web 2.0

Wednesday, May 12, 2010

The Latest from TechCrunch


Sibblingz Launches Multi-Platform Social Game Engine To The Masses

Posted: 12 May 2010 08:57 AM PDT

Today, Sibblingz is launching its social game engine built for the multi-device world to the public.

Sibblingz, which has been in private beta since December, allows developers to create games for Facebook's PC site as well as Apple's iDevices and Google Android devices, allowing players to continue the same social game as they switch between devices. Sibblingz will also soon provide the ability to monetize free-to-play games with virtual goods.

Developers already using Sibblingz include the social games company CrowdStar and the game development studio SiXiTS. CrowdStar's Happy Island, which has 12 million monthly average users, was built on the Sibblingz platform.

Sibblingz maintains that because it allows a game to be built once for multiple devices, its engine saves developers the money and time they would otherwise spend creating a separate version for each device.

Sibblingz has received seed funding from YouWeb, which has also invested in Aurora Feint and Crowdstar.

AMD’s Vision: The Chip Race Is Finally Over

Posted: 12 May 2010 08:49 AM PDT

Remember back in the day when you could go into a store and compare two clock speeds and come out with the right machine for you? Everything else was immaterial. Hard drives could be upgraded, memory could be added, but clock speed was the number you lived or died by. 1.8GHz was better than 1.5GHz every day of the week, right?

Those days are over. Moore’s Law, the idea that “the number of transistors that can be placed inexpensively on an integrated circuit doubles every two years” is nearly over, which is why multiple cores are now appearing in consumer PCs. When you have multiple cores, clock speed doesn’t make any sense. A 2.5GHz quad-core machine, to the average Joe or Jane, seems to mean that the PC has four cores running at 2.5GHz each. That means it’s 10GHz, right? Right?


How To Use Facebook Ads For Social Recruiting

Posted: 12 May 2010 07:56 AM PDT

Social recruiting is all the rage right now when it comes to finding new employees to hire. Citysearch CEO Jay Herratti recently told me about a simple but effective way his company is using Facebook ads to hire people. Facebook ads are highly targetable. Citysearch puts up an ad with a picture of the hiring manager and shows those ads only to that manager’s Facebook friends. For instance, the image of the ad at right is the one seen by friends of Citysearch senior VP Kara Nortman, who is introducing social features such as business Tweets into Citysearch.

Since each ad can be “liked,” and thus shared across the social network via the news feed, the ads become implicit referrals. If you know Kara and you see the ad, whether or not you are looking for a job, you might feel inclined to like it and share it with your friends. Or maybe you are looking for a job and since you know Kara or at least are connected to her on Facebook, you feel like you’ve got an in. The ads seem to be working. Kara’s inbox was flooded after the ad ran.

Repeat that across all hiring managers, and companies can create their own homegrown social recruiting campaign. If you try it out, let us know the results.

Six Apart Rolls Out Sponsored “TypePad Conversations,” Your Comments Are Now Ads

Posted: 12 May 2010 07:06 AM PDT

Ever since this whole blog thing started to take off, marketers have been trying to horn their way into the conversation. It started out as crude pay-per-post schemes, and then evolved into more subtle “sponsored conversations”. Once Twitter and Facebook took off, some of those conversations also were for sale. It got so bad, the FTC had to get involved.

Now Six Apart is launching its version of sponsored conversations, which it calls TypePad Conversations. The trick to this type of marketing is to strike a balance between creating authentic online conversations and creating advertorials. The way Six Apart is trying to strike this balance is by getting bloggers to put up posts asking their readers general questions about a topic related to the advertiser’s interests. So Sprint, which is the launch advertiser, is advertising an upcoming HTC 4G phone by getting bloggers to write posts asking questions such as: “Do your kids respond better and faster when you text or call them?”, “If you could connect up to 5 devices at a time using just your mobile phone, how would that change how and when you access the internet?”, and “Is technology making us better or worse at communicating with each other? How so?” I fear the answer to the last question is “worse.”

The bloggers don’t get paid directly for the posts, but below each one is an ad unit showing a display image of the Sprint phone next to a stream of comments from across Six Apart’s blog network from people answering the same question. For some reason, Six Apart calls this ad unit the “Awesome Bar,” even though it is a square, not a bar. And it is not particularly awesome. It reads like an ad, and people will block it out just like they do most other ads online. It is wallpaper. Bloggers get a revenue share from the ad unit.

