javascript
Latest
New Android exploit can hack any handset in one shot
Hackers have discovered a critical exploit in Chrome for Android reportedly capable of compromising virtually every version of Android running the latest Chrome. Quihoo 360 researcher Guang Gong demonstrated the vulnerability to the PSN2OWN panel at the PacSec conference in Tokyo yesterday. While the inner workings of the exploit are still largely under wraps, we do know that it leverages JavaScript v8 to gain full administrative access to the victim's phone.
Firefox has a new security hole, but you can already patch it
Yesterday, someone noticed that an ad from a Russian news site was exploiting a serious vulnerability in the Firefox browser. According to a Mozilla security post, the attacker was able to bypass the browser's "origin policy" (its front line of security), inject a malicious javascript script and download sensitive local files to a server in the Ukraine. Mozilla said the attack was "surprisingly developer-focused for an exploit launched a general audience news site," because it hunted browser and FTP configuration files. It added that the "exploit leaves no trace that it has run on the local machine."
Internet pictures can hide code that leaves you open to hacks (update: criticism)
You might want to be more cautious the next time you click on an internet image link sent by a stranger -- much like the pirate cat photo you see above, that adorable picture could be hiding something sinister. Security researcher Saumil Shah has developed a security exploit that uses steganography to slip malicious JavaScript code into an image file. If you happen to view the picture in a vulnerable web browser, it opens the door to installing malware or directly hijacking your computer. And this sort of attack is definitely usable in the real world, as Motherboard found out first-hand.
New web privacy system prevents your data from leaking to other sites
One of the biggest threats to your online privacy is the mixture of code that you'll find on some websites. It's all too easy for a legit-looking page to hide data-stealing code, or for innocent sites to accidentally expose your info. If Google, Mozilla and researchers have their way, though, you won't have to worry quite so much about where that info is going. Their new COWL (Confinement with Origin Web Labels) system prevents JavaScript from sharing data with outside websites that aren't explicitly approved; even when the data gets the all-clear, it won't necessarily spread anywhere else. In theory, it should be harder for ne'er-do-wells to hijack a page and grab sensitive content without your knowledge, or simply for you to lose control of where that content goes.
'Minecraft' add-on helps you learn programming while you play
Programming languages can be daunting to learn, especially if you're a kid who'd rather be playing games than creating them. Thankfully, ThoughtSTEM has found a way to make coding both accessible and entertaining in one shot. Its upcoming LearnToMod software teaches you how to write JavaScript code by producing Minecraft mods that are appropriate to your skill level. If you're just starting out, you can use building blocks of code that produce simple-yet-fun features, such as a bow that shoots teleporters. Advanced students, meanwhile, can write in raw JavaScript and produce content that you wouldn't think was possible in Minecraft's cuboid universe, such as a Tetris mini-game.
How well do Uber drivers rate you? (update)
Uber's car service lets you rate your drivers, but it also lets them rate you. The customer might always be right, but some customers are simply jerks -- and the system lets drivers know what they might be in for. Until now, there's been no way to draw out your customer rating from the app, but with a little Javascript magic, courtesy of Aaron Landy, you can cajole Uber's mobile site into spitting out your rating, out of 5. Log into Uber's mobile site, then open the console (for Chrome: View -> Developer -> Javascript Console from the drop-down menu), and paste some javascript code in. The browser will reload, and you'll need to paste the code again. Another reload, and a popup will offer up your user details and your passenger rating. The hack might even the odds a little: drivers have been able to see how passengers have ranked their rides for a while. It's like leaving feedback on eBay all over again. Update: It appears Uber noticed the sudden influx to its mobile site and has now patched the JavaScript 'hack.'
