Tinder security flaw granted account access with just a phone number
Security researchers at Appsecure found a way to access anyone’s Tinder account via their phone number. The exploit took advantage of software flaws in both the dating app’s login process and the Facebook API that it’s based on. The issues have since been fixed, but they represent a pretty big security lapse.
“Both the vulnerabilities were fixed by Tinder and Facebook quickly,” wrote Appsecure’s Anand Prakash on Medium. Facebook and Tinder rewarded the company $5000 and $1250, respectively, for its report. This isn’t the first report of Tinder security flaws, either: the company previously failed to encrypt user photos and (back in 2014) exposed users’ exact locations for months.
When you log in to Tinder, you have the option of using your phone number, which is then passed along to Facebook’s Account Kit for authentication to Tinder. The Appsecure folks found that they could get a valid access token with an API request to Facebook’s Account Kit using a phone number. In addition, Tinder’s login system wasn’t checking these access tokens to make sure they matched the associated user’s client ID, which means that any valid access token could let someone log in to your Tinder account.
Via: The Verge
Source: Appsecure
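The missing check described above, as an added example (not code from Appsecure, Tinder or Facebook): a relying service that accepts any token the provider considers valid, next to one that also requires the token to have been issued to its own client ID. The app IDs, tokens, phone number and the `introspect()` stand-in are constructed for illustration and do not reproduce any real API.

```python
from dataclasses import dataclass
from typing import Optional

OUR_APP_ID = "app-dating-001"  # hypothetical client ID of the relying service


@dataclass(frozen=True)
class TokenInfo:
    app_id: str    # client the identity provider issued the token to
    phone: str     # phone number the provider verified for this token
    expired: bool


@dataclass(frozen=True)
class LoginResult:
    account: Optional[str]  # account that was logged in, or None on rejection
    reason: str             # "ok" or a rejection code suitable for audit logs


# Constructed stand-in for the provider's token-introspection response.
PROVIDER_TOKENS = {
    "tok-issued-to-us": TokenInfo(OUR_APP_ID, "+15550100", False),
    "tok-issued-elsewhere": TokenInfo("app-other-777", "+15550100", False),
    "tok-expired": TokenInfo(OUR_APP_ID, "+15550100", True),
}

# Constructed account table of the relying service, keyed by verified phone.
ACCOUNTS = {"+15550100": "account-42"}


def introspect(token: str) -> Optional[TokenInfo]:
    """Return what the provider knows about a token, or None if unknown."""
    return PROVIDER_TOKENS.get(token)


def login_unchecked(token: str) -> Optional[str]:
    """Flawed pattern: any token the provider accepts is enough to log in."""
    info = introspect(token)
    if info is None or info.expired:
        return None
    # No check of info.app_id: a token minted for a different client
    # is treated exactly like one minted for this service.
    return ACCOUNTS.get(info.phone)


def login_bound(token: str) -> LoginResult:
    """Corrected pattern: the token must have been issued to this client."""
    info = introspect(token)
    if info is None:
        return LoginResult(None, "unknown_token")
    if info.expired:
        return LoginResult(None, "expired")
    if info.app_id != OUR_APP_ID:
        # Valid at the provider, but not meant for us: reject and record it.
        return LoginResult(None, "wrong_audience")
    account = ACCOUNTS.get(info.phone)
    if account is None:
        return LoginResult(None, "no_account")
    return LoginResult(account, "ok")


if __name__ == "__main__":
    for tok in ("tok-issued-to-us", "tok-issued-elsewhere", "tok-expired"):
        print(tok, "| unchecked:", login_unchecked(tok),
              "| bound:", login_bound(tok))
```

The `wrong_audience` rejections are worth counting in login telemetry, since a legitimate client should never present a token issued to another app.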
Kids play mechanics for Marvel heroes with the Electro Hero Kit
Not every child wants to be a coder or an engineer, which can make it hard to get them playing with STEM toys if they don’t really care about making their own video games or building a cool robot. However, many kids are into role playing and telling stories, which is what Tech Will Save Us’ newest set focuses on instead. The Electro Hero Kit asks children to build stuff to help out their favorite Marvel characters, while imparting some basic lessons about electricity in the process.
Tech Will Save Us is probably best known for its Dough Universe kits, which ask kids to build all sorts of electricity-powered toys out of conductive dough. Each set comes with an assortment of electrical parts and a few tubs of colorful dough. It’s very similar to Play-Doh, but with a higher salt content — if you run out, Tech Will Save Us even provides recipes on its site for making more. The sets are basically a more tactile, squishier way to teach STEM skills.
The Electro Hero Kit follows the same basic formula, asking kids to mold pieces and connect them with wires. It comes with a similar assortment of wires, LEDs and batteries too, but also a few superhero-themed molds and some custom play mats that correspond to the Hero Kit app. When kids open the app they’ll be assigned small engineering tasks set within the Marvel Universe. Now their play becomes more narrative-based: Instead of just saying “build something cool,” it’s now more along the lines of “help Captain America test his new shield.”
The kit was developed with some assistance from Disney and Marvel Studios, who approached Tech Will Save Us about building STEM products using popular Avengers like Iron Man, Captain America and the Hulk. Each mission outlined in the Hero Kit revolves around something that character is known for, like asking children to mold the individual bits of Iron Man’s arc reactor and then connecting them with LED bulbs to create a ring of light. The Hulk task is probably the most fun: Kids create a wall of bricks and a giant green fist to smash it with, with both parts wired to a speaker. When the Hulk fist makes contact with the bricks it completes the circuit, which activates a variety of smashing and crushing noises, along with some “Hulk smash!” sound bites.
Even if kids complete all the included tasks it doesn’t mean they’re done with the kit: Tech Will Save Us plans to expand the app with more missions, along with additional content on its website. There’s also the possibility of expansions and future kits that incorporate more characters like Black Panther. For now, though, the $35 Electro Hero Kit will hit stores March 5th, just in time for kids to watch their favorite heroes duke it out on the big screen again in May.
Spotify’s hardware ambitions seem like a risky distraction
Look, it’s no secret that Spotify is out to make its own hardware. As of last April, Spotify was already looking for people to help craft “a category defining product akin to Pebble Watch, Amazon Echo and Snap Spectacles.” (In hindsight, Spotify’s HR team probably should’ve left that last thing off the list.) More recently, a new set of job listings for hardware production managers and operations managers suggest Spotify is finally gearing up to build… well, whatever these things are. Consider us skeptical. After all, this is a company with zero hardware and supply chain experience — the odds of striking it big with gadgets don’t seem great.
We can’t be sure about what Spotify is actually trying to build in Stockholm, but its search for employees is in line with what you’d expect from a company trying to make a smart speaker. Last April, Spotify was looking for people with expertise in voice recognition and natural language processing. And more recently Spotify sought out someone with “graduate-level expertise” in natural language understanding to join its team in Boston and “multiple years of industrial experience in building conversational agents via speech or text (e.g., chatbots).” This focus on a spoken interface could apply to future, voice-controlled versions of the Spotify app, but it’s not much of a stretch to think Spotify could be trying to build a Google Home or Sonos rival.
Let’s say for the sake of argument that’s what’s going on. The initial cost of research, development and production will be significant, but it could be worth it. If that effort yields a firm foundation for Spotify to build on, revenue for hardware like smart speakers could help boost Spotify’s bottom line in the long run. I do mean long run: hardware projects are notoriously hard, and ambitious attempts like Apple’s HomePod are proof that even with loads of money and brainpower, first attempts at a new kind of product often feel unfinished. It could be years before the unprofitable Spotify starts to hit its stride in an industry it’s unfamiliar with, and that’s assuming the company has the guts to stick it out that long.
The move into the smart speaker market is also peculiar because, HomePod aside, you can access Spotify’s extensive library of songs and playlists on Amazon’s Echos or Google’s Homes or Sonos’ everythings. Spotify is like the WhatsApp of streaming music services — you can basically use it everywhere. The company’s stated desire to build a “category defining product” could alienate its Spotify Connect partners, but I’m honestly not too worried about that. I am, however, concerned that the head-starts enjoyed by potential competitors mean it’ll never fully catch up.
Given the potential headaches of building a completely new kind of business inside an existing one, I’d honestly rather see Spotify devote that money and resources into making its service even better. Right now, Spotify is arguably the best at figuring out what you might enjoy hearing based on things you’ve chosen to listen to in the past. That nuanced ability to predict your preferences through raw listening data forms the core of my love for Spotify, and I’m not the only one who feels that way. Connecting those musical dots in new ways and forging more lucrative — or at least, less odious — deals with big music labels might be enough to guarantee continued growth for the world’s largest streaming company. I can’t imagine Spotify’s inevitable shareholders turning their noses up at that.
It’s far too early to tell whether Spotify’s hardware plans will be an absolute boondoggle. We (obviously) love gadgets around here, and I honestly hope Spotify proves me wrong — as a subscriber, I have something of a vested interest in the company doing cool, impactful things. Cautious optimism is called for here, so Spotify, show us what you’ve got.
Medium suspends alt-right trolls following major rules change
Medium is taking its own steps in the fight against fake news and, following a major reworking of its rules, has suspended the accounts of a handful of writers. As The Outline reports, the accounts of Mike Cernovich, Jack Posobiec and Laura Loomer now link to a largely blank page that says, “This page is unavailable.”

Earlier this month, Medium revamped its Rules page, saying at the time, “Beyond Medium itself, we recognize that we are also part of the larger internet ecosystem. Just as we rely on outside technology, systems and information to run Medium, we also consider off-platform signals when assessing potential rules violations. We have all seen an increase and evolution of online hate, abuse, harassment and disinformation, along with ever-evolving campaigns of fraud and spam. To continue to be good citizens of the internet, and provide our users with a trusted and safe environment to read, write and share new ideas, we have strengthened our policies around this type of behavior.”
Comparing the current Rules page with one from last November, The Outline points out an entirely new section among the many changes. Under the new “Related Content” heading, Medium says, “We do not allow posts or accounts that engage in on-platform, off-platform or cross-platform campaigns of targeting, harassment, hate speech, violence or disinformation. We may consider off-platform actions in assessing a Medium account, and restrict access or availability to that account.” And that alone could be enough to explain the suspensions of far-right personalities Cernovich, Posobiec and Loomer.
Posobiec had a strong hand in spreading the PizzaGate conspiracy theory as did Cernovich. Cernovich also pushed lies about the First Baptist Church of Sutherland Springs shooter being linked to antifa, Hillary Clinton hiding a serious illness and date rape not existing. Laura Loomer, who was banned from both Lyft and Uber last year following a string of anti-Muslim tweets, sometimes writes for Alex Jones’ conspiracy-focused Infowars and is currently under a temporary Twitter ban due to her tweets about the recent Florida school shooting. According to its rules, Medium can suspend accounts based on the writer’s non-Medium content, and in that regard, these suspensions make sense.
Additionally, Medium expanded its section on hate speech, adding, “We do not allow posts or accounts that glorify, celebrate, downplay, or trivialize violence, suffering, abuse, or deaths of individuals or groups. This includes the use of scientific or pseudoscientific claims to pathologize, dehumanize, or disempower others. We do not allow calls for intolerance, exclusion, or segregation based on protected characteristics, nor do we allow the glorification of groups which do any of the above.” It also now specifically states that it doesn’t allow hateful images and symbols in usernames, profiles or bios.
While these accounts are rather prominent and, therefore, their suspensions easily spotted, there could be more suspensions already dished out as well as more to come. Cernovich now claims he’s suing Medium for violating his civil rights and says the platform is discriminating against him based on his race and gender. We’ve reached out to Medium and we’ll update this post if we hear anything more.
Via: The Outline
T-Mobile Announces $200 Rebate Offer for iPhones and BOGO Deal for Apple Watch Series 3
T-Mobile today announced a new iPhone offer for customers thinking about purchasing one of Apple’s latest smartphones. Following a BOGO deal from January, T-Mobile is now offering customers the chance to get a $200 rebate when purchasing the iPhone X, 8, 8 Plus, 7, or 7 Plus on a 24-month Equipment Installment Plan, received in the form of a prepaid MasterCard card. That’s in addition to the value of an eligible smartphone that users can trade in to T-Mobile.
Note: MacRumors is an affiliate partner with T-Mobile. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running.
The company said that customers can combine this deal with its current free line offer from Valentine’s Day, letting them add a line to any T-Mobile ONE family plan and get another for free. T-Mobile’s new offer will go live this Friday, February 23, and customers who purchase an eligible iPhone should see their rebate card arrive in the mail within eight weeks. Full details on the new deal can be found on T-Mobile’s website, and the carrier is still running its BOGO iPhone sale as well.
Additionally, another deal is launching this Friday at T-Mobile, this one focusing on the Apple Watch Series 3. Anyone who purchases a model of Apple’s latest smartwatch will be able to get another one for 50 percent off (up to $215, according to T-Mobile). The company didn’t release any more details about the Apple Watch sale yet, so it’s unclear which models and collections will be available for the BOGO deal. Once the sale goes live this Friday, we’ll update this post with more information.

Head over to our full Deals Roundup for more on the latest deals happening right now, today including an Amazon sale on certified refurbished 12-inch MacBooks from early 2015.
Netgear’s ‘Arlo Baby’ Smart Cameras Now Offer HomeKit Support
Starting today, all of Netgear’s existing Arlo Baby smart monitoring cameras are compatible with Apple HomeKit following the release of a HomeKit update for the Arlo app.
To connect the Arlo Baby camera to a HomeKit setup, Arlo Baby owners will need to download the update and then toggle on the HomeKit option in the Settings section of the Arlo app.
With HomeKit compatibility, Arlo Baby cameras can be viewed in the Home app on iOS devices right alongside other HomeKit-compatible cameras.
Using the Home app, parents can also view a live stream, access two-way audio controls, view the most recent screenshot recorded by the Arlo Baby, open up the camera live stream via Siri, and access live video remotely with an iPad, Apple TV, or HomePod as a home hub.
Netgear first announced HomeKit compatibility for Arlo Baby at CES in 2018, launching a new line of HomeKit-compatible Arlo Baby cameras. At the time, Netgear also promised to bring HomeKit to existing cameras, a promise that was fulfilled with today’s update.
The Arlo Baby cameras will also continue to work with the Arlo app, which can be used for specific features like accessing footage stored in the cloud, tweaking settings, controlling the light, and more.
If you’re unfamiliar with the Arlo Baby line, it’s a camera that’s designed to be used in an infant’s room. It offers 1080p video recording and seven days of free cloud storage, along with infrared recording at night, ambient air quality sensors, a music player, and a built-in dimmable night light that can be set to one of several colors.
Netgear sells several Arlo Baby accessories to personalize the camera to fit into a child’s room, such as bunny, kitten, and puppy suits. Arlo Baby can be purchased from Amazon.com for $200.
What to look for when buying USB-C cables and adapters

Buying a cable shouldn’t be difficult. It doesn’t have to be if you follow these simple tips.
USB standards have a long history, and they’ve gone through plenty of changes since first implemented in 1996. The premise behind them is providing a way to standardize cables, connectors, communication, and power transfer between electronic devices. Those are some pretty high goals to reach, but the specifications do just that and the rest is up to the manufacturers of all the products that use them.
Some of the first equipment to use USB was the really old, brightly colored iMac G3 (I had a Tangerine Rev. 3 model) and, oddly enough, speakers. Trust me when I say things were not even close to plug-and-play, and really, it stayed that way for a few years until operating systems caught up. But, those speakers and that orange iMac would still be able to communicate with any device made today provided it didn’t do something to break legacy USB support. USB was designed to be the one standard that does it all, and that’s pretty much how it all worked out.
The USB-C specification is one of those USB standards. Released in August 2014, it’s a set of rules for a small 24-pin reversible plug connector to use with existing USB systems. Some of the connections inside are used to tell which way a cable is plugged in; others are used to transfer data or power, and some are used as a dedicated connection to allow both sides to talk to each other. There are also connections and software rules that make sure the right amount of electrical current is being sent to safely charge or power one device from the other using the Power Delivery specifications. Though it was released in tandem with the USB 3.1 specification, USB Type-C rules are only for the physical connections — data speeds are covered by other rules. You can think of USB-C as a set of rules that only exist to make smarter USB plugs, cables, and connectors.
Power Delivery is one of the best features of the USB specification and also the part that makes buying the right cable or adapter important. Technically, Power Delivery 2.0 is a separate standard and applies to USB Type-A, USB Type-C, and Micro-USB but when you’re dealing with normal consumer-grade devices you will only see it through USB-C. That’s great for safety reasons; if you thought finding the right USB-C cable was a mess, try to find a “USB Type-A to Micro-USB PD 5A” cable.
With USB-C and Power Delivery, all connected devices can send power out as well as receive power in. You can charge a phone or set of headphones or anything else that uses the USB-C spec with another phone that uses the USB-C specs (I do it all the time because the Galaxy S8+ has a decently-sized battery). You could also rig up cables that can pull power from several phones and charge the battery in a MacBook if you wanted to. We tried that once, too.
USB-C with Power Delivery (PD) also includes a native way to “fast-charge” one USB-C PD-certified device safely from another using that dedicated connection channel mentioned above. While the previous version of USB power standards allowed for five volts and 2.5 watts (USB 2.0) or 4.5 watts (USB 3.0), the new PD specs allow using up to 20 volts and 100 watts. The tiniest bit of current could potentially cause a fire or harm you under the right circumstances, but 100 watts of power is dangerous even in the best situation. We’re talking amounts of electricity that can cause serious damage if not used the right way.
It’s also an open specification that anyone can use and alter to better suit their needs. This means not everything using USB-C is the same and buying the right cable is a must or you can risk damaging the things you’re plugging in or even starting a fire.
But don’t fret. You don’t need to know all the rules in the USB specs or how it can tell which way it’s plugged in or any of the other geeky details to make the right choice if you follow a few easy tips when you’re buying a cable or connector. These three tips will help you get exactly what you need.
Know what you need

Remember when we said the USB-C spec was an open standard that companies can change to better suit their needs? Phone manufacturers are doing that, and sometimes the cables and chargers they sell and use aren’t compatible with all the rules. Qualcomm’s Quick Charge is really popular, and phone makers can use a USB-C connector that isn’t fully compatible with the USB-C PD standards. Other companies have their own proprietary fast charging methods, and you’ll need a cable that’s compliant with their equipment, too.
Not everyone is using USB-C in a standards compliant way, so be mindful of “quick charge” methods.
If your phone has a USB-C port you can look at the papers it came with or online to see if it uses the port in a way that’s not “standards compliant.” Terms like “Quick Charge” or “Turbo Charge” or any other trademarked fast charging method are a dead giveaway. The list of devices doing this is always changing but we’ve seen phones from every manufacturer that aren’t fully standards compliant. That means you shouldn’t use the charger, cable, or any adapter that came with them for any other piece of equipment without making sure they are compatible.
A third-party high-quality cable that follows the USB-C PD specifications can be safely used with phones that use other quick charging methods, but don’t go the other way and use cables designed for Qualcomm Quick Charge or any other fast charging method without checking to see if they are standards compliant.
The best thing to do is use the cable, charger and any adapters that came with your phone and order direct from the manufacturer if you need a spare or replacement. We know that’s not feasible for most of us so make sure you check before you plug anything in.
Buy a reputable brand

We’ve all seen ultra-cheap USB cables online or at the drug store and were tempted to buy them. While still not the best idea in the world, most of the time that was fine with the older USB Type-B micro standard used on most phones and other gadgets. Low voltage and low current were sent on the same pins every time, and the cable only connected in one direction. That’s changed, even for the older Micro-USB “standards” because of the need for faster charging.
Don’t buy a USB-C cable just because it’s cheap.
When you’re buying a USB-C cable or a connector, be leery of companies you’ve never heard of and stick with names that are generally trusted. This is the best way to make sure the cable is using the appropriate size wires inside, the connector is properly constructed and the right resistance is being used. All three of these things are important when you’re sending more current over tiny wires, and cheaply-made cables that aren’t using the right components can be dangerous.
Don’t blindly buy a cable because it’s a “name-brand” though, as we’ve seen some that aren’t built correctly. That’s where the next tip comes in …
Make use of reviews or forum posts
There are still a lot of cables that have a USB-C plug on one end and a “regular” USB plug on the other that are non-compliant in a dangerous way.
Besides using the appropriately sized wire and properly shielding the cable and connector ends, a “regular” USB to USB-C cable requires a 56k Ohm resistor to act as what’s called a “pullup” on the VBUS (pins 2 and 17 if you’re curious) power channel. This is one of the things you need so a USB-C device can let a power source know how much current to send and when to stop sending it. Using a cable with the wrong size wire will damage the wire. Using a cable with the wrong size resistor can damage the things plugged into each end or start a fire. If one of those things plugged in is your phone you certainly don’t want it to be damaged and nobody likes a house fire.
You can test the resistance of a cable yourself, or you can see what someone who already did has to say.
This isn’t just a problem with bargain-bin cables, either. Some very high-profile companies have had (or still have) issues with their cables. If you’re the type who has fun doing things like testing continuity and resistance of USB cables, that’s awesome and you should test everything you buy, then share your results. If you’re not, you can do a quick Google search of the brand or part number and see what those people have to say.
I’ll do my part here since I do like to do things like test cables. These Anker brand 6-foot cables are advertised as being compliant, and I’ve cut one open to make sure. They will work to fast charge every device that uses the USB-C PD standards, as well as work with Qualcomm’s Quick Charge 3 and Motorola’s Turbo Charge. I am unable to test them with Dash Charge but see no reason why they wouldn’t work as advertised. The best part is that they’re inexpensive and you can buy a handful of them right now and not have to worry about cables until you change phones.
USB-C isn’t dangerous. It’s capable of safely delivering relatively high current as long as the proper equipment is used, and offers a lot of benefits because of the way it can communicate with other compliant devices. What started out by powering small speakers in the late twentieth century is now robust enough to talk with the instruments used to make the music that comes through them or even the bus the band drives to concerts. What’s important is that you’re using the proper cables and adapters, though.
Just follow these tips, and you’ll be fine.
Updated February 2018: Updated with new information and new tips on buying USB-C cables and adapters for the latest devices.
This AmazonBasics 50-mile indoor HDTV antenna is only $21
Stop paying so much for TV.
This AmazonBasics 50-mile indoor HDTV antenna is down to $21.39, its lowest price ever. It regularly sells for $28 and has only dropped from that price once before, but even that previous drop didn’t go as low as this one.

The 50-mile range is helpful particularly for people who don’t live in urban centers. You want to make sure your antenna can reach the signals coming from the nearest broadcast tower. This antenna lets you pick up channels like ABC, NBC, PBS, Fox, and more. It has black and white sides, and it can be painted over if you would like it to be a different color. The coaxial cable is 16 feet long. It comes with a one-year warranty.
Use this map of DTV signals from the FCC to make sure this antenna works for you.
Pair this antenna with the $79 HDHomeRun Connect Duo and not only can you keep up cable TV without a subscription, you can then transmit it to your mobile devices like your phone or tablet.
If you want an HDTV antenna for your RV or to use outdoors, you can grab this one with a 50-mile range that’s down to $4.99 with code WLFU9XNJ. It has 4.3 stars based on 41 user reviews.
Android Enterprise Recommended highlights the best phones for businesses
Recommendations include the Pixel 2, BlackBerry Motion, and others.
As a regular consumer, deciding which Android phone is best for you can often be a real struggle. When you’re in charge of a company and trying to find the best phone for your employees and co-workers, this struggle is exacerbated even more. To help alleviate some of the headaches that can come with this, Google is launching the Android Enterprise Recommended program.

Android Enterprise Recommended will highlight phones that Google deems to be the best fit for businesses/enterprises, and devices that are part of the program must be running Android 7.0 Nougat or later, offer zero-touch enrollment with bulk deployment to employees, run the latest Android security patches within 90 days of their release, and more.

These guidelines will be updated alongside the release of each new Android version, and for OEMs that have handsets within the program, they’ll receive “an enhanced level of technical support and training from Google.”
Android Enterprise Recommended is launching with 22 phones that meet its requirements, including:
- Google Pixel, Pixel XL, Pixel 2, and Pixel 2 XL
- BlackBerry KEYone and Motion
- LG V30 and G6
- Moto X4 and Z2 Force Edition
- Huawei Mate 10, Mate 10 Pro, P10, P10 Plus, P10 Lite, and P Smart
- Nokia 8
- Sony Xperia XA2, XA2 Ultra, XZ1, XZ1 Compact, XZ Premium
More devices will be added to this list over the next few weeks and months, and Google says the framework for Android Enterprise Recommended will be expanded to other areas in 2018, including rugged and “dedicated” devices, mobile carriers, enterprise mobility management providers, and systems integrators.
Improve your videos with better audio using the $40 Blue Snowball USB microphone
Talk about savings!
We haven’t shared a deal on the Blue Snowball condenser mic dropping to $40 since December. This is a regular price drop we’ve seen before, but it is $10 off the street price and a match for its lowest ever. Only the Black version of the mic is on sale, as White is still at $49.

If you need a mic for podcasts, streaming, or making any sort of online videos the Snowball is a great option on a budget. It uses easy plug-and-play features that let you connect to your Mac or PC with no drivers to install. It also ships with the stand so you don’t have to buy that separately. Users give it 4.4 stars based on more than 2,900 reviews.