The program was announced in May, but it looks like it just rolled out today, at least according to a press release. Blogs such as Betty Confidential, GeekWeek, and Jessica Gottlieb are participating. The advertising program is open to bloggers on other platforms as well, such as WordPress.

Thankfully, Six Apart isn’t trying to get bloggers to spark conversations about the advertised products themselves, at least not with this first campaign. As forced as they tend to be, sponsored conversations are not going away as long as marketers think they can somehow capture some of that social media buzz.

Billing Startup Zuora Signs Over $1 Billion In Subscription Revenue In Q1

Posted: 12 May 2010 07:00 AM PDT

We've written about Zuora, a SaaS startup that offers online services to manage and automate customer subscriptions and payments, and its impressive backing. Today the company has reached a new milestone; Zuora has signed over $1 billion in contracted subscription revenue in the first quarter of its new fiscal year, which ended April 30. Zuora's cloud-based billings platform aims to alleviate the need for online businesses to develop their own billing systems, especially to handle recurring payments like those associated with subscriptions. The company says that its growth in revenue, bookings and cashflow is thanks to the shift to the "Subscription Economy" in both the consumer and enterprise world.

Zoodles Raises $2.6 Million For Kid-Friendly Browser

Posted: 12 May 2010 06:55 AM PDT

Zoodles, a browser designed for kids, has raised $2.6 million in seed financing led by Harrison Metal Capital. The company is also officially launching its browser product today.

The brainchild of Mark Williamson, Zoodles aims to allow children to play and interact with the web through games, puzzles and videos. The inspiration for Zoodles came from Harrison’s four-year-old daughter, who was having trouble interacting with a mainstream browser. Zoodles is free for all but also offers a premium membership that gives parents the ability to customize and restrict their child's online learning experience based on their age, interests, educational needs and skills.

The Zoodles interface is a personal playground for kids, which is a series of games, puzzles and videos that are broken down by type on a page. And the interface is customized to a user’s age, so a 5-year-old may get a different screen than a 3-year-old. Content is aggregated from kid-friendly sites across the web. The browser also includes large tabs, mouse controls adapted to small hands and an interface that doesn't require reading skills.

Through a Premium Membership, Zoodles allows parents to customize the browser by shaping the content and subjects (i.e. focusing games on math and science), setting play time limits, blocking specific branded characters or sites, and setting other preferences. The Premium Membership also includes ad blocking functionality. And Zoodles keeps parents up-to-date on their child's activities through frequent email progress reports.

Of course, Zoodles isn’t the first kid-friendly browser on the market. KidZui has a similar product and has scored a number of high-profile partnerships with corporations like Best Buy, Comcast and DreamWorks.

Amazon Launches Its Third iPad App, Shopaholics Rejoice

Posted: 12 May 2010 06:14 AM PDT

We’ll keep this short and sweet: if you shop on Amazon and own an iPad, you can now download an app that lets you do just that from the tablet computer. The app is free of charge and available on the App Store as of now (iTunes link).

The app is custom-built for the tablet device and lets users search and browse products offered by Amazon and thousands of other retailers.

It includes features customers will be familiar with, including bestsellers, daily deals, product information, recommendations and customer reviews.

Amazon promises users a “unique, interactive experience that takes full advantage of the visual and tactile nature of the iPad”. Key features include the ability to purchase items using 1-Click ordering and Amazon Prime, check out personalized recommendations, view editorial and customer reviews, watch movie trailers and listen to song samples, and so forth.

Amazon.com had earlier introduced a Kindle app for iPad, and on April 4 announced the second one it had added to the stable: an app for IMDb (Internet Movie Database).

Slate, Time, WashPo And Other Big-Name Publishers Add The Echo Comment Platform

Posted: 12 May 2010 06:00 AM PDT

Back in December, we covered the rebranding of the startup previously known as JS-Kit, which has now assumed the name of its flagship product, Echo. Echo is a real-time commenting platform that allows users to log in using a variety of accounts, including Facebook, Yahoo, Twitter, Google, and OpenID. After launching last July, by winter the company had signed on partners including CBS/Cnet, Discovery Channel, Dow Jones Local Media Group, and Hearst Digital News. Today, the company has announced the latest batch of publishers to implement the comment system, and there are some big names: Newsweek, The Washington Post, Slate, Time, Forbes, AMC, Morningstar, and Sports Illustrated.

