Friday, April 19, 2013

Twitter Goes To Good Morning America To Confirm Twitter #Music, Aiming Straight For The Mainstream

The link to the full story is here



Word of a standalone music service out of Twitter has been floating around for a week or so, but today the company took to the Good Morning America show to officially announce the service, comprised of both a web platform and an iOS app.
Twitter Music, as it were, is the brainchild of We Are Hunted, a startup quietly acquired by Twitter just last year. The app pulls in music from Rdio, Spotify and iTunes, while using data from your Twitter follower graph to deliver the best possible music for you.
If you have an Rdio or Spotify account, you can sign into them within the app and stream full tracks for your listening pleasure. If not, you’ll still have access to an iTunes preview to discover great new music.
What’s interesting is that Twitter is aiming straight for the mainstream with this launch, as opposed to targeting its usual early-adopter crowd. GMA reaches a huge audience every morning, and Rdio and Spotify have some of the biggest followings in the music streaming world.
By pulling in their offerings, not only does Twitter get a mainstream launch for its new mainstream media (music discovery) app, but Spotify and Rdio get to expand their audiences within the Twitter ecosystem.
Twitter Music seems to feel like a lot of other music apps while still being slightly unique from all of them. It’s broken down into four tabs: Suggested, #NowPlaying, Popular, and Emerging. The latter two simply pull in info from We Are Hunted’s platform to determine what’s trending and display up-and-coming artists.

Where’s Twitter Music For Android? Why Today’s Tech Companies Are Still Going iOS First

The link to the full story is here


Where is Twitter Music for Android? With today’s launch of Twitter’s new music discovery platform, the company has again made a move to sideline the install base of around half of the U.S.’s smartphone audience by failing to deliver a native application for users of non-Apple devices. It’s a strategy that still remains prevalent among tech companies today, both large and small. The companies’ reasons vary: for many smaller startups, there simply aren’t enough developers to build for iOS and Android simultaneously. Meanwhile for others, the iOS-first decision is more of a strategic play.

Twitter Music is now the second major new mobile application that Twitter has brought to Apple device owners first. The company previously launched its Vine video-sharing application as iOS-only in January, and it still remains exclusive to that platform today.
The interesting thing about Music’s launch – a move announced on ABC’s “Good Morning America” – is that Twitter is attempting to reach a mainstream audience with the app. In the U.S., that audience is just as likely to be on Android as iOS – if not more so, in fact. Google’s Android platform now accounts for 51.7 percent of U.S. mobile subscribers, while Apple’s iOS reaches 38.9 percent (source: comScore).
The Android platform is also now surging past iOS in terms of smartphone sales. This month, Kantar reported that in the first quarter of the year, Android’s percentage of U.S. smartphone sales was 51.2 percent to iOS’s 43.5 percent.

BBC America & Twitter Announce Content-Sharing Partnership

The link to the full story is here




BBC America has announced via a tweet that it will partner with Twitter to offer the “first in-Tweet branded video synced to entertainment TV series.” News of the deal comes a few days after a report that Twitter is in talks with Viacom and NBCUniversal to host TV clips and sell advertising on the site.
BBC America’s tweet didn’t offer any specific information about the deal or which of its TV shows would be involved, but it did namecheck hit series Doctor Who and Top Gear.
This has been a busy week for Twitter as it seeks to move beyond being a microblogging platform. In addition to the TV network tie-ups, the company also just launched Twitter Music on Good Morning America.
As Jordan Crook notes, the decision to debut the standalone app on network television is a sign that Twitter is aiming directly for a mainstream audience, instead of seeking to first build an audience of early-adopters.
The company has been building out its site as a multimedia platform with a series of acquisitions: Twitter Music was built by startup We Are Hunted, while video-sharing service Vine was launched in January after Twitter bought it in a low-profile buyout.

Facebook Launches Open Graph Mobile, Updated iOS SDK With Improved Login And Sharing

The link to the full story is here




Facebook today unveiled three new products at its Mobile Developer Conference in NYC that will put the company on an even faster track to becoming a mobile-first platform.
The company announced Open Graph mobile, which takes Facebook’s social graphing product to the mobile platform for the first time. Facebook is also improving Login via mobile, and releasing a new Facebook SDK 3.5 for iOS.
Alongside unveiling the latest initiatives toward a mobile-focused Facebook, the social network also released its latest figures for mobile, which include over 680 million mobile users and the fact that over 81 percent of iOS apps and 70 percent of top 100 grossing Android apps integrate with Facebook.
In terms of Open Graph mobile, Facebook simply wants to make it easier for developers to integrate the Open Graph into their mobile apps, a feat that has proved difficult in the past. But with a new Object API, Facebook is cutting out the web server.
“With the Object API, you can directly create Open Graph objects and no longer need to host webpages with Open Graph tags. This API is available for both mobile and web apps,” reads the press release. Facebook has also released an Object Browser, which is a visual interface that lets developers interact with their published object data. Alongside the Object Browser, you’ll also notice that Facebook has introduced a new object privacy model that improves sharing of user generated content within native apps.
Past that, the company also released native Share Dialog, a tool that lets users share experiences from native mobile apps without needing to log in to Facebook first. It also has built-in support for publishing Open Graph actions, so it makes sharing within developers’ apps much better “with just one line of code.”
Why is this important? Two things really.
For one, more apps using Open Graph lets Facebook pull more content into the news feed that it can monetize with ads showing alongside it. Plus, Facebook will receive more structured data about user activities, which again, brings us back around to targeting ads.
Where log-in is concerned, Facebook is launching a faster login dialog (20 percent faster, to be exact) that gives users more control over their permissions and privacy. Facebook realized a few months ago that their newest permission model on the FB platform was seeing a 5 percent increase in mobile conversions, and so they decided to bring that feature to their developers as well. Starting today, the new login dialog will automatically be applied to mobile and non-game web apps with no change required to the code.
Last, but certainly not least, Facebook is launching the Facebook Technology Partners program to help developers leverage these new products across all the potential platforms out there. According to the release, “these partners offer technical solutions that include SDKs, plugins, tools and services to help developers build great social apps.”

Hello Social Launches Platform And API For Building And Monitoring Every Aspect Of Social Marketing Campaigns

The link to the full story is here



Hello Social is a new Toronto-based startup launching today, with the aim of improving the amount of useful data captured from online social media marketing campaigns. The startup, co-founded by design professional Dominik Dryja and technical lead Bartek Nowotarski, provides tools for companies looking to run campaigns like contests on platforms like Facebook, or via their own web properties, and provides intelligent metrics around those contests to help identify trends and opportunities to drive greater engagement and higher conversion rates.
At launch, Hello Social offers the ability to create one kind of social promotion campaign from its web-based platform, a Photo Contest for Facebook. Creating the contest is simple: you first name it, choose from a range of settings, including setting the number of entries allowed per participant, how many entries can win, whether users have to Like your page to participate, and when the contest closes, among others. You assign a brief description, contact details and terms and regulations/privacy policy (supplied by your own legal department) to make sure everything is on the up-and-up.
Then you set an age gate, and are able to specify what kind of data you want to collect. Contests are in all cases a way for brands to generate leads, so this is the crucial step. Contest creators can enter as many fields as they like, including things like name and email, as well as custom fields for gathering any kind of data. Then once you select a design and set the broadcast message for Open Graph and friend invites, you’re good to set it live.
“We’re giving the tools for Internet companies to track very simply whether he’s actually an engaged user, whether he’s actually recommended something, whether he’s a paid user, all coming soon in future releases,” Dryja explained in an interview, talking about the range of possible options in terms of data you can gather. “There’s no system right now that delivers this kind of solution, and we’d like to continue in the future developing things in that area.”

Wednesday, April 17, 2013

Stored XSS In Facebook Chat, Check In, Facebook Messenger - Break Security

The link to the full story is here

This is a GREAT article by Nir Goldshlager




Today, I’m going to share a few of my favorite Stored XSS findings in Facebook (Facebook Chat, Facebook Check In, Facebook Messenger). These findings are almost always interesting if you happen to find them in the right location.
For instance, what would occur if the Malicious Stored XSS Payload ran on the victim every time they checked in? You could also inject the Payload into the Facebook Chat Screen, which could be really interesting.
There are essentially two different ways to exploit Stored XSS issues:
1. Let the victim visit our stored XSS payload (Facebook Check-In, Facebook Messenger, Facebook Chat) on their own.
2. Exploit it with the URL plus the stored XSS data.
I wanted to locate an interesting spot within Facebook that would run the data on the victim each time they visited one of my places. I could also just run it through Facebook Chat.
This post will talk a lot about Stored XSS in regard to Facebook Chat, Check-In, Facebook Messenger (Windows Version).
The vulnerabilities mentioned here have been confirmed patched by the Facebook Security Team.
Bug 1
Stored XSS In Facebook Chat
When a user starts a new message within Facebook that has a link inside, a preview GUI shows up for that post. The GUI is used for presenting the link post. For this action, Facebook added extra parameters for the “post message” request.
I found an interesting parameter that looked like this:
attachment[params][title],attachment[params][urlInfo][final]
I noticed that Facebook does not verify whether the attachment[params][urlInfo][final] parameter is a legitimate link (http, https). So it is relatively easy for an attacker to alter those parameters and turn the request into a malicious one.
For instance:
attachment[params][title]=PoC Click Me&attachment[params][urlInfo][final]=javascript:alert(6)
Facebook will later take those parameters and insert them into the href attribute of an anchor:
<a href="javascript:alert(6)">PoC Click Me</a>
Each time the victim clicks on this malicious message in Facebook Chat, the Stored XSS will begin to run on their client.
PoC Video:
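As an added illustration (this is not code from the post and not Facebook's code), the snippet below models the sink described for Bug 1: a request parameter that lands in an anchor's href with no scheme check. The function names and the shape of the params object are assumptions; the two parameter keys are the ones the post names. It places the vulnerable rendering beside a version that allows only http(s) URLs and entity-encodes the title, and shows that case-mixing and embedded control characters, which browsers tolerate inside a scheme, do not get past the check.

```javascript
// Added example (not Facebook's code and not from the post): models the sink
// described for Bug 1, a request parameter that is dropped into an <a href>
// with no scheme check, beside a rendering that validates the URL first.
// Function names and the params object shape are assumptions; the two
// parameter keys are the ones named in the post.

// Constructed sample of the tampered "post message" request.
const SAMPLE_PARAMS = {
  "attachment[params][title]": "PoC Click Me",
  "attachment[params][urlInfo][final]": "javascript:alert(6)",
};

// Entity-encode a string for use inside a double-quoted attribute or as text.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable rendering: whatever arrived in urlInfo[final] becomes the href.
function renderLinkPreviewVulnerable(params) {
  const title = params["attachment[params][title]"];
  const url = params["attachment[params][urlInfo][final]"];
  return `<a href="${url}">${title}</a>`;
}

// Return a normalised absolute http(s) URL, or null if the value must not be
// used as a link target. Parsing with the WHATWG URL parser (the same one the
// browser uses) instead of a regex means case, encoding tricks and embedded
// tab/newline characters are handled the way the browser will handle them.
function safeHttpUrl(raw) {
  // Drop ASCII control characters and spaces; browsers ignore tab/newline
  // inside a scheme, so "java\tscript:" would slip past a plain prefix test.
  const cleaned = String(raw).replace(/[\u0000-\u0020\u007f]/g, "");
  let parsed;
  try {
    parsed = new URL(cleaned);
  } catch (e) {
    return null; // relative, protocol-relative or malformed: refuse, don't guess
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return parsed.href;
}

// Fixed rendering: allowlist the scheme and encode the title; if the URL fails
// validation the preview degrades to plain text with no link at all.
function renderLinkPreviewSafe(params) {
  const title = escapeHtmlAttr(params["attachment[params][title]"] || "");
  const url = safeHttpUrl(params["attachment[params][urlInfo][final]"]);
  if (url === null) return `<span>${title}</span>`;
  return `<a href="${escapeHtmlAttr(url)}" rel="noopener noreferrer">${title}</a>`;
}
```

safeHttpUrl returns the parser's serialised form (a bare origin gains a trailing slash, for instance); that normalised value, not the raw parameter, is what should be stored and later rendered. The title is encoded separately because a scheme allowlist says nothing about the text between the tags.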

Bug 2
Stored XSS In Facebook Check In
The other major Stored XSS that I located is in the Facebook Check-In screen. This is a cool one because the XSS runs every time a victim visits a place the attacker has checked in at.
To make use of the Stored XSS in Facebook Check-In, the attacker needs to first construct a new location within Facebook Pages (https://www.facebook.com/pages/create/).
Then, the attacker must change the settings in this new location. For instance, they can alter the address info on the place settings to something like:
<img src="a.jpg"onerror=javascript:alert(6)>
When the victim later checks in at the place the attacker has been to, the stored XSS runs client-side.
Bug 3
Stored XSS In Facebook Messenger (Windows)
I also noticed that an attacker is capable of injecting a Stored XSS payload into Facebook Messenger for Windows. Any time the victim logs into their account in Messenger, the stored XSS will run on their account.
But, let’s stay focused on the issue at hand. In Facebook Messenger, I noticed that Facebook does not filter the page name, while it will not permit you to set an ordinary account name containing a malicious payload.
For instance:
Page Name:<xxxx>
For this to work, we need a user with a malicious name to be able to send a message to the victim.
For example:
page name:<img src="a.jpg"onerror=javascript:alert(6)>
So, how do we do this?
Facebook has an option to create a new page, correct?
In addition, pages are allowed to send messages directly to the users in Facebook.
So, if we change the name of our page to a JavaScript payload, and then send a message to the victim from that page, what would happen?
In this case, every time the victim logs into Facebook Messenger, a Stored XSS Payload would be run on their account.
PoC Video:
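Bugs 2 and 3 share one root cause: a stored, attacker-controlled string (a place's address, a page's name) is written into HTML without output encoding. The added example below is not Facebook's code and uses made-up function names; the post does not say what Facebook's name filter did, so the blocklist here is a stand-in for the kind of filter a name field typically has. It renders a message header the way the post describes, first behind a blocklist that removes <script> but lets the post's <img onerror> payload through, and then with entity encoding at the point of output, the fix that holds regardless of which tag or handler the payload uses.

```javascript
// Added example, not Facebook's code. The place address (Bug 2) and the page
// name (Bug 3) are attacker-controlled strings that reached HTML unescaped;
// the payload below is the one the post uses, with straight quotes.
const PAYLOAD = '<img src="a.jpg"onerror=javascript:alert(6)>';

// Stand-in blocklist filter (an assumption, not the filter Facebook used): it
// knows about <script> but not about event-handler attributes on other tags.
function stripScriptTags(s) {
  return String(s).replace(/<\/?script\b[^>]*>/gi, "");
}

// Output encoding for HTML text and attribute context: every character that
// can open a tag, close an attribute or start an entity becomes an entity.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the stored page name is concatenated into the message header
// after the blocklist pass. The <img onerror> payload survives untouched.
function renderMessageVulnerable(pageName, body) {
  return `<div class="msg"><b>${stripScriptTags(pageName)}</b>: ${body}</div>`;
}

// Fixed: encode at the point of output, for every field that carries user data.
function renderMessageSafe(pageName, body) {
  return `<div class="msg"><b>${escapeHtml(pageName)}</b>: ${escapeHtml(body)}</div>`;
}

// Reviewer's check over rendered markup: does any element carry an on*
// handler attribute? The post's payload has no space before "onerror", so the
// attribute may directly follow a closing quote.
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*[\s"']on[a-z]+\s*=/i.test(html);
}
```

The check function is deliberately crude (it scans serialised markup, not a parsed DOM) and is meant for tests and reviews, not as a filter: the lesson of the three bugs is that input filtering is the wrong layer, and that encoding on output is what removes the whole class.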

Tuesday, April 16, 2013

Twitter Reportedly In Talks With Viacom And NBCUniversal For Content-Sharing Deal

The link to the full story is here



Twitter is nearing an agreement with Viacom to host TV clips and sell advertising on the site, reports Bloomberg. It is also reportedly discussing a content partnership with Comcast’s NBCUniversal, and one or more of the deals could be reached by mid-May.
According to sources cited in the article, the partnerships would let Twitter stream videos on its site and split the resulting ad revenue with the networks. Twitter already has agreements in place with ESPN, Weather Channel LLC, and Turner Broadcasting System.
If the partnerships come to fruition, it would be the latest step in Twitter’s moves to branch out from being a microblogging platform to a multi-faceted media platform in a bid to increase user engagement and reap more advertising revenue. Engaging with television networks is a logical step for the company: a third of active Twitter users tweeted last June about something they saw on television, up from 26 percent last year, according to a Nielsen report (Twitter has also partnered with Nielsen to measure how much of the chatter on the site is prompted by television programs).
Other recent moves by Twitter to build tools allowing users to share content within the platform instead of relying on third-party providers include the launch of its music app last week after it acquired music discovery startup We Are Hunted, and the introduction of Vine.