[Laxman] is back again with another hack related to Facebook photos. This hack revolves around the Facebook mobile application’s “sync photos” function. This feature automatically uploads every photo taken on your mobile device to your Facebook account. These photos are automatically marked as private so that only the user can see them. The user would have to manually update the privacy settings on each photo later in order to make them available to friends or the public.
[Laxman] wanted to put these privacy restrictions to the test, so he started poking around the Facebook mobile application. He found that the Facebook app would make an HTTP GET request to a specific URL in order to retrieve the synced photos. This request was performed using a top-level access token. The Facebook server checked this token before sending down the private images. It sounds secure, but [Laxman] found a fatal flaw.
The Facebook server only checked the owner of the token. It did not bother to check which Facebook application was making the request. As long as the app had the “user_photos” permission, it was able to pull down the private photos. This permission is required by many applications as it allows the apps to access the user’s public photos. This vulnerability could have allowed an attacker access to the victim’s private photos by building a malicious application and then tricking victims into installing the app.
At least, that could have been the case if Facebook wasn’t so good about fixing their vulnerabilities. [Laxman] disclosed his finding to Facebook. They had patched the vulnerability less than an hour after acknowledging the disclosure. They also found this vulnerability severe enough to warrant a $10,000 bounty payout to [Laxman]. This is in addition to the $12,500 [Laxman] received last month for a different Facebook photo-related vulnerability.
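The check described above can be modeled in a few lines. This is an added example, not Facebook's code and not taken from [Laxman]'s write-up; the app ids, user names, photo records and function names are all constructed, and the "fixed" variant is only one way to close the gap, since the post does not say how Facebook patched it.

```python
from dataclasses import dataclass

# Constructed model: app ids, user ids and photo records are hypothetical.
SYNC_APP_ID = "first-party-mobile-app"

@dataclass(frozen=True)
class AccessToken:
    user_id: str        # the account the token was issued for
    app_id: str         # the application the token was issued to
    scopes: frozenset   # permissions the user granted to that application

PHOTOS = [
    {"id": 1, "owner": "alice", "audience": "public"},
    {"id": 2, "owner": "alice", "audience": "synced_private"},
    {"id": 3, "owner": "bob", "audience": "synced_private"},
]

def _synced(owner):
    return [p["id"] for p in PHOTOS
            if p["owner"] == owner and p["audience"] == "synced_private"]

def synced_photos_flawed(token, owner):
    """Check as described in the post: token owner and scope only."""
    if token.user_id != owner or "user_photos" not in token.scopes:
        raise PermissionError("token not valid for this user")
    return _synced(owner)

def synced_photos_fixed(token, owner):
    """Same check, plus binding the endpoint to the app the token was issued to."""
    if token.user_id != owner or "user_photos" not in token.scopes:
        raise PermissionError("token not valid for this user")
    if token.app_id != SYNC_APP_ID:
        raise PermissionError("endpoint is restricted to the sync client")
    return _synced(owner)

def is_denied(check, token, owner):
    """True if the given check refuses the request."""
    try:
        check(token, owner)
    except PermissionError:
        return True
    return False

# Two tokens for the same user with the same scope, issued to different apps.
FIRST_PARTY = AccessToken("alice", SYNC_APP_ID, frozenset({"user_photos"}))
THIRD_PARTY = AccessToken("alice", "some-quiz-app", frozenset({"user_photos"}))
```
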
The travel meta-search website Kayak apparently used to have a public API which is no longer available. We can’t say we mourn the loss of the interface we’d never known about. If you are someone who was automating their searches for that perfect vacation getaway deal, there’s still hope. But either way you’ll like this one. [Shubhro Saha] figured out how to access the API used by the Kayak mobile app. We like that he details how to sniff the traffic between an app and the internet and make sense of what is found.
His tool of choice is the Python package Mitmproxy. We haven’t heard of it but we have heard of Wireshark and [Shubhro] makes the case that Mitmproxy is superior for this application. As the name suggests, you set it up on your computer and use that box’s IP as the proxy connection for your phone. After using the app for a bit, there is enough data to start deconstructing what’s going on between the app and the remote server with which it communicates. We could have a lot of fun with this, like seeing what info those free apps are sending home, or looking for security flaws in your own creations.
[Thanks Juan via Twitter]
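For auditing what your own app sends home, a small Mitmproxy script can tally the hosts it contacts. This is an added example, not code from [Shubhro]'s write-up; it uses Mitmproxy's `request` and `done` event hooks, is loaded with `mitmdump -s` followed by the script path, and the host names and `fake_flow` helper are constructed so that it also runs without a proxy.

```python
from collections import defaultdict
from types import SimpleNamespace

# host -> request count, cleartext request count, query parameter names seen
SEEN = defaultdict(lambda: {"requests": 0, "cleartext": 0, "params": set()})

def request(flow):
    """Mitmproxy event hook: called once for every request the phone makes."""
    req = flow.request
    entry = SEEN[req.pretty_host]
    entry["requests"] += 1
    if req.scheme == "http":                   # sent without TLS
        entry["cleartext"] += 1
    entry["params"].update(req.query.keys())   # names only, values are not kept

def report():
    """Rows of (host, requests, cleartext requests, parameter names), busiest first."""
    rows = [(host, e["requests"], e["cleartext"], sorted(e["params"]))
            for host, e in SEEN.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

def done():
    """Mitmproxy event hook: called at shutdown; print the summary."""
    for row in report():
        print(row)

def fake_flow(scheme, host, query):
    """Constructed stand-in exposing only the flow attributes used above."""
    return SimpleNamespace(request=SimpleNamespace(
        scheme=scheme, pretty_host=host, query=query))

def demo():
    """Feed three constructed requests through the hook and return the report."""
    SEEN.clear()
    for flow in (
        fake_flow("https", "api.example.test", {"q": "x", "device_id": "abc"}),
        fake_flow("https", "api.example.test", {"page": "2"}),
        fake_flow("http", "ads.example.test", {"device_id": "abc", "lat": "1", "lon": "2"}),
    ):
        request(flow)
    return report()
```
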
A few years ago, [Michele] built a mobile device with a touch screen, a relatively powerful processor, and a whole bunch of sensors. To be honest, the question of why he built this was never asked because it’s an impressive display of electronic design and fabrication. [Michele] calls it the iGruppio. Although it’s not a feature-packed cell phone, it’s still an impressive project that stands on its own merits.
Inside the iGruppio is a PIC32MX microcontroller, a 240×320 TFT touchscreen, and enough sensors to implement a 10 DOF IMU. The software written for the iGruppio is heavily inspired by the iPhone and is completely homebrew: all of it was written by [Michele] himself. While the first version of the iGruppio was a little clunky, the second revision (seen in the pic above) uses an old iPhone case to turn a bunch of boards and plugs into a surprisingly compact device.
No, there’s no cellular modem inside the latest version, but [Michele] has put all the sources up on Github, and anyone wanting to build a homebrew cell phone could do worse than to take a look at his work. Video demo below.
For a newborn, everything is magical; a lack of object permanence means everything is new, wonderful, and novel. What then, could be better than a projected star field circling an infant’s room, gently sending them to sleep?
[Pete] was inspired by this earlier starlight projector that projects a rotating star field onto the walls and ceiling of a nursery. Instead of a rather loud servo, [Pete] used a quiet 12 Volt gear motor that spins the star field at 5 RPM. Like the previous build, an LED was used but [Pete] found a color-changing RGB LED that automatically shifts colors.
The shaft of [Pete]’s gear motor is tiny, and unlike the servo, there’s constant rotation. This meant a slip ring was needed to pass electricity into the spinning sphere. A piece of copper foil and a pair of improvised brushes served just fine. While [Pete]’s project, like its predecessor, doesn’t seem to have any recognized constellations drilled into the sphere, the foil slip ring opens up the possibility for a small microcontroller being fitted inside the globe with blinking lights.
Check out the video of [Pete]’s build in action after the break.
If you’re a frequent traveler, or if you don’t have a garage or basement and find your kitchen table is doomed to serve most of its life as an electronics bench, this hack is for you. [Robovergne] came up with a mobile electronics lab (translated) in order to help preserve the Wife Acceptance Factor for his hobby.
The project comes in two parts. On the right you see the pair of component storage cabinets. These are high-quality examples that fully enclose each drawer (cheaper cabinets are open at the back). This way, [Robovergne] was able to connect two of them together with a piano hinge, and add some carrying handles to the top.
The second half of the project is the bench itself. It features a lab supply, soldering iron transformer and holder, and some breadboards for good measure. The base of the unit houses a drawer which carries the bulk of his tools. Now he can pack up and clear out the living room in one single trip.
[Adam Outler] has been pretty heavy into mobile device hacking lately. The biggest problem with that field is recovering from bad flashes or development firmware glitches. In many cases you can use a JTAG programmer to reflash stock firmware to resurrect a handset. Unfortunately you’ll be hard pressed to find a phone that comes with a JTAG header, and soldering to the microelectronic boards is not for the faint of heart.
But a solution is here: [Adam] pulled together a wide set of resources to create a package to unbrick Samsung phones. Now we’re sure that there’s more than a handful of people who would argue that a bad firmware flash that can be fixed this way means that the phone wasn’t actually “bricked” in the first place. But what we see is one more barrier torn down between being a hardware user and becoming a hardware hacker. You’re much more likely to get in there and get your hands dirty if you know that you’ll be able to undo your mistakes and reclaim your precious pocket hardware. See just how easy it is in the video after the break.
Today we received two very interesting hacks utilizing old cellphones within a matter of minutes of each other – Of course, this means war!
In the left corner we have the Mobile Mobile, a 50 cell phone collection dangling high above our heads by [James]. Loyal readers will remember his last match, a physical realization of the Spinning Wheel of Death. But today, Mobile Mobile tries to keep his title with the use of Twitter and live video.
In the right corner we have competition and newcomer [Timo] and his Cellphone Symphony. With a combined total of 150 cell phones including SIM cards, he is going to be one tough cookie. It’s all down to this, folks.
Both utilize MIDI to try and lift spirits this holiday season by playing music and sounds. Servers and custom software are of course both necessities… but who will be the winner? Check out after the break!