Facebook’s Auto-playing Videos in an ISIS Era

A few months ago, Facebook changed its default settings to enable auto-play of video content on the social network’s news feed, whether users accessed the site on a desktop browser or through its mobile app. Even though the latter has auto-play enabled by default with an “only on Wi-Fi” asterisk, the change has swept through millions of news feeds, perhaps as a way to ease users into Facebook’s video advertising initiative.

Now, users are calling that default video-play toggle into question thanks to a rise in disturbing content distributed via social media. Should an ISIS beheading or similarly disturbing content find its way to someone’s Facebook news feed while that user hasn’t opted out of the site’s video feature—a process possibly more complicated than it needs to be—they’re in for a rude awakening.

It’s tough to catalog exactly how many gore-filled videos have been successfully circulated via Facebook without the site intervening or taking them down. Publicly, Facebook representatives have argued that such content isn’t subject to removal. And as an example of video auto-play gone wrong, Ars readers directed us to a gory video posted to Facebook that had yet to receive any form of takedown in over a week. Its opening moment features the mass execution of children, all shot by a machine gun, and we chose not to watch the entire video (nor link to it) to see how much worse it got.

Craigslist DNS Hijacked, Redirected at Infamous “Prank” Site for Hours

Around 5:00pm PST on November 23, the Domain Name Service records for at least some of the sites hosted by the online classified ad and discussion service Craigslist were hijacked. At least some Craigslist visitors found their Web requests redirected toward an underground Web forum previously associated with selling stolen celebrity photos and other malicious activities.

In a blog post, Craigslist CEO Jim Buckmaster said that the DNS records for Craigslist sites were altered to direct incoming traffic to what he characterized as “various non-craigslist sites.” The account was restored, and while the DNS records have been corrected at the registrar, some DNS servers were still redirecting traffic to other servers as late as this afternoon.

Craigslist’s domain registrar is Network Solutions, which is owned by Web.com. [Update, 5:32 PM EST November 24: John Herbkersman, a spokesperson for Web.com, told Ars, “The issue has been resolved. At this time we are continuing to investigate the incident.”]

FAA’s Proposed Drone Rules to Impose Heavy Limits on Commercial Use

The Federal Aviation Administration (FAA) is expected to impose strict limits on the commercial use of drones, requiring flights to occur within daylight hours, to rise no higher than 400 feet above the ground, and to remain within the sight of the person controlling the drone, The Wall Street Journal reported last night. Commercial drone operators would be required to have a license and be trained to fly manned aircraft, even though drones are operated remotely.

The Journal reported that people familiar with the matter suggested that, “While the FAA wants to open the skies to unmanned commercial flights, the expected rules are more restrictive than drone supporters sought and wouldn’t address privacy concerns over the use of drones.”

FAA policies currently allow hobbyist or recreational use of drones, but not commercial use. A federal judge’s ruling in March this year said the FAA issued its ban on commercial drone use illegally because it did not seek public input before adopting it; this forced the agency to begin a new rulemaking process. The proposal described in yesterday’s report could rule out the use of these devices by companies such as Amazon, which wants to eventually deliver packages via drones. Drones could also find uses in the farming, filmmaking, and construction industries.

Four-year-old Comment Security Bug Affects 86 Percent of WordPress Sites

A Finnish IT company has uncovered a bug in WordPress 3 sites that could be used to launch a wide variety of malicious script-based attacks on site visitors’ browsers. Based on current WordPress usage statistics, the vulnerability could affect up to 86 percent of existing WordPress-powered sites.

The vulnerability, discovered by Jouko Pynnonen of Klikki Oy, allows an attacker to craft a comment on a blog post that includes malicious JavaScript code. On sites that allow comments without authentication—the default setting for WordPress—this could allow anyone to post malicious scripts within comments that could target site visitors or administrators. A proof-of-concept attack developed by Klikki Oy was able to hijack a WordPress site administrator’s session and create a new WordPress administrative account with a known password, change the current administrative password, and launch malicious PHP code on the server. That means an attacker could essentially lock the existing site administrator out and hijack the WordPress installation for malicious purposes.

“For instance, our [proof of concept] exploits first clean up traces of the injected script from the database,” the Klikki Oy team wrote in a blog post on the vulnerability, “then perform other administrative tasks such as changing the current user’s password, adding a new administrator account, or using the plugin editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator). These operations happen in the background without the user seeing anything out of the ordinary. If the attacker writes new PHP code on the server via the plugin editor, another AJAX request can be used to execute it instantaneously, whereby the attacker gains operating system level access on the server.”
