Bug in Magento puts millions of e-commerce sites at risk of takeover

Exploits are as easy as embedding malicious JavaScript in registration forms.

Millions of online merchants are at risk of hijacking attacks made possible by a just-patched vulnerability in the Magento e-commerce platform.

The stored cross-site scripting (XSS) bug is present in virtually all versions of Magento Community Edition and Enterprise Edition prior to 1.9.2.3 and 1.14.2.3, respectively, according to researchers from Sucuri, the website security firm that discovered and privately reported the vulnerability. It allows attackers to embed malicious JavaScript code inside customer registration forms. Magento executes the scripts in the context of the administrator account, making it possible to completely take over the server running the e-commerce platform.

"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend," a Sucuri advisory explained. "Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk. As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."

How Amazon customer service was the weak link that spilled my data

Even when doing everything right, an Amazon account is all it takes to get breached.

An employee loads a truck at an Amazon.com Inc. distribution center in Phoenix, Arizona in 2012. Photographer: David Paul Morris/Bloomberg via Getty Images (credit: Getty Images)

Eric Springer is an Australian developer who worked at Amazon as a software developer engineer. He left a few years ago to work on several Bitcoin projects, one of which he sold.

As a security conscious user who follows the best practices—using unique passwords, two-factor authentication, only using a secure computer, and being able to spot phishing attacks from a mile away—I thought my accounts and details would be pretty safe. I was wrong.

That's because when someone went after me, all those precautions were for nothing. That’s because most systems come with a backdoor called customer support. In this post I’m going to focus on the most grievous offender: Amazon.com. Amazon.com was one of the few companies I trusted with my personal information. I shop there, I am a heavy AWS user (racking up well over $600/month), and I used to work there as a software developer.

Microsoft’s clever curved keyboard for iOS looks very smart

A good keyboard will get even better… if you have an iPhone.

One of the enduring high points of Windows Phone and Windows 10 Mobile is the Word Flow software keyboard. It looks good and works well, with a generally sensible autocorrect algorithm and a good implementation of swipe-style typing. Earlier this month it was learned that Microsoft was planning to produce a version of this keyboard for iOS and Android, after e-mailed invitations were sent to some Windows Insiders.

Through The Verge we now have a good idea of what that keyboard will look like, and immediately we can see that it has a rather compelling feature not found in the Windows version of the keyboard: a curved one-handed mode that arcs the keyboard around either of the phone's lower corners. This neatly tackles a problem that a few of us here at Ars were pondering at lunch: how do you make a swipe keyboard work when the phone screen is so enormous that you cannot possibly reach both sides with your thumb. You'd have to hold the phone in one hand and then use your index finger, or something equally inconvenient.

The solution Microsoft has implemented in Windows 10 Mobile is to allow the keyboard to be scrunched down and pushed closer to one side of the screen or the other. The solution seen in the pictures of the iOS keyboard looks altogether neater: not only does it draw the very furthest keys in, so that they are within reach of the thumb, it also pushes the keys closest to the corner further out, away from the corner, so that you do not need to contort to reach those either.

MeegoPad unveils 3 new Cherry Trail mini PCs

MeegoPad was one of the first companies to offer a PC Stick capable of running Windows software (even if it shipped with an unlicensed copy of Windows). Now there’s no shortage of tiny, affordable Windows 10 PCs… but MeegoPad seems to think there’s room for a few more. The company is launching three new tiny computers […]

MeegoPad unveils 3 new Cherry Trail mini PCs is a post from: Liliputing

Survey: Oculus Rift getting the most support from VR game developers

But most devs still aren’t working on any virtual reality games.

It's hard to make someone wearing VR goggles look cool, but this person pulls it off. (credit: Kyle Orland)

As new, high-end virtual reality headsets from the likes of Oculus, Valve/HTC, and Sony prepare to hit the market in the coming months, potential buyers may rightly wonder which VR solution is most likely to get a critical mass of support from the game development community. A new survey released ahead of March's Game Developers Conference suggests that, so far, the Oculus Rift is drawing outsized interest from those developers.

