Two years ago I bought an HTC Hero, my first Android handset. I lost that great device about half a year ago and, after trying a very basic Acer e110, replaced it with a second-hand Belgacom HTC Magic which I upgraded to Cyanogenmod 6.
Now don’t get me wrong; me and my Magic, we got along real fine. But my employer likes the smell of a fresh smartphone in the morning and subsidizes to make that happen, and when I saw a colleague with a Samsung Galaxy S II, I knew me and my Magic HTC had to part ways.
The Galaxy S II sports a huge, bright screen with vivid colors (Samsung’s super AMOLED screens are simply stunning), a 1.2 GHz dual-core processor and 16Gb of internal storage (with a microSD slot to be able to add up to 32Gb). There’s no hardware keyboard like on the HTC Desire Z I once was planning on buying, but the Galaxy does come with Swype, the virtual keyboard that takes most of the pain out of … not having a keyboard. I’ve installed all of the favorite apps from my HTC-days and as a bonus I can now finally also use Firefox Mobile (which is great, by the way).
So what’s not to like about it? Well, it’s huge, for starters. Big hands come in handy when using the S II, so I wouldn’t want to market it in China, except as a mini-tablet maybe. I’m not too thrilled about Samsung’s TouchWiz as seen on the homescreen. And battery-life isn’t that great, but that’s to be expected, with that humongous screen real estate I guess.
All in all my S II is a great smartphone. One probably doesn’t really need a dual-core handset with 16Gb of memory and an 800x480 screen, but it sure is a nice little gadget to play around with for the next 2 years or so …
Google Security says “Thanks Frank”
A few weeks ago I received the following in a mail from Google:
As a small token of appreciation for helping keep Google’s users safe and secure, we’d like to credit you on our website.
And indeed, yesterday my name was added to the “Honorable Mention” paragraph on Google’s Security Hall of Fame.
I don’t consider myself a security expert by any measure (although I am very interested in web app security) and I discovered that vulnerability in the iGoogle Facebook gadget merely by chance, but it’s nice to see my name (and a link to this blog) up there! Thanks for thanking me Google!
iGoogle Facebook gadget security flaw fixed & explained
I just received confirmation from the Google Security Team that the bug I discovered in the iGoogle Facebook Gadget, which allowed attackers to log into another user’s Facebook account bypassing all authentication, has been fixed. So now that the hole has been closed, let’s look at what was happening, shall we?
The gadget uses Facebook’s JavaScript API to connect with Facebook, asking you for permission to access your FB data. In the process of getting that authorization, the gadget exchanges tokens with Facebook, some of which should absolutely be kept safe from prying eyes. And that’s where things went wrong: the gadget had the authentication info in the URL. So if a user of the iGoogle Facebook gadget clicked a link to an external site in the news feed, the request for that page had a referrer that contained all authentication info.
And that’s exactly what happened last week, when I spotted this referrer in my blog stats:
http://facebookiggadget.appspot.com/?exp_rpc_js=1&exp_track_js=1&st=c%3Dig%26e%3DAPu7icpJzJJhOouS8TuGegSqFHHI8XHU1r55OllrNbk0ey/aTpkUFx9jPKB/cwgcEZoGfcBuc43x/CuzuEL2cQinYglFvhFWKtlXg6j/JtKC0%252BWsAu3vo/3ZR/WA64J/Fmw1YuUFgT7q&v=fdb2b406636e1f3cff1c5d7e660f59eb&container=ig&view=home&lang=nl&country=BE&up_session=%7B%22uid%22:%221165373488%22, %22session_key%22:%2291d52d2ed5a130fd941b11f1-1175373488%22, %22secret%22:%22fdee68961b3cdee5b51390a4bdeac7a0%22,%22expires%22:0, %22access_token%22:%2283101558C90fd9KfA9KJQh5uT98TqIjxQpzUi4.%22,
%22sig%22:%22dd635ef67af1f59c1c671215076cce10%22%7D&parent=http://google.be&libs=7ndonz73vUA/lib/liberror_tracker.js,iHKb-4mKuMY/lib/librpc.js,vrFMICQBNJo/lib/libcore.js,a5j4V1JuNVE/lib/libsetprefs.js&is_signedin=1&synd=ig&view=home
You can guess what happened when I opened that URL: the iGoogle Facebook gadget initialized using the embedded credentials, automatically logging me in as the guy that was unlucky enough to have clicked the link to my blog.
But how could this vulnerability have been exploited, you may ask? Well, easy enough: create a page that is viral enough for people to share or like (likespam or even likejacking) and wait for users of the iGoogle Facebook-gadget (there’s over 1 million of them after all) to follow the links, feeding your webserver logfiles with credential-rich referrers.
As Google confirmed, this bug has indeed been fixed. The new version of the gadget, which was deployed late last week, does not leak credentials in the referrer URL any more:
http://facebookiggadget.appspot.com/?lang=en&country=us&.lang=en&.country=us&synd=ig&mid=101&ifpctok=6472409229927695377&exp_rpc_js=1&exp_track_js=1&exp_ids=17259&parent=http://www.google.com&libs=7ndonz73vUA/lib/liberror_tracker.js,iHKb-4mKuMY/lib/librpc.js,vrFMICQBNJo/lib/libcore.js,a5j4V1JuNVE/lib/libsetprefs.js
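The difference between the two URLs above can be checked mechanically. The following is an added example, not code from the gadget or from Google: it audits a URL (such as a Referer value about to be written to a log) for the credential-bearing keys seen in the leaked referrer, including those nested in a JSON parameter like `up_session`, and returns a redacted copy. The hosts, sample values, the `SENSITIVE` list and the function names are assumptions made for the illustration.

```javascript
// Added example (not the gadget's code): flag and redact credential-like
// parameters in a URL, e.g. a Referer value, before it is logged.
// SENSITIVE is an assumed list taken from the key names in the leaked URL.
const SENSITIVE = new Set(['session_key', 'secret', 'access_token', 'sig']);

// Constructed sample URLs; hosts and values are placeholders.
const LEAKY = 'http://gadget.example/?container=ig&up_session=' +
  encodeURIComponent(JSON.stringify({
    uid: '1000', session_key: 'CONSTRUCTED-KEY', secret: 'CONSTRUCTED-SECRET',
    expires: 0, access_token: 'CONSTRUCTED-TOKEN', sig: 'CONSTRUCTED-SIG',
  })) + '&parent=http://portal.example&view=home';
const CLEAN = 'http://gadget.example/?lang=en&country=us&synd=ig&view=home';

// Walk a parsed JSON value, record the path of each sensitive key, blank it.
function scrubJson(value, path, hits) {
  if (value === null || typeof value !== 'object') return value;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (SENSITIVE.has(key)) {
      hits.push(here);
      value[key] = 'REDACTED';
    } else {
      value[key] = scrubJson(value[key], here, hits);
    }
  }
  return value;
}

// Returns { leaked: [parameter paths], redacted: URL safe to store }.
function auditUrl(rawUrl) {
  const url = new URL(rawUrl);
  const hits = [];
  for (const [name, val] of [...url.searchParams]) {
    if (SENSITIVE.has(name)) {
      hits.push(name);
      url.searchParams.set(name, 'REDACTED');
    } else if (val.trim().startsWith('{')) {
      // Parameters such as up_session carry a JSON object; look inside it.
      try {
        const obj = scrubJson(JSON.parse(val), name, hits);
        url.searchParams.set(name, JSON.stringify(obj));
      } catch (e) { /* not valid JSON: leave the parameter untouched */ }
    }
  }
  return { leaked: hits, redacted: url.toString() };
}

console.log(auditUrl(LEAKY));
console.log(auditUrl(CLEAN).leaked);
```
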
So if anyone asks me what my good deed for this year was: I helped protect 1 million people’s Facebook accounts from being hacked.
Sounds swell, no? 😉
Severe vulnerability in iGoogle Facebook-gadget
I by chance discovered a severe security vulnerability in iGoogle’s Facebook-gadget (more than 1 million users!), which allows an attacker to log into another user’s Facebook account, bypassing authentication.
I contacted the author and the Google security team and they confirmed there appears to be a problem which they’ll look into. While they do so, I would strongly advise everyone not to use the iGoogle Facebook gadget. Once the hole is closed, I’ll provide more info on how this could be exploited.