The exploit was found on a bet during last week’s Foo Camp, a conference-like gathering for hackers put on by tech publisher O’Reilly at the company’s campus in California. One particular attendee decided he could find an exploit in OAuth.

“It’s just a new use case nobody thought of before,” said Eran Hammer-Lahav, OAuth’s designated community coordinator for this threat. “The initial response is: this is an authorization, not authentication. You shouldn’t use it for that, and I kept saying because I’m a big fan of the Twitter sign-in solution, ‘Well, show me an exploit.’”

Determined to find an exploit, the hacker (who prefers to remain unnamed due to the terms of his employment) targeted OAuth. The hacker found that if he started a request, then directed a victim to initiate the authorization form on his behalf from a bogus trap site, the victim would submit the login form and provide the hacker access to the victim’s data.

Hammer-Lahav wrote up a very detailed description of the exploit on his blog.

The exploit only affects new users of an application. If you’ve already authorized an application yourself, this exploit will not jeopardize your account.

OAuth’s official acknowledgement was released Thursday.

The good news is the exploit was found before it was used on any other use case than Twitter. The bad news is that once the exploit was discovered, OAuth experts realized other OAuth partners weren’t safe either. Because around 75% of OAuth adopters were gathered at Foo Camp by luck, the primary shareholders all agreed on a course of action to take to minimize damage.

Minimizing damage, in this instance, means making it as hard as possible for hackers to take token authentications and send them to users. This means turning OAuth off entirely (a la Twitter), limiting the time it takes to authenticate the session dramatically, or put up a warning on authentication questioning the source of the link (if the link did not come from the application itself).

In response to the exploit, Hammer-Lahav acknowledges the OAuth protocol will need to be revised. The new specification will not be backwards-compatible. Hammer-Lahav says this is the direction OAuth must take immediately.

When asked whether this security exploit will hurt OAuth’s future, Hammer-Lahav thinks it will actually do the opposite.

“This has been a solution that has been reviewed for a year and a half now, and it has been reviewed by most well-known security experts and they just missed it. Nobody ever thought of this particular security exploit. There’s nothing to suggest that if you create your own proprietary platform, you’re not going to make the same mistake or a different one.”

“I think the way the community behaves around it and the way it was addressed will really show that, you know what, this is a mature community that can respond to this situation in a mature and effective way.”

There aren’t very many security methods that have escaped exploits. The lessons learned from this exploit actually provide a good indication of how OAuth can adapt to inescapable flaws. According to Hammer-Lahav, OAuth has taken away a lot from this situation.

“We need to look at how we handle this and do a post-mortem on this entire process. — not now but in a few weeks — and come up with a process on how to deal with this. One of the things that we did not have was a list of providers that have OAuth so when there is an exploit you will be notified.”

There’s a lesson here for all open-community specifications. There is a fair amount of organization that is inherent to proprietary communities that aren’t available to organizations without a governing body.

“Next time it happens to OAuth or OpenID or any community-driven specification, we actually have resources [to address the problem]. For us it was really hard to find those resources,” Hammer-Lahav says.

He also claims the usual security resources or organizations were not equipped to help OAuth. “They don’t really help you unless you’re a vendor or a software provider. But if you have a spec that’s broken, there isn’t really an infrastructure to deal with it.”

See Also:

• Go Go Gadget OAuth Support
• Thanks to OpenID and OAuth, the Open Social Web is Beginning to Emerge
• OAuth 1.0 Released: Logging in Gets Safer and Easier
• New Foundation Wants to Bridge the Gaps Between Open Web Tools

Not much else to report on Firefox 3.

The next version of Firefox, version 3.5 (formerly 3.1), is a far more exciting release. It is currently in its third beta. A fourth beta is expected later this week or next, depending on the results of a wave of testing being held on April 24th. Firefox 3.5 contains speed upgrades to its JavaScript engine, nicknamed Tracemonkey, and some enhancements to tab management and private browsing. It is expected sometime this summer, after at least two upcoming release candidates.