New plugin-free web games run (almost) as well as their desktop counterparts
So far, sophisticated 3D web games have typically required either a plugin (think Quake Live) or a special environment where they can run native code. While those are just dandy, they aren't really web games, are they? That's going to change shortly, as Trendy Entertainment has revealed plans to launch truly web-based versions of both Dungeon Defenders Eternity and the upcoming Dungeon Defenders II. Both Unreal Engine-based titles use a mix of open standards like WebGL, Web Audio and Mozilla's heavily tuned JavaScript web code (asm.js) to handle desktop-level 3D and sound in your browser at "near native" speeds. You may not notice the difference at all, provided you're on a reasonably quick PC.
Breach is a completely modular, hackable and open source web browser
When it comes to surfing the web, our options are limited: the market is dominated by three or four mainstream web browsers, all of which share major similarities in design and function. Unless you want to build your own browsing program, you're stuck with their modern browsing paradigms. For San Francisco programmer Stanislas Polu, that wasn't good enough, so, he created Breach -- an open source modular web browser designed to allow anybody to tweak and modify it on a whim.
Twitter turns off Tweetdeck to 'assess' JavaScript security breach (update: it's back)
If you're a Tweetdeck user and can't login right now -- there's a reason. The service's webapp contained a vulnerability that let it run scripts embedded in tweets; just reading a tweet could cause a popup to appear on your screen, redirect you to another website, hijack your account or even cause you to retweet something without knowing. Since Tweetdeck is used by many of the social media managers for widely-followed accounts, a flaw that spreads itself could quickly replicate across the service.The official Tweetdeck account claimed the vulnerability was fixed earlier, but that doesn't appear to have worked, and as a result, Twitter has taken the service down "to assess today's earlier security issue." Even though you can't login right now, it would probably be a good idea to revoke the service's access to your account entirely until things are resolved. Update: Tweetdeck says it's verified a security fix and turned the service back on -- who wants to be the first to confirm if it's actually safe? [Image credit: Simon Dawson/Bloomberg via Getty Images]
Google's new Chrome experiment lets you remix the Rubik's Cube
Sure, you could spend a while trying to solve the Rubik's Cube in Google's new Doodle, but that may get a little dry. Google was clearly prepared for that eventuality, though: it has just launched the Cube Lab, a Chrome experiment that lets you build your own internet-based puzzle. So long as you're good with modern web code, you can produce a unique Rubik's Cube with its own artwork, effects and even logic. The 808 Cube is all about music-making, for instance. Even if you're not a programmer, it's worth checking out the ready-made Lab examples to have some fun. We just wish we'd had this when we were kids -- it would have kept us playing with Rubik's Cubes long after the original got buried in the closet.
Windows Phone 8.1 leak reveals new messaging and storage settings, and more
Up until now, the most we'd heard about the next rumored update to Microsoft's Windows Phone OS centered on two features: Cortana, the company's Siri-like digital assistant, and Action Center, its native notification center. Today, however, we have a clearer idea of where Windows Phone 8.1 could be headed thanks to a Reddit user who's allegedly gained access to the new SDK as part of Microsoft's developer preview program.
Dungeon Defenders dev announces cross-platform shooter Monster Madness Online
Dungeon Defenders developer Trendy Entertainment and its new indie subsidiary Nom Nom Games announced a new cross-platform, RPG-like shooter called Monster Madness Online today. The free-to-play game places combatants in the shoes of one of four minors in Suburbia City, which has been overrun by invading Martians whose powerful Monster Tokens apparently don't affect the kids of the town. Monster Madness Online is billed as the first 3D action game to use Mozilla's asm.js technology, which enables Nom Nom Games to take advantage of a higher level of JavaScript development. This offers developers the ability to insert physics, 3D graphics, multiplayer networking, advanced animation and other beefier game elements into their browser-based projects without the use of a proprietary plugin. Trendy Entertainment Co-Founder and CTO Jeremy Stieglitz explained the developer's use of asm.js in a separate trailer, found after the break. The game is expected to fully launch in May 2014 for PC, Mac, Linux, Android, iOS and any web browser of choice. An online, pre-alpha PvP version of Monster Madness Online is available to try out now on the game's website.