According to Echo CEO Khris Loux and Chris Saad, VP of Strategy, the service’s main draw to publishers is that it is multiplatform. Facebook Connect has recently gotten quite a bit of buzz as Facebook spreads across the web, but Echo has found that on its partner sites, Facebook accounts only represent around 25% of logins (Yahoo accounts for 34%). These proportions are probably different for the web at large, but it’s clear that there are plenty of users who aren’t using Facebook as their login standard. Saad and Loux also note that Echo lets publishers keep control over their content, whereas with a Facebook login system the content is housed on Facebook.

Echo’s main competitors are Disqus and Intense Debate, which we recently integrated on TechCrunch.

LinkedIn Upgrades ‘People You May Know’ Feature With Search Filters

Posted: 12 May 2010 05:57 AM PDT

LinkedIn has been making its platform much more social recently, adding a following feature, integrating with Twitter, launching a URL shortener and adding additional sharing features. Today, LinkedIn is making its ‘People You May Know’ feature a little more social. Sort of.

LinkedIn has essentially blended filtered search with the People You May Know feature. This makes it much easier to filter the list of people you may know by companies and schools. The end result is that it makes it a whole lot easier to quickly determine who you want to connect with and how they are connected to you.

While the feature is simple, the intention behind it is more significant. LinkedIn is making it easier for you to find connections without actually having to do the hard work. With 65 million members, LinkedIn is steadily growing in terms of users but clearly wants to make the platform more of a social destination. Part of that strategy means providing users with features that make it simpler to connect with friends and colleagues.

MerchantCircle Expands Hyperlocal Business Directory To The UK, Canada And Australia

Posted: 12 May 2010 05:55 AM PDT

Hyperlocal business directory MerchantCircle has been steadily growing its business directory for merchants in smaller towns. MerchantCircle has long targeted its site's features towards merchants in small locales rather than catering to consumers, as sites like Yelp and CitySearch do. Today, MerchantCircle is expanding its online marketing platform and business directory to Canada, the United Kingdom and Australia.

The startup provides small businesses with a web page listing, a blogging and email newsletter application, and a local business social network that focuses on connecting local businesses with each other. Since launching in 2007, the startup has gained traction in small towns where the larger sites don't have reach. MerchantCircle has also added features to make the site attractive to consumers, launching a question feature that allows consumers to ask merchants a question about any topic on the platform. MerchantCircle also aims to be a mini-social network, where consumers can "follow" local businesses for information on promotions, coupons and announcements.

MerchantCircle says that the large number of small businesses in the UK, Canada and Australia make the potential growth of its platform in these countries significant. Of course, competitors Yelp and Citysearch both have already expanded internationally.

Of course, this international expansion may support the belief that MerchantCircle could be on track to IPO in the coming year.

Money Dashboard Bids To Become The Mint.com For The UK

Posted: 12 May 2010 05:44 AM PDT

Money Dashboard, which is shooting to become the Mint.com for the UK, launched its open beta today, coming out of a period in closed beta which, they say, was "massively over-subscribed" after its appearance in October. The site recently completed a funding round, securing £1 million of investment via a consortium of investors. It also has a lot less competition now that its main competitor, Kublax, deadpooled this February.

Another iPhone 4G Prototype Shows Up, Bares All Including Apple’s Own A4 Chip

Posted: 12 May 2010 05:34 AM PDT

This is just silly now. Another iPhone has leaked onto the Internet. What kind of ship does Steve Jobs run over there at Apple? This time around they aren't going to be able to bust down the owner/seller/stealer's door seeing as it all went down in Vietnam. Then again, anything is possible with the Apple gestapo. But somehow a Vietnamese website got a hold of the device. The back story really doesn't matter right now. They got and posted pics and video -- good for them. The site went a bit farther than Gizmodo, though. They actually tore it apart, revealing a nice little surprise.

Another Day, Another Patent Infringement Lawsuit Against Apple

Posted: 12 May 2010 05:10 AM PDT

Nokia is not the only company taking Apple to court over infringement of its patents. The latest mobile technology company to make that move is SoftView, a small startup based in Washington.