See Also:

• What’s Holding Up The Next Version of Firefox
• Why You Should Download Firefox 3 Right Now
• Third Firefox 3.2 Beta Ready for Testing
• Firefox 3 Wins Guinness Record for Most Downloads

The API was one of Analytics’ top requested feature. Clever developers will be able to download traffic data using home-built applications. SEO managers will be able to better track their website’s popularity. IT pros will be able to program monitors to track if traffic spikes or drops suddenly.

Bundled with the release were third-party software applications utilizing the new API. Actual Metrics has developed an Android mobile application for checking your website stats on the fly. Desktop-Reporting has released a desktop application and desktop widget.

The API uses the Google Data API format. This is the same API protocol offered for Google Calendar, Finance and Webmaster Tools products. Documentation for utilizing the new API is available at Analytics’ code site.

See Also:

• Running Google Analytics? Consider Updating Your Scripts
• Web 2.0 Expo: ChartBeat Rocks the Analytics Boat With Realtime Stats
• Revamped Google Analytics Improves Traffic Tracking
• Google Analytics

Tired of staring through the Browser window and only seeing content in two dimensions? Google wants to take you back to the future by open-sourcing a new 3D web standard called O3D.

The technology automatically renders 3D environments through the browser. The result is a world that looks a lot like the beautifully drawn 3D panels of the 1993 hit video game Myst. The difference being you can fly around the the O3D environments much like a 2009 flight simulator. Check out the video above for an example — also on a beach/island.

The technology utilizes your computer’s graphic hardware via an API built into a cross-platform browser plug-in. The content itself is in COLLADA format, a format generated by CAD programs such as Google’s own Sketchup. The 3D environment can be embedded and tweaked with extended JavaScript code. Interestingly, Google’s V8 JavaScript engine is embedded into the technology itself (V8 is also found in Google’s Chrome browser).

This isn’t Google’s first foray into a 3-dimensional web. Lively provided Second Life-like 3D chatrooms through the browser. The ill-fated product was discontinued after only four months.

It isn’t the web’s first 3D foray either. Those developing back in 1995 may remember VRML. The web standard was the first to play with mostly clunky and slowly-rendered 3D images. Somewhere around 1997, the technology was superseded by X3D. At the risk of angering some passionate X3D developers, that web standard didn’t really meet its potential either.

But hey, maybe the web is finally ready to be browsed like the 90′s special effect visualizations in movies trying to make this new thing called the internet look more enticing than what it really looks like: a caffeine-laden teenage nerd typing away at a computer. Although Google’s announcement proclaims Google Earth proves O3D’s relevance to the web, I think it’s a technology ripe for its inevitable destiny: making Lawnmower Man a (virtual) reality.

See Also:

• Flash Player 10 beta 2 ‘Astro’ Fixes Bugs, Adds 3D
• Reimagining the Future of Your Deskctop in 3D
• Microsoft Virtual Earth Enters the 3rd Dimension
• Google Earth and Sketchup

The output is color coded and highlights all insertions and deletions to the web page as made through the Firebug interface. The application is not unlike the popular “diff” application found in Unix-based operating systems that allows you to see a side by side comparison of any and all differences between text files.

Firebug is the debugging add-on for Firefox that allows you inspect properties of the web page and make experimental changes on the fly. Firebug has taken on a life of its own, inspiring add-ons to the add-on like Yahoo’s YSlow or Firediff.

Firediff was released Friday and works with Firebug latest 1.4 release. Details and downloads are available at developer Kevin Decker’s blog.

[Hat tip Ajaxian]

See Also:

• The Five Best Firebug Extensions
• How to Create a Firebug Extension
• Firebug Lite: Debugging Tools That Work in Any Browser
• Tutorial: Build Better Pages With Firebug

The update will offer Windows XP, vista, Server 2003 or Server 2008 operating system users three choices: Ask later, install now or don’t install.

The auto-update, if successful, should boost the somewhat flagging Internet Explorer 8 adoption numbers. More importantly, it will also be a great relief to web developers all over the world still making concessions for old bugs and outdated standards still found in IE 6.

It will also allow users the ability to do several new things Internet Explorer 8 enables, as featured by Scott Gilbertson’s “Ten Things to do on the Web When IE 6 is Dead” post earlier this week. Information on the auto-update can be found at the Internet Explorer blog.