GDC's 2016 State of the Industry Report surveyed 2,000 professional developers who attended the popular annual trade show during the past three years, asking about their current work and interest in various virtual reality and augmented reality technologies (among other things). The Oculus Rift was by far the most popular VR headset among the surveyed developers, with 19 percent of respondents saying they were currently working on a game for the device. A number of Rift competitors were well behind in a statistical dead heat for second place among active VR developers: Samsung's GearVR at 8 percent of respondents, Google Cardboard at 7 percent, and HTC Vive and PlayStation VR at 6 percent each.

The Rift's lead extends to respondents' thoughts about the platform for their next VR game project; 20 percent say it will be on the Rift, compared to 9 percent for PlayStation VR and 8 percent for the HTC Vive.

Amazon reportedly seeks a bigger hand in Android phone software

Amazon is reportedly in talks with OEMs to “gain a bigger backdoor to Google’s Android.”

The failed Amazon Fire phone. (credit: Amazon)

After flopping with the Fire Phone, it seems Amazon is looking to dip its toe back into the mobile pool. According to a report from The Information, Amazon is hoping to partner with smartphone OEMs to deeply integrate its services into handsets. The report claims that Amazon "has discussed working with phone brands at a 'factory level' to integrate its services with devices in a deeper way than simply preloading apps."

"In essence, the retailer would like its partners’ phones to resemble Amazon’s line of Kindle Fire tablets that it builds on its own," the report states. The phones would be full of Amazon services and encourage people to become a member of Amazon Prime.

Amazon already dove into the phone market once with the Amazon Fire Phone, which the company released in July 2014 for $199 with a two-year contract, or $650 unlocked. Six weeks later, Amazon slashed about $200 off of both options, and the price kept falling. The Fire Phone cratered at $130 for the unlocked version in August 2015, and it was pulled from the market shortly after. The Fire Phone flop resulted in a bunch of people getting fired from Amazon's hardware development center, and the company took a $170 million write-down on the experiment in its 2014 Q3 financial report. The company's new plan sounds a lot like the Fire Phone, but Amazon would be letting someone else handle the hardware this time.

Report: Amazon apps, services could be bundled with future smartphones

Amazon’s first attempt to design and sell a smartphone didn’t go very well. But according to a report from The Information’s Amir Efrati, Amazon isn’t giving up on the smartphone space. Instead, the company is reportedly in talks with smartphone makers that might bundle Amazon features with their phones. If the company manages to work […]

Report: Amazon apps, services could be bundled with future smartphones is a post from: Liliputing

Air Force 2014 “bent spear” nuke mishap overlooked in nuclear force review

Minuteman III had $1.8 million in damage, but at least it didn’t blow up.

Don't drop a wrench, man: airmen perform maintenance on a Minuteman III missile. (credit: US Air Force)

You'll be relieved to know that the public was never put in danger by a nuclear weapons incident that caused $1.8 million in damages to a Minuteman III missile in Colorado. But the accident, which happened in May of 2014, initially went unreported by the US Air Force even as a team of experts reviewed the service's nuclear forces in the wake of a testing scandal and security failures.

The Associated Press received what it called "the first substantive description of the accident" last Friday following more than a year of requests to the Air Force.

Details of the incident have been kept secret by the Air Force because of their sensitive nature, but we now know the situation rendered an intercontinental ballistic missile inoperable. Three airmen were trying to troubleshoot the missile after it failed a diagnostic test and had become "non-operational." Ultimately, the accident would likely have been categorized as a "Bent Spear" event, the code used by the military for damaged weapons (as opposed to "Broken Arrow," the code for an accidental nuclear detonation or other weapons incident in peacetime).

The caste system has left its mark on Indians’ genomes

A group of researchers has identified exactly when Indians stopped intermarrying.