SoftView, formerly called ClearView, has also included AT&T in the suit, which was filed on Monday.

The company offers a vector graphic display system and web browser for PDAs, cell phones, and other Internet devices. According to its website, its design and development team has been developing Vector Graphics Display systems and Internet standards since 1982 (!).

The patent SoftView claims AT&T and Apple are infringing carries number 7461353 (PDF) and was filed in January 2005, back when the iPhone was but a dream. The patent is titled “Scalable Display Of Internet Content On Mobile Devices” and lists two inventors: Gary Rohrabaugh and Scott Sherman.

The abstract reads:

Mobile devices enabled to support resolution-independent scalable display of Internet (Web) content to allow Web pages to be scaled (zoomed) and panned for better viewing on smaller screen sizes. The mobile devices employ software-based processing of original Web content, including HTML-based content, XML, cascade style sheets, etc. to generate scalable content.

The scalable content and/or data derived therefrom are then employed to enable the Web content to be rapidly rendered, zoomed, and panned. Moreover, the rendered displays provide substantially the same or identical layout as the original Web page, enabling users to easily navigate to selected content and features on familiar Web pages.

Display lists may also be employed to provide further enhancements in rendering speed. Additionally, hardware-based programmed logic may be employed to facilitate various operations.

Expect Apple to vigorously defend itself against the patent infringement claims, and perhaps even resort to counter-suing (again).

We’ve asked Cupertino for comment but don’t expect to hear back.

Report: The iPad Won’t Go Mass Market Anytime Soon

Posted: 12 May 2010 04:22 AM PDT

As magical as Apple's iPad may be, it's unlikely to go mass market anytime soon. That's according to research carried out in the UK, which concludes that consumers struggle to see how the device could fit into their lives. Simpson Carpenter's qualitative research drew comments from participants such as: "It's just a big iPod Touch ... a big iPhone without the phone" and "everything it does I can do on my PC or my phone right now." All of the iPad's perceived advantages were seen to be filling a niche or too use-case specific, such as reading eBooks, consuming content on the train, or making presentations. And while the majority of those interviewed thought that the iPad had the wow factor, they couldn't justify a purchase.

Come As You Are: Tapulous Debuts Tap Tap Revenge App Featuring Nirvana

Posted: 12 May 2010 04:18 AM PDT

Mobile app developer Tapulous has released a brand new Tap Tap Revenge app for iPhone and iPod touch (iTunes link), this time featuring well-known rock band Nirvana.

This special edition game, available from the App Store for $4.99, features thirteen of the iconic band’s massive hits, including “All Apologies,” “Smells Like Teen Spirit,” and “Come As You Are.”

Players can enjoy special Nirvana content, including a history section that tracks the course of the band and the Seattle music scene.

In addition, a first for the Tap Tap Revenge franchise, players will be treated to narrative vignettes for each track, which offer back-stories related to the songs and comments about the band and their music.

Rock on!

(Other special editions include Tap Tap Revenge for Dave Matthews Band, Justin Bieber, Kings of Leon, Coldplay, Lady Gaga and Metallica)

$1.5 Million In Series A Funding For Online Pawnshop

Posted: 12 May 2010 02:15 AM PDT

Online pawnbroker Internet Pawn, self-reportedly the first of its kind in the United States, this morning announced that it has completed a $1.5 million Series A equity financing.

New investors Daylight Partners and Access Ventures have joined the company’s founders in the financing.

The best part of the announcement is the name of the Daylight Partners partner that has joined the company’s board as part of the deal: Rocky Mountain (a Dell veteran).

Internet Pawn was established in 2009 by people who’ve actually owned and operated a chain of brick-and-mortar pawn shops in different states, so this is actually not a poor investment at first glance.

The startup essentially offers short-term loans based on the collateral of customers’ personal valuables (like that PlayStation 2 or early Zune you still have lying around somewhere).

Internet Pawn says it offers cash quickly, doesn’t require payment of interest for six months, and lets people do it from the security and privacy of their homes. More info on loan rates is available here.

The company adds that it will loan on “just about anything legitimate and of value” but specializes in providing loans for Rolex, Omega, Tag Heuer, and Breitling watches.