• Internet Explorer 8 Fails to Make Headway Amongst Competition
• Saving the Web From Internet Explorer 8
• Firefox Could Pass IE by Next Summer
• Developer Reverts to Flash to Correct IE Standards Shortcoming

Some sites surprisingly don’t force secure socket layer connections when transferring login information or accessing potentially private information. It leaves users vulnerable for security breaches, particularly over public internet or wireless connections.

If it is a trustworthy site, chances are it will support the protocol. Some examples of sites where you can force a secure login:

GMail: https://mail.google.com

Google Docs: https://docs.google.com/

Google Calendar: https://www.google.com/calendar

Twitter: https://twitter.com/home

FriendFeed: https://friendfeed.com/

Facebook: https://www.facebook.com/home.php

LinkedIn: https://www.linkedin.com/home

Pandora: https://www.pandora.com

Connecting to these websites securely every time requires a simple update of your bookmarks.

The sites above are just a taste. Most Google sites can be forced to connect securely using https. Other sites will have your back for you. Yahoo and Microsoft, for example, will automatically force a secure connection to Yahoo Mail, Hotmail or Flickr logins.

Then, there are the sites that force you to log in without a secure connection, like Digg and MySpace. Best not to enter any password you care about into these services. There is no easy way to tell if someone is sniffing your traffic from the same access point. Truth is, any dedicated hacker can do it easily.

[Hat tip to security blogger Jason Sylvester]

See Also:

• Why You Should Turn Gmail’s SSL Feature On Now
• Firefox 3 Highlights Websites Secuirty Failings
• Firefox 3 Beefs up Page Info

Cupcake is said to include many significant bug fixes and developer APIs. Features to look forward to include:

• Hardware-accelerated video recording and playback
• On-screen keyboards and keypads
• Save attachments from MMS messages
• Music playback fades when receiving a call
• An updated browser (using Webkit’s latest core and an optimized JavaScript engine nicknamed Squirrelfish)
• Copy and paste from within the browser
• Better search in the music and browser
• Downloads can be paused
• Support for third party application updates
• Interface elements should be faster
• Better third-party accessory APIs including stereo bluetooth (which means more and better accessories)
• A slightly nicer looking user interface
• A more intuitive dialer. No more lockouts when on a call

If you’re anxious to check it out, the SDK download includes an Android 1.5 emulator. However, you should be pretty comfortable with SDKs before attempting to run it.

According to the Android Open Source project, Cupcake is expected to hit devices by Q4. Google points to the Android developers blog for highlights of its new APIs.

The features in the roadmap aren’t too jaw-dropping when compared with the iPhone 3.0 release coming out in June, although still not bad for its second release. Also, there have been hints that Google may also be holding back a secret feature from the public eye. Netbook support, perhaps?

As for the codename? Someone at Google likes cupcakes perhaps a little too much (we’re looking at you Marissa Mayer).

• Google Delivers Android Mobile OS to Developers
• Meet Android, the Google Phone’s Robot Brain
• Five Reasons Android Might Deliver Where iPhone Won’t
• Android SDK Update a Little Late to the Party

While standards can be a rather broad definition, the following list includes some of Webmonkey’s favorite places to get schooled on standards:

• OpenID, OAuth, Activity Streams Microformats and the Open Stack: The top evangelists on the subject are Chris Messina, Joseph Smarr, David Recordon and John McCrea. While they all update their Twitter feeds with regularity, you can find them talking about OpenID every week on their vlog at thesocialweb.tv.
• HTML 5: There are two sources for the latest in HTML 5 development. The Web Hypertext Application Technology Working Group (WHATWG) represents a working group dedicated to creating new and cool technology for HTML 5. Often, the development gets incorporated into W3C’s HTML 5 standard. It’s an ongoing process that has worked for such things as Canvas, Scalable Vector Graphics and offline access. Mark Pilgrim writes the WHATWG Blog, and W3C hosts Planet HTML 5.
• CSS 3.0: CSS3.info is much more adept, or at least readable, at reporting developments on the emerging web design standard than even the W3C working group.
• XML-Based Standards: When you need information on XML-based standards, it’s best to go to the source. The Organization for the Advancement of Structured Information Standards (OASIS) is a democratically run global organization that oversees the development of many of the web’s open standards. OASIS’ website lists upcoming events, ballots, reviews and press announcements.
• Internet Protocols: Information on other internet protocols, including information on IPv6, might be found in the mailing lists of the Internet Engineering Task Force (IETF).

