FB Graph API Login Security Flaw: Facebook Account Merging using identical email address cannot be trusted
Summary of steps:
- I created a new Facebook Account using an email address I didn’t have access to.
- Facebook asked me to enter my phone number to verify my account. I did.
- I successfully logged in to Facebook.
- I can now log in to other websites using Facebook sign in, and most of the time, immediately gain access to existing regular accounts in that website that use the email address that I used in FB. This is because Facebook provides the unconfirmed email, and yet shows my account as “verified: true”.
There was a Stack Overflow question that got me curious and led me to experiment, and my answer is at http://stackoverflow.com/a/15606442/281021
There’s also another question on Stack Overflow that outlines (with screenshots) the steps at http://stackoverflow.com/q/14280535/281021 .
Facebook can easily fix this by providing only email addresses that are actually confirmed through a confirmation link emailed to that address. They haven’t done that yet.
Meanwhile, developers should be cautious about auto-merging accounts based on an identical email address (which is the recommended user registration flow of Facebook at https://developers.facebook.com/docs/user_registration/flows/ ). Email addresses from the Facebook Graph API cannot be trusted.
Please share this with developers. I hope Facebook does something about this soon.
Update:
I was able to log in to someone else’s Stack Overflow account using the above exploit.
I was not successful in Flowdock, Hootsuite, and Bitbucket. They all ask for the user password before auto-merging accounts. GOOD. :)
Developers should ask for the user password again before auto-merging accounts for security purposes.
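The password check recommended above, sketched in Python as an added example (not code from this post or from any of the sites mentioned). `AccountStore`, the status strings and the sample profile are made up for illustration; the profile dict only assumes the Graph API `id`, `email` and `verified` fields.

```python
import hashlib
import hmac
import os

# Constructed sample: the profile a Facebook sign-in hands to the site.
SAMPLE_PROFILE = {"id": "1001", "email": "victim@example.com", "verified": True}


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Toy in-memory user store (hypothetical, for illustration only)."""

    def __init__(self):
        self.by_email = {}  # normalised email -> account record
        self.by_fb_id = {}  # Facebook user id -> normalised email

    def register(self, email, password):
        salt = os.urandom(16)
        self.by_email[email.lower()] = {
            "email": email.lower(), "salt": salt,
            "pw": hash_password(password, salt), "fb_id": None,
        }

    def facebook_sign_in(self, profile, password=None):
        """Return (status, account) for a Graph API profile dict."""
        fb_id = profile["id"]
        # A previously linked identity is recognised by its Facebook id,
        # never by whatever email the profile currently carries.
        if fb_id in self.by_fb_id:
            return "logged_in", self.by_email[self.by_fb_id[fb_id]]
        account = self.by_email.get((profile.get("email") or "").lower())
        if account is None:
            return "no_local_account", None
        # The email matches a local account. The profile's email and its
        # "verified" flag are not proof of mailbox ownership, so the local
        # password is required before the two identities are merged.
        if account["fb_id"] is not None:
            return "denied", None  # already linked to another Facebook id
        if password is None:
            return "password_required", None
        if not hmac.compare_digest(hash_password(password, account["salt"]), account["pw"]):
            return "denied", None
        account["fb_id"] = fb_id
        self.by_fb_id[fb_id] = account["email"]
        return "linked", account
```

A site would treat `password_required` as the cue to show its normal password prompt, and only after `linked` let the Facebook identity open that account.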
Why I’m so excited for Startup Weekend Cebu - Lessons from Startup Weekend Manila

I had one of the best weekends in my life last week. I met a lot of great people, worked with a great team, and accomplished something great in just one weekend.
I’m so excited for Startup Weekend Cebu! I even invited some people I met in Manila to join the Cebu event, and some of them have confirmed to come! Even one of my teammates is coming over! Woohoo!!
Alright! Here are some of the key insights I got out of Startup Weekend Manila.
1. I need others - and I’m not just talking about a team.
Startups are not just built by teams. They are also built by ecosystems. I totally agree with the statement from Startup Weekend that goes…
It takes a village to raise a startup
That’s very true. The network of people, mentors, and companies present during Startup Weekend gives you a great boost! A boost that we all need.
2. Feedback from anyone is great, but feedback from those who know better is awesome!
Mentors - you can’t have enough of them. They question your ideas. They question your direction. They question everything. They even make you question yourself. Hahaha! But that’s all good, because it makes you realize even further what your idea really is all about, where you are really headed, and if you really are committed to pursuing it.
But what separates mentors from almost everyone else is that they know what kind of questions to ask - usually the questions that you don’t know the answer to or are unsure of. Mentors usually ask the important questions, and that makes all the difference.
3. Less Talk, More Action. Talk and decide on what your MVP is and get started on it right away.
I know Startup Weekend is all about “No Talk, All Action”, but in reality, you have to talk a bit. Haha! The trick is to try to limit all your “talk” on that Friday night right after you form your team.
It’s also important to establish from the very beginning what is your Minimum Viable Product (MVP), and create an action plan on how to accomplish it during the weekend.
4. Practice makes perfect
After going through my first Startup Weekend, I quickly realized how much better it would have been for me to have joined something like it before I ventured into doing my own startup. It could have taught me several key lessons, and saved me from a lot of pain.
Startup Weekend is the startup life squeezed into one weekend. That being said, I’d like to do it again and again and again. Practice makes perfect, they say.
See you in Startup Weekend Cebu!
Startup Asia Singapore 2012
We joined Startup Asia Singapore.
It’s my first time out of the country alone. Well, technically, I wasn’t really alone. I was with my partner, Nicole, and I loved every bit of it. In fact, I’m still loving it here! If I were to pick one thing that I love the most about Singapore, it would be the fact that despite them being very technologically advanced, the air is very breathable! I could even compare the air here to the fresh “bukid” air of Steven’s farm in Bonbon. :)
I learned so much here. :)
Day One
We attended the pitching rehearsals at Singapore Management University.
We arrived a bit late for the rehearsals so we were not able to take that many pictures. But the school was very cool!!! We rehearsed in one of their classrooms that looked exactly like the picture below.

After hearing a few pitches from the other teams, we quickly realized that we were in the same room with founders of companies with also very interesting and innovative ideas. This was going to be a very exciting week!
Day Two
We headed for the final rehearsals at the event venue, Singpost Centre. We pitched on stage, and we were coached by Sir Jeffrey Paine of Founders Institute Singapore and Battle Ventures.
Here are his notes.

We knew we had a lot more to work on. :)
Day Three
This was quite a relaxing day for us. We were pitching on the second day of the event, so we were able to go around and talk with really cool people - founders, media people, investors, and geeks. :)


This was right before the event started. People were at the back checking out the booths. If you notice, the staircase on the upper left of the pic has the word “FAITH” on it. Yup, our venue was in a church. :)

The first set of startups (there were 19 of us in total) pitched today. We quickly realized that the panel of judges was VERY TOUGH. They asked very tough questions, and challenged the ideas of the founders in a very straightforward way. For example, one judge said something like, “I used something similar to your service before, and it’s just very annoying.” Oooooh…. How would you answer something like that? Oh well. Just smile and wave. :)
After the first day, I was able to talk again with Sir Jeffrey Paine (the one who coached us), and I asked him a few questions on how to raise funds from investors. His answers were just brilliant! Among many other great tips, he told me that the easiest way to get funding is to get users first. So much of his advice made so much sense. I wish I had talked to him a long time ago. I even felt that all my expenses for the trip were already worth it after talking with him for about 15 minutes. :)
Day Four
Today is PITCH DAY for us. And we are so glad that we did well. Thank you, Lord! :)
Link to the Startup Asia Article of SpellDial
Teamie won first place. :)
Shivanu from Teamie, Me, Min Ku of Waffle, and Kwangmin of Waffle.

Though we didn’t win any prize, the lessons we learned, the people we met, and the experience we had fully outweighed all the investment we put in for this trip.
To all our friends and family who supported us, thank you so much!
Special shout outs to Willis Wee and the Penn Olson Team, David Cua, Jen Sarmiento, Tito Em and Tita Lollette, Sir Rod, Ate Ana, Pastor Doug and Jonina, our parents, my brothers and sisters, Chuck, and everyone who prayed for us!
We thank you very much!!!
Above all, we thank God for answering our prayers. :)
Now this, is just too awesome… :)
(via uraniaproject)
"Of course it sucks. It's made of software.": The Unofficial Google App Engine Price Change FAQ
I don’t work for Google, but I read the mailing lists and pay attention. Also, I show up at places where Google buys beer. Here’s what I’ve learned:
What is changing?
Google is changing the way it charges for App Engine. Previously, you were charged for three things:
- Bandwidth in/out
- Data…
Google AppEngine Workshop 1 - the Aftermath
Last July 9, 2011 we held the first ever (I think) Google App Engine Workshop in Cebu City. Everyone was so excited about it that slot reservations even ran out less than 24 hours after they were released. We held it at Exist’s TechBar at IT Park.
Our really cool venue! Many thanks to Exist who lent us the venue, and Ida Ortiz who made this happen!

The participants! Most were graduating students!

And some were professionals already, as well as teachers in some colleges (Cool!)…

And some of the participants who preferred to stay in the couch (because we ran out of table space)…

That’s my attempt at teaching…

And coaching… :D

And of course, we had snacks! Well, those are just the cups for the participants that our team laboriously labeled by hand… Thanks to the SpellDial Team who supported and helped out! :D

Thank you also to all my friends who supported us to make this event a reality!
So how did it go? Well, I heard some of the participants say, “Wow! And I thought 6 hours was going to be pretty long… In fact, I learned so many things that I didn’t notice that the time was flying by so fast…” Cool! I’m happy that you guys learned a lot!
Towards the end of the workshop, we held a mini-hackathon so that they could create their own apps using what they had just learned.
Lo and behold! They created so many awesome apps (for the short time that was allotted), and one even made an app gallery to showcase some of the apps! Not all of them added their apps there… Boo… Nevertheless, I’m proud of all of you guys! Enjoy! :D
Application Gallery: http://application-gallery.appspot.com
Link to Workshop Slides (It’s really only useful when I’m talking alongside it). :D
Special thanks also to DevCon for supporting us! If you notice, I’m wearing the DevCon shirt. :D
Oh, and one more thing! The cool people from Exist are currently hiring. So if you want to join their team, go ahead and click below!
SpellDial: SpellDial at the ON3 Pitching Competition
Author: Paola Galan (Business Development)
Manila, July 26-30, 2011
Five of us flew to Manila for the final round of the ON3 pitching competition. Aside from myself, the others who went were Albert Padin (Founder and CEO of SpellDial), and others from the Business Development team: Nicole…
SpellDial: SpellDial shirts - woohoo! :D
Hallooooo friends! To those who inquired for the prices of the T-shirt, it is P300.00. To those who will buy, you are actually supporting SpellDial raise funds to go to Manila to participate in the final round of the On3 Pitching Competition. Winners of that competition will go to Silicon…
Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo. You can quote them, disagree with them, glorify or vilify them. About the only thing you can’t do is ignore them. Because they change things. They push the human race forward. And while some may see them as the crazy ones, we see genius. Because the people who are crazy enough to think they can change the world, are the ones who do.
Round 2!! Another Google AppEngine Workshop

If you wanted to join the Google AppEngine Workshop, but weren’t able to successfully reserve a slot, don’t worry! There’s no need to sulk. We’re holding another one just for you the Saturday right after the first one.
Topic: Google AppEngine Workshop - A Crash Course
Speaker/Facilitator: Albert Padin, Founder of SpellDial.com
Venue: CEDF-IT Training Room (CEDF-IT is in the North Part of the “E-Office One Bldg” in this Map, Corner of W. Geonzon and Inez Villa Streets, Asiatown I.T. Park)
Date: July 16, 2011 (Saturday)
Time: 2pm - 8pm *Participants are required to arrive on time, and stay until 8pm. If unable, please share to your friends who have sooo much free time. Thanks! :D
Requirements:
- Bring your own laptop (and charger) with GAE SDK for Python installed. If you don’t have the GAE SDK for Python installed yet, you can get it thru the GAE Website. Please verify that it is installed properly. We don’t want to waste time in troubleshooting installation issues.
- If you have an Internet USB Stick (Smart Bro, Globe Tattoo, and the like), please bring it along so that we won’t congest the internet connection.
- Get a Ticket/Register thru our Online Event Registration Page. 25 slots only. (NO NEED TO PRINT THE TICKET. JUST BRING AN ID ON THE EVENT)
- Bring some snacks to munch on, and share!! Share some snacks, win a friend! :D
Many thanks to sir Jun Sa-a of CEDF-IT for lending us their Training Room, and Ate Tins and her team from TechTalks.ph for sponsoring the air-conditioning costs, as well as helping us put this together (again. Ate Tins, you are amazing! Thank you!). :D