If a customer decides not to repay the pawn loan amount and any unpaid pawn service charges (“redeem” the loan) after the 180-day loan period, the customer “forfeits” the property to Internet Pawn in full payment of any and all amounts owed to them.

Internet Pawn will then sell the item.

The company promises compliance with various Federal laws, including: USA Patriot Act; the privacy provisions of Gramm-Leach-Bliley Financial Services Modernization Act; Truth in Lending Act; Bank Secrecy Act; and certain IRS regulations.

Digg’s Biggest Problem Is Its Users And Their Constant Opinions On Things

Posted: 12 May 2010 01:03 AM PDT

There’s a saying I love: “a camel is a horse designed by committee.” A variation is “a volvo is a porsche designed by committee.” Some of the best product advice I’ve ever heard goes something like “damn what the users want, charge towards your dream.” All of these statements are, of course, saying the same thing. When there are too many cooks in the kitchen all you get is a mess. And when too many people have product input, you’ve got lots of features but no soul.

Product should be a dictatorship. Not consensus driven. There are casualties. Hurt feelings. Angry users. But all of those things are necessary if you’re going to create something unique. The iPhone is clearly a vision of a single core team, or maybe even one man. It happened to be a good dream, and that device now dominates mobile culture. But it’s extremely unlikely Apple would have ever built it if they conducted lots of focus groups and customer outreach first. No keyboard? Please.

Digg is sort of on the opposite end of the spectrum. The company has been standing still now for years as Facebook, Twitter and others have run laps around it. But the company is famous for listening to its hard core fanatical users. In 2007, for example, Kevin Rose surrendered to a mob of Digg users who were upset that Digg was blocking stories publishing the decryption key for HD DVDs. He wrote:

But now, after seeing hundreds of stories and reading thousands of comments, you've made it clear. You'd rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won't delete stories or comments containing the code and will deal with whatever the consequences might be.

If we lose, then what the hell, at least we died trying.

Compare his statement to how Facebook routinely handles user revolts – by absolutely ignoring them. Once or twice a year Facebookers get upset that the font changed on the home page, and set up mass protests demanding that things go back to the way they were. Back in 2006 users were angry about the new News Feed and how it affected their privacy (how quaint). Hundreds of thousands of users joined organized protest groups to demand the product be killed. CEO Mark Zuckerberg’s level-headed response: “Calm down. Breathe. We hear you." and "We didn't take away any privacy options."

I’m calling this the Eddie Murphy defensive tactic, and it works really, really well.

User outrage over Holocaust denial? Not a budge. Beacon? Well, that’s the exception that proves the rule. Eventually Facebook did cave on Beacon, but later they just repackaged it and called it Open Graph. What do you think the final outcome of this week’s privacy explosion will be? Yep, you may go pound sand.

The point is Facebook knows what you want and is willing to street fight you in order to give it to you. They may go to jail, or to Hell, for all this (they won’t). But there’s a reason that half of the population of the Internet hits their site every month. This is the Age of Facebook. They know where this train is heading and they are clearing out every obstacle in their path to get there. Angry users are the obstacles. They aren’t cuddled and hugged. They either get out of the way or get run over by the train.

But anyway, back to Digg. They’re the opposite of Facebook because they really like getting the community’s input on things before they roll out. Or after they roll things out and then pull them back in when users get upset.

The HD DVD encryption key is just one example. Digg users also get to veto ads on the site, and are doing so with increasing frequency (oh, the power!). Digg’s most active users form a sort of shadow board of directors that guides the company. The end result is a very nice place to hang out for those 250,000 or so hard core Digg users. But for the rest of the Internet, not so much.

Digg has never had a mainstream crowd on their site, and they never will as long as they even listen to their users, let alone actually take action based on what they say.

Rose’s nature is to be an affable and loquacious guy. People love him, and Kevin loves to be loved. That’s great if you’re thinking of starting a religion or putting on self help seminars. But as soon as you start being a product dictator all those adoring fans start to think you’re a jerk who’s lost his way and never listens. The guy who goes to Las Vegas with Ashton Kutcher to put on a Diggnation show for thousands of people isn’t the guy who has a product vision and drives it home no matter what.