Let’s get this straight. Microsoft is the company known for chewing up and spitting out their competitors by unfairly leveraging its ubiquitous Windows operating system. Some of those tactics haven’t changed. However, thanks to various lawsuits and a pretty negative public perception, the Microsoft of ten years ago only vaguely looks like the Microsoft of today.

In fact, many of Microsoft’s consumer offerings, if by any other company, would be loved rather than loathed. While there are still plenty of reasons to get mad at Microsoft, the good in Microsoft should be celebrated.

Why should you get over hating Microsoft? Let me count the ways:

1. Windows Live ID has incorporated OpenID technology. It means you can log-in to many other OpenID-enabled sites with your Microsoft account. “Wait,” you say. “That’s an open standard!” Yes, apparently the new Microsoft isn’t immune to adopting other people’s good ideas after all. The thorn to OpenID’s rose is the fact the company doesn’t allow you to log in to Microsoft sites with outside OpenID accounts yet, but it’s coming.

2. You may not know it, but you can get 25 gigs for free on Windows Live. Microsoft’s SkyDrive gives you more than your free Gmail and Yahoo accounts combined. Even better, SkyDrive is built into the Windows 7 operating system, so it shows up in your shared drives just like if you had a hard drive on your local network. Users can upload and download files through their Windows Live accounts. However, with Windows Live Mesh, you can synchronize files on your Macs or Windows machines seamlessly. Soon enough, SkyDrive, Windows Live Mesh and another folder syncing service called Windows Sync will all combine, giving you 25 gigs to share across all platforms.

3. Much of Windows’ Consumer Applications Are Free. Sure, its two flagship products, Windows and Office, will remain expensive forever. But many of its consumer offerings are online for free for the sole purpose of making its flagship more attractive. To the rest of us though, it’s just free software that allows us tools to send instant messages, write e-mail, blog, make movies, browse the internet and organize and host photos online. Of course, you can find competing products like Yahoo Messenger, Mozilla Thunderbird and Firefox and Google’s Picasa for free too.

4. Microsoft Participates in Standards Development More Than You Think. The company may not adopt standards as fast as others. For example, Internet Explorer hasn’t adopted many of the standards adopted by most other major browsers when it comes to HTML 5 and CSS 3. However, if there is a W3C, Open Stack, CSS 3, WHAT Working Group or other established standards meeting, you can bet a Microsoft employee will be there and actively participating. Such participation should be acknowledged and applauded, especially since they have a hand in molding the future of the industry. However, the standards take much too long to get integrated within Microsoft products compared with competitors. Microsoft’s spin is that they aren’t going to adopt a standard until it is fully baked. Meanwhile, they hold back the very standards they, and many others, are working to employ.

5. Microsoft has Given Up Trying to Buy or Compete With Everyone. In spite of their efforts, it looks like Microsoft will not be able to buy up or destroy every piece of technology that shows some success. Thanks in part to court orders and competitors like Google who have actually had the upper hand over Microsoft and held it, Microsoft either had to conform or die. In its attempt to give the perception that the company will play fair, we now see Twitter, Flickr, and Digg integration in Windows Live Writer. Windows Vista and Windows 7 will allow you to choose your preferred browser, search engine and music player. The products still won’t make it easy though. In every effort, you’ll have to jump through some hoops to remove Windows Live from your default settings.

There are still plenty of more reasons to hate Microsoft, especially if you are a Linux user. Microsoft does have a bit of a rough spell to get over. Thanks to plenty of international court actions, the behemoth no longer enjoys many of the same freedoms other, smaller companies do. Given Microsoft’s history, in many ways they deserve to have their feet held to the fire a little bit. But maybe it’s time to give Microsoft a little leeway. After all, Windows 7 actually looks promising, and chances are it will be pre-installed on your next Netbook.

See Also:

• Windows 7 Beta Preview for the Masses
• Windows 7 Will Be Less Annoying Than Vista
• Windows 7 Will Let Microsoft Track Your Every Move
• Windows 7 to Dump E-Mail, Photo Editing Software