Google's rap sheet when it comes to goofy exploits gives us pause to wonder if the company might be spending too much time concentrating on cloud computing and not enough on security fundamentals. Back in July of last year, a SecuriTeam blog exposed a Google Calendar flaw which made it possible to expose any Gmail user's real name with minimal effort. More recently, an exploit in Gmail allowing hackers to redirect your email was discovered. Now someone has stumbled onto an interesting vulnerability in Google's Chrome browser.
When you visit a site with an HTTP password-protected directory -- or try logging into your router, such as 192.168.1.1 for Linksys owners -- an Authentication Required pop-up appears asking for your login credentials. Your password should look something like ••••••••, but according to NeoBlog user tekmosis, if you let Chrome save your credentials to auto-fill the form, the next time you log in, copying and pasting the hidden password into a plain text application will reveal the actual ASCII characters.
We put tekmosis' discovered exploit to the test and as it turns out, you don't even need to have Chrome save anything. We tried logging into our router, typed our password, and it was immediately revealed when we copied/pasted it into Notepad.
While it might take a little work on the part of a hacker to take advantage of this vulnerability, it's one that should never have existed in the first place. You could make an argument that all exploits should never have existed, but this one just seems like a particularly glaring oversight.
The next version of Microsoft's Internet Explorer takes one step closer to completion as the Redmond software giant released a near final Release Candidate (RC) of IE8 today. Microsoft will have more details regarding Internet Explorer 8 RC1 as the day goes on, CNet reports, but you can already download it from Microsoft's download center here.
Internet Explorer 8 RC1 should offer more than just a glimpse of what the final product will look like.
"The ecosystem should expect the final candidate to behave like the release candidate," IE General Manager Dean Hachamovitch said during an interview.
What Hachamovitch didn't say is when exactly the final version will be released.
You can already get hitched online, so why not webcast your funeral when you're dead and gone? More and more funeral homes have started offering such a service, making it possible for out-of-towners unable to make the trip to still attend a loved one's funeral, while simultaneously checking the latest sports scores in another tab (just the way Firefox envisioned it).
One such funeral home offering live (dead?) webcasts is Schoedinger Funeral and Cremation Service. The company first started streaming funeral services to families with relatives serving in the military, and now anyone can sign up at any of the company's 11 locations. To prevent just anyone from watching the service, viewers must enter a password 15 minutes before it starts.
The Schoedinger funeral home says its webcasts have been popular and expects other funeral homes to follow suit. The practice has also attracted the attention of webcasting companies, who offer packages to funeral homes consisting of tripods, cameras with microphones, cables, and other webcasting necessities.
Hawaii residents can now visit their physician without ever leaving their home. It's not that house calls are making a comeback, but the 50th state becomes the first one to offer online physician visits. Available 24/7, ailing patients and hypochondriacs alike can spend one-on-one time with a doctor over IE7 or Firefox 2 and above, and even load up a webcam to show exactly what that nasty infection looks like.
Hawaiians insured through HMSA (Hawaii Medical Service Association, the state's largest insurer) are charged a flat $10 fee for a 10 minute online visit, while non-members pay $45. In return, doctors are instructed to apply the same standards of care and to address only issues that can adequately be handled over the phone or web. Prescriptions can also be written, if there's a definitive diagnosis during the 10-minute visit. But while this new practice will cut down the number of people cluttering emergency rooms, proponents warn that it's not a replacement for real emergencies.
"I don't think this situation can completely replace one-on-one doctor's visits," said Michelle Shimizu, a family practice doctor who has been helping test the system. "It's an adjunct to that."
For the most part, doctors receive $25 for each session, an amount which "has been received tremendously," according to HMSA marketing VP Michael Stollar.
Would you feel comfortable visiting your doctor online? Hit the jump and post your thoughts.