To his credit, Kevin is fighting back. He came back to the company that he essentially walked out on last year out of frustration. He’s gotten his investors to give him six months to show how he can turn Digg around. His core team, including Chas Edwards and Keval Desai, share his new vision, we’ve heard. Maybe something strong is coming soon.

But maybe not. One thing we’ve heard about the new Digg all along is that it is designed to keep the fanatics happy while bringing in the masses. That’s going to be a very difficult thing to do. Sort of like adding a bunch of airbags and cup holders to the Porsche and trying to sell it to soccer moms while maintaining your core customer base of balding, insecure middle-aged men. Bringing peace to the Middle East might be an easier task to take on than making a single product serve the needs of 250,000 hard core Digg….oh how do I put this…morons, as well as the billion or so relatively normal people on the Internet.

If they pull it off I’ll eat a TechCrunch Tshirt on stage at an event right after they’ve done it. But I don’t think they’ll pull it off. I think that they care too much about the hard core users and what those users want in their fantasyland Digg paradise. It’ll have lots of cup holders, that’s for sure. But it sure won’t be a porsche.

The clock is ticking. Kevin has been given six months, we’ve heard, to get this ship going in the right direction. That means big user growth, particularly big U.S. user growth. Right now they’re at just under 10 million U.S. unique visitors (Comscore) per month. I imagine they think something like 50 million would be a nice goal for a year from now. For 50 million U.S. Digg users, I’ll eat that shirt and kiss Kevin Rose’s ring.

Just remember, Kevin, those fanatical users mean well, they really do. But they are nothing but distractions towards a true vision of Digg that will disrupt the way we share and consume news. That was the original promise way back in 2005. Now is your time to shine and show that you aren’t just a really nice, really fun guy. You are a hard core steel eyed product dictator who wants to kick some ass and change the world. And maybe then retire and go on TV a lot.

Fight the urge, Kevin. You want to win the war, not be the most popular startup founder who ever lived. You can be both, actually, but that comes from winning. I know you’re trying your hardest, but Sean Connery put it best when he said:

More Product Housekeeping At Digg: Kalmikoff And Howard Out The Door

Posted: 11 May 2010 11:43 PM PDT

A month ago Digg cofounder Kevin Rose took back control of his company. 13 or so employees were let go, and Rose promised some “crazy shit” product-wise to be announced sometime soon.

More heads are rolling at Digg as the company struggles to reinvent itself. Well known designer Jeffrey Kalmikoff was let go, we confirmed, just months after he moved cross-country to work at Digg. And long time Director of Product Chris Howard is gone as well.

Digg is clearly trying to form the core product team moving forward to create a more customized Digg that will appeal to a larger audience. Old baggage, no matter how talented, is being thrown out for new employees with a different way of thinking about things. Will it work? We’ll all be waiting impatiently. But we believe the biggest obstacle to Digg’s success may be Rose himself. More on that in my next post.

With A Small, Simple Feature, Gmail Continues Its Assault On Desktop Email

Posted: 11 May 2010 11:32 PM PDT

While I occasionally rag on Google Apps for downtime, the fact of the matter is that some of them are getting pretty amazing. The crown jewel is still, of course, Gmail. It’s so good that I haven’t regularly used a desktop email client in years. But despite that fact, there have still been a few things I’ve always missed, such as simple drag-and-drop to insert images into messages. Tonight, that changes.

As Google has just announced on its Gmail blog, the ability to drag images into messages has been added to Gmail. There is no Labs feature to enable, it just works — well, provided you’re using Chrome. (You see the benefit of developing your own browser?) You can simply click on any image on your computer, drag it into your browser window, drop it into the body area of your Gmail email, and it’s instantly inserted in the message.

Sure, it may seem like just a small feature (and it is), but it’s another step towards making browser email just as good as desktop email from a user experience perspective. Yes, you could get images into the bodies of emails before, but you used to have to use a button to do so (which required a few clicks — a pain). And before last year, you actually couldn’t do it at all without using a workaround.

This feature is an extension of the drag-and-drop ability to attach images to emails that Google enabled last month in Gmail.

Google says this feature will be “coming soon” to other browsers.