Lord Parshuram with Brahmin settlers commanding Lord Varuna to make the seas recede and allow Brahmins to make their homes in Kerala. (credit: Drshenoy)

Over 1,500 years ago, the Gupta emperors ruled large parts of India. They helped consolidate the nation, but they also popularized India's caste system, making it socially unacceptable for people to marry outside their castes. Now, a new analysis of genetic variation among contemporary Indians has revealed that this social shift left a distinctive genetic signature behind.

A group of researchers in India conducted this analysis by comparing the genomes of hundreds of Indians from throughout the country. As they write in a paper published today in Proceedings of the National Academy of Sciences, samples came from "367 unrelated individuals drawn from 18 mainland and two island (Andaman and Nicobar Islands) populations selected to represent geographic, linguistic, and ethnic diversities." Previous studies had suggested that today's Indians came from two ancestral populations, but the new analysis revealed four distinct "haplotypes," or bundles of genetic elements that travel through generations as a package. People with the same haplotypes likely came from the same ancestral groups. The researchers also found a fifth haplotype among people of the Andaman archipelago.

Careful examination of the variations between these haplotypes, compared with haplotypes of other people throughout the world, revealed that India's ancient populations probably came first from Africa. Later waves of settlement came from people who shared genetic similarities with populations in South Central Asia and East Asia. These groups remained genetically distinct, and the linguistic history of India suggests they spoke languages with dramatically different origins. Nevertheless, it appears there was a good deal of intermarriage, which shows up in genomes of people who possess genetic sequences typical of two or more haplotypes.

“My Little Pony” Sued For Using a Pirated Font

Typeface company Font Brothers has filed a lawsuit against Hasbro claiming that My Little Pony uses one of its fonts without permission. According to the complaint, Hasbro refuses to pay the required license fees while it continues to use the font in its My Little Pony merchandise and products.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Piracy comes in all shapes and sizes, and even large multinationals can sometimes cross the line.

According to Font Brothers, American toy multinational Hasbro did so when it started to use the “Generation B” font for its My Little Pony products, without permission.

The Generation B font was created by Harold Lohner and is commercially exploited by Font Brothers.

One of the best-known uses of the font is for the popular My Little Pony toys and videos. However, according to a complaint filed at a New York federal court, Hasbro failed to obtain a proper license, so My Little Pony is using a pirated font.

“Defendant Hasbro has used or instructed others to use unauthorized copies of the Generation B Font in the creation of, but not limited to, all products, goods, merchandise, television and film properties, and advertising materials connected with the ‘My Little Pony’ product line..,” the complaint reads.

“Defendant Hasbro has created unauthorized and infringing copies of the Generation B Font Software and impermissibly distributed the same to third parties,” it adds (pdf).

Font Brothers claim that the font is being used across a wide variety of products, and the company lists various examples.

While small differences between typefaces can make it tricky to prove that an unauthorized font is in use, in this case the font is also used on Hasbro’s website. The site's stylesheet explicitly references Generation B, and a copy of the font is stored on and served from Hasbro’s servers.

My Little Pony website using the Generation B font

In the complaint, Font Brothers write that they contacted Hasbro about the infringing use, but the toy maker refused to license the font for My Little Pony products and merchandise.

“Defendant has refused to comply with Plaintiff’s reasonable request for appropriate software licensing fees given the services already rendered by Plaintiff’s GENERATION B type font software, despite several demands for such action.”

As a result, Minnesota-based Font Brothers are claiming substantial damages and requesting a jury trial to resolve the matter.

“Font Brothers has lost, and will continue to lose, substantial revenue from Defendant’s wrongful use, copying, distribution, and creation of unauthorized infringing works based upon the GENERATION B font software.”

Considering the scope of the alleged infringements, which affect pretty much the entire My Little Pony line, the potential damages run into the millions. In addition, Font Brothers demand the destruction of all products and material which utilize the infringing font.