Here at Maximum PC, our goal is to bring you – our tear-jerkingly loyal readers – the world’s finest technology-based news. As you can imagine, this takes a tremendous amount of concentration and, well, you’ve seen the headline. After all, it’s kind of difficult to concentrate on news stories and other such frippery when – one screen away -- a Tank’s attempting to knock our head’s round peg into our torso’s square hole. Convergence, ain’t it grand?
Along with placing a “Web” tab on Steam’s in-game overlay screen, today’s update gives Steam’s five strings a tightening – the results of which you can see here:
Updated game overlay web browser to support generic web browsing, including web sites that use flash
Fixed games list scrolling behavior with pageup/pagedown and mouse wheel
Fixed GTA4 backups not restoring correctly
Fixed several cases where matchmaking would not work in Left 4 Dead in using Cafe accounts
Changed Friends to be enabled for Cafe accounts
Removed 'view invites' dialog on startup, now clicking on a group/user invite toast will take you directly to the Community control page
Fixed guest passes not showing immediately in games list
Fixed case where a user would be told a guest pass had expired after they had bought the full game
Improved Steam Windows Service restart logic in several places
It took nearly the whole of last year for Opera Software to develop version 9.7 of its Device SDK. Now that the SDK is ready, Opera has decided to flaunt it blithely at CES. Among the major additions to the SDK is Opera Link, which “continuously synchronizes your bookmarks and Speed Dial between any computers, mobile phones and now devices.”
The 9.7 SDK also brings along a much smoother hardware-accelerated version of Opera Zoom. The SDK is available to all device manufacturers interested in offering an enhanced internet experience on their devices.
Before you drop in on the American Express website to see how much damage you did to your credit line with holiday shopping, you should know it's vulnerable to an XSS (cross-site scripting) exploit. As The Register reports, this news comes after a bungled attempt to fix the problem. As El Reg puts it,
The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com user's authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.
So far, only proof-of-concept exploits have been written to show how easy it would be to pilfer login credentials, but until AmEx really eradicates this problem, keep a careful eye on your website transactions. For a list of precautions you can take to stop XSS exploits, see our 2007 article.
Have you been victimized by an XSS error? Join us after the jump and sound off.
It's never easy telling that special someone who has been by your side for so long that you feel as though you're growing apart, and it gets even harder to break the news if you've already found someone new. Unless you're Google, in which case you dump Firefox as the default browser in your Google Pack and replace it with Chrome, but make sure to let Firefox know you can still be friends.
Google's new browser matured out of the beta phase last week after just three months on the scene, and apparently Google feels it's now ready for prime time. The Google Pack, which consists of a collection of Google-made and third-party applications, listed Firefox as the default browser up until Chrome dropped its beta moniker. Firefox still remains on the list, but is no longer selected by default as part of the download.
It's not surprising that Google would choose to include its own browser ahead of Firefox, but it could hint at things to come. Last year, 88 percent of Mozilla's revenues came courtesy of Google, who paid $60 million to be listed as the default search engine in the open-source browser. That relationship will last at least until 2011, as the two signed a three-year extension back in August.
The good just got better with the release of the Opera 10 alpha made available earlier today to showcase the new Presto 2.2 rendering engine. The company claims the new rendering engine is up to 30 percent faster than Presto 2.1, which provides the foundation for Opera 9.5, while also touting full web standards compliance.
"Opera has fine-tuned its standards support and, as a result, Opera 10 alpha achieves an Acid3 100/100 Test score," Opera Software wrote in a press release. "This version also provides Web developers with a whole range of new technologies for building better Web sites."
By comparison, Firefox 3.0.4 scores 71/100 on the Acid3 Test, with Firefox 3.1 beta1 and Google Chrome 0.4 scoring 89/100 and 79/100 respectively, according to Cnet.
Several updates are also included in the new Opera browser, including support for the latest HTML and CSS standards, opacity modifications through RGB and HSLA for setting the opacity of any web page element, inline spell-checking, an auto-update feature, and other goodies.