Another Security Hole Found On Yelp, Facebook Data Once Again Put At Risk

Posted: 11 May 2010 10:55 PM PDT

Stop me if this sounds familiar. Last night, we reported on a security exploit discovered by web security consultant George Deglin that would allow a malicious site to quietly harvest a user’s Facebook friend list, email address, and other data. The exploit used a technique called Cross Site Scripting (XSS) to inject malicious code into Yelp, and took advantage of the fact that Yelp is one of Facebook’s partners for its controversial Instant Personalization feature to harvest the Facebook user data. The hole was quickly patched, and no user data was compromised.

Tonight, Deglin discovered a second hole in Yelp that once again allowed him to inject malicious code using XSS that could put Facebook user data at risk. Yelp has now patched this second hole, and once again the company believes that no user data was compromised. Facebook has turned off Instant Personalization on Yelp for the time being as Yelp looks to ensure there are no more vulnerabilities.

Some Background

Instant Personalization is a new feature that allows a handful of trusted third-party sites to immediately access a user’s Facebook information as soon as the user hits the site (the three launch partners are Yelp, Pandora, and Microsoft’s Docs.com). Unlike standard sites that implement Facebook Connect, these Instant Personalization sites don’t have to prompt users to log in or hit a ‘Connect’ button before Facebook shares data with them. Unfortunately, this also means that when one of these Instant Personalization sites gets compromised, the potential for abuse is much greater than for most standard Connect sites.

Facebook has granted Yelp automatic access to a user’s name, profile photo, friend list, networks, fan pages, and other information that has been shared with ‘everyone’, which could include status updates and some photos depending on the user’s privacy settings. If a malicious site were to compromise Yelp, every time a Facebook user visited that malicious site it would be able to immediately harvest all of this data, even if the user had never actually been to Yelp before.

Why This Is A Problem

We should point out that since last night, Facebook has tightened up the amount of data shared through Instant Personalization. Before last night’s exploit, Yelp was also given automatic access to Facebook users’ email addresses. Facebook says that this was shared because of a bug, and is no longer sharing email addresses with Yelp. The fact that Facebook could have been accidentally handing out user emails isn’t comforting in the slightest, but at least it’s fixed.

With email addresses out of the picture, the only Facebook data that could potentially be accessed through this kind of exploit is information that is shared with ‘Everyone’, which is visible to the public anyway. But even though the type of information being shared is not terribly alarming, the context in which it could be shared is. There’s a reason not every site has access to Facebook’s Instant Personalization.

Using this kind of XSS hole, it would be possible for a malicious ad served by an ad network in an iframe to surreptitiously harvest data about any Facebook user who viewed the ad. The ad could conceivably customize itself to address the user by name or show their profile photo. Likewise, unauthorized third-party sites could use such an exploit to identify their users not just by IP address, but by name, current city, etc.

I don’t mean to pick on Yelp in these cases — XSS vulnerabilities are quite common on the web, and I suspect we’ll see similar exploits on Facebook partner sites in the future. All of which goes to show that no matter how much Facebook tightens its own security, it cannot ensure that its third party partners are secure.

Here’s Yelp’s statement on tonight’s issue:

“We were alerted today of a second XSS vulnerability on our site, which we immediately patched. Again, we have not found any evidence that user information was accessed. The Facebook integration has been temporarily disabled while we conduct a thorough site audit and will be reinstated upon completion.”

And Facebook’s statement:

"We've been alerted to additional vulnerabilities in Yelp's code. In the interest of all our users, we've temporarily disabled their Facebook integration. They are working quickly to resolve the issue."

Thumbs Up On The New AOL Homepage

Posted: 11 May 2010 09:28 PM PDT

Starting today AOL is testing a dramatic new homepage layout with a small percentage of users (something we’ve been expecting to happen sooner or later). This is what the new site looks like to those users – gone is the plain vanilla “portal” look with tons of columnized links to internal AOL content. The test site hits you with a row of large, colorful pictures up top along with related news item headlines. Below are lots more pictures, and all of them are much larger than the old AOL homepage.

Let us know if you see the new page or not, and link to any screenshots that look different than these. We’ve emailed AOL to ask if this is a final look, and when it will launch for everyone. The old site is below.

AOL is actually supporting three different versions of its homepage now: the new test, the current page, and a classic look that you can see by clicking at the bottom of the current one.

Is Bit.ly Awe.sm Or Just Awesome?

Posted: 11 May 2010 08:07 PM PDT

I’m not saying there’s necessarily something nefarious going on here, but judge for yourself.

