraars een duidelijke boodschap (vertaling beschikbaar bij je twitterende buurjongen), maar als deze tweet volautomatisch in de context van Facebook wordt gegooid, is dit “utter gibberish” waar je FB-friends niets aan hebben. Nee, dan is de “Selective Twitter update”-applicatie een veel beter alternatief; enkel tweets waarin #fb voorkomt worden daarmee geïmporteerd. Ik zou mijn Twitterende Facebook-vrienden dan ook vriendelijk willen vragen om een beetje selectief te zijn met wat ze op Facebook gooien. Uw context is de mijne immers niet!

(*) Hoe je zelf moet importeren in Facebook? In je profiel op de ‘settings’-knop onder het status-update venster klikken en je zou iets moeten zien dat op het screenshot hierboven lijkt.

Browserless twaddle; Facebook plugin for Pidgin

If you’re using Facebook, you’ve probably already tried out its chat functionality. Yet another browser-based chat, only available when on Facebook, right? Except there’s this great plugin for the open source, cross-platform, multi-protocol IM-client that is Pidgin. Just add Pidgin-facebookchat to your plugins and you can chat with Facebook-friends the same way you chat with all your Google Talk-, MSN- or AIM-buddies. Nice work guys!

facebook pidgin plugin screenshots

And for the Twitter-loving Pidgin-users; maybe this Twitter-plugin works for you?

My Mobile bookmarks

A quick list of the most frequently used sites on my mobile phone.

  1. gmail mobile: my “homepage”. attachments and images could be handled better, but still, a great mobile web-app.
  2. google reader mobile: too many blogs, too little time. reading up on my blogfeeds everywhere i can (and yes, that includes the loo)
  3. smartphone/pda version of bbc news; the beeb was one of the first to have a version for PDA’s and smartphone’s, still great stuff.
  4. deredactie mobile: I just love the mobile version of their awful “desktop-oriented” website. Guess they took a close look at the BBC’s mobile site, no? Anyway, it would be even greater if they added links to multimedia (i.e. not force-feed video as they do on their very-very-broadband-version) and if they optimized the color usage because the readability of the purple night-version is sub-optimal.
  5. facebook mobile: I never really liked Facebook, but I must admit I’ve found myself spending time on it on an almost daily basis. The mobile version is an important part of that usage pattern.

Less frequently used mobile sites include; Truvo’s yellow and white pages, Wapedia (as wikipedia doesn’t provide a mobile version, they should) and Linkedin mobile. And although the webkit-based nokia browser handles normal sites quite well, the only non-mobile-optimized site in my bookmarks is my blog’s dashboard.
And you, what sites do you visit on your IPhone, Blackberry or Nokia e71?