In their source code, Bit.ly has the word “awesome” as one of their meta keywords. This may just seem like some kooky programmer having some fun — until you remember that one of their main rivals is another URL shortening service called Awe.sm.

Now, Bit.ly is much, much larger than Awe.sm by likely every metric. After all, they were the default URL shortener for Twitter and still are for several of the top Twitter clients. (We also use them to manage our tcrn.ch domain.) They’re now seeing something around 300,000 Bit.ly links being created every 10 minutes and something around 150 million clicks on those links a day. They’re massive.

So it definitely seems like they wouldn’t need to resort to some silly meta keyword tactic to try and draw in web surfers searching for their rival. And yet, there’s the word in the code, clear as day. Bit.ly has included only three keywords in the header, “bit.ly, awesome, url shortener”: two make sense, one does not.

Wiggio Raises $2.1 Million, Prepares For Mobile Launch And Profits (Hopefully)

Posted: 11 May 2010 06:14 PM PDT

Online collaboration tool Wiggio has raised $2.1 million in Series A financing, led by New Atlantic Ventures.

Founded in late 2008, the Cambridge-based company allows users to create online work groups where members can share calendars and files, host web conferences, conduct group polls, and send texts and voice messages. According to CEO Dana Lampert, a large portion of the new funds will be used on Wiggio’s mobile initiatives: the company is on track to roll out a mobile version of its website in mid-June and native apps for the iPhone, Android and Blackberry by mid-summer of this year. The mobile options will have all the functionality of the original site with the exception of video conferencing.

Since its 2009 launch, the free service has attracted 350,000 users and 750 schools. While a variety of small businesses and non-profits are using Wiggio, the company has focused on its core demographic: the college market.

Its user base is relatively modest compared to its larger rivals, like Yammer (which has more than 600,000 users) and Basecamp, but Wiggio is on a steady growth path — in the last 6 months the user base has grown roughly 43%. Lampert says he plans to expand and diversify the user base by increasing the company’s marketing budget and aggressively courting high school and small business groups.

That enterprise community will be critical as Wiggio shifts from a free to freemium model. Next month, the company plans to release a “pro” version that will include new features like increased customization, security upgrades, hourly back-ups and possibly a new tool that will help groups find the best time to schedule events (Lampert hints that it will be something akin to Doodle’s service).

Currently, Wiggio’s monetization scheme is a bit fuzzy — or at least fluid. The company has not set a price for the “pro” package and is still crafting a strategy for advertising on its website. Since it has a variety of groups, Wiggio hopes to create targeted ads tailored to the user’s market. The hope, says Lampert, is to be profitable by early 2011.

Is Google Getting Back Into The Gaming Business?

Posted: 11 May 2010 05:22 PM PDT

Google has tended to stay away from the gaming world for the most part. The search giant did have Lively, a browser-based virtual world that could be embedded into other websites, but that was deadpooled in 2008. According to this job posting, Google is hiring a product management leader for Games.

The posting says that Google is looking to hire an employee to develop Google’s games commerce product strategy and help “build and manage the business with a cross-functional team.”

Whether it be through hiring or acquisitions, there are a number of signs that point to Google moving into the gaming world. Google also recently hired gaming exec Mark DeLoura as “Developer Advocate” for games. And Google just acquired LabPixies, an Israeli game developer.

It makes sense for Google to get into gaming. Not only is it a huge revenue channel, but Google can publish its games easily to a variety of its platforms, including Android, TV and Chrome. This could also be a move to bolster its array of games on Android, which is a weak spot for the mobile platform.

Mozilla CEO John Lilly Stepping Down To Join Greylock Partners

Posted: 11 May 2010 04:44 PM PDT

John Lilly, CEO of the Mozilla Corporation, will be stepping down from the role to assume a position at VC firm Greylock Partners, according to multiple reports. Mozilla is best known for making the Firefox web browser, as well as the Thunderbird email client and numerous other projects. The news was first reported earlier this afternoon by AllThingsD.

Lilly has been at Mozilla since 2005, when he was VP of Business Development. He later became COO in 2006 and then CEO in 2008, taking the helm of the company from Mitchell Baker. Lilly will remain on Mozilla’s Board of Directors, and won’t be leaving the company until a suitable replacement is found.