Internet Archive brings bygone games and programs to the browser
One of the inherent downsides of technology's rapid advancement is how much of its history gets left behind with each new plateau we reach. However, the great minds at the Internet Archive (IA) have come up with a way to not only preserve our past, but make it accessible via the Javascript MESS emulator that can run a slew of classic games and programs in your browser. Next time you have a hankering to futz with WordStar or play E.T. The Extraterrestrial at work, you won't have to go blow the cobwebs off the relics sitting in the office supply closet, you can just check out the IA's Historical Software Collection. From there, you're but a few clicks away from reliving a curated swath of computing's best (and worst) moments. Now if you'll excuse us, we're going to be playing The Hobbit for the the foreseeable future. [Image credit: wizzer2801/Flickr]
Arcade Fire's 'Just a Reflektor' music video takes cues from your smartphone
Arcade Fire already knows how to immerse its fans in a web music video. For its new "Just a Reflektor" video, though, it's also bringing smartphones into the action. The band's Chrome-based project links a PC to a mobile device through a webcam, turning the handheld into a visual effects controller -- halos, reflections and wireframes in the video adapt to every movement. As the experiment is open source, viewers can even tinker with the web code (primarily JavaScript and WebGL) to build their own masterworks. Whether or not you're a fan of Arcade Fire's indie rock, you'll likely want to give "Reflektor" a look for curiosity's sake; just don't be surprised when the video looks back.
Nintendo's Wii U Web Framework now allows for eShop purchases like DLC
Nintendo's Web Framework for Wii U now includes eCommerce support, manager of developer relations Martin Buchholz revealed at GDC Europe. When using the updated framework, developers can monetize their games after launch with items such as DLC. The Nintendo Web Framework allows developers to craft and prototype apps for the console using HTML5, JavaScript and CSS. The framework was announced at GDC in March, along with Unity support for Wii U.
Tor browser for Windows exploit discovered, malware may be gathering info for Uncle Sam (updated)
It was just over two years ago that the paragon of internet privacy, the Tor project, decided to build its own browser by forking Firefox. Wired reports that an exploit of that very same browser has been recently discovered that allowed a number of users' Windows computers to be infected with malware. Once installed, the code delivered infected machines' hostnames and MAC addresses to a remote web server in Reston, Virginia, a city located just outside Washington D.C. The browser exploit -- a JavaScript vulnerability inherent to Firefox version 17, the version upon which the Tor browser was built -- was enabled by a breach of Freedom Hosting servers. In this case, affected Freedom Hosting servers delivered web pages to users with the JavaScript exploit embedded in them. There's no direct evidence that the malware comes from the government, but the malware's command and control IP address is registered to a governmental defense contractor. Plus, the data pulled from infected machines indicates it could be an example of the FBI's computer and internet protocol address verifier (CIPAV) software first identified by Wired in 2007. CIPAV has been used by the FBI to help identify and catch terrorists, hackers and criminals since 2002, but the exact nature of the software has never been revealed. Regardless, the vulnerability in the browser has been identified and fixed, so users need only update to the newest version of the Tor browser to keep their web traffic away from prying eyes... for now, at least. Update: To be clear, the Firefox exploit in question was fixed, along with the Tor browser well over a month ago, and any users who have updated since June 26th were not affected.
Firefox updated to support 3D games, video calls and more
The latest version of Firefox (22) is full of big new features. Most notably, the latest update adds support for 3D gaming (care of Epic Games), for video and voice calls as well as file sharing "without the need to install additional software or use third-party plugins," and for a new version of JavaScript that Mozilla's calling, "supercharged." Mozilla's even got a 3D game for you to play called BananaBread, so you may put the company's claims through the wringer. Should that not be enough for you diehard Firefox devotees, there's also a thrilling update that'll show download progress on OS X directly in the Dock icon. Take a breath and a seat, and maybe download the latest Firefox build right here when you've cooled down.
Google's Dart SDK and Editor arrive as beta with focus on performance
Dart isn't conquering the world wide web just yet, but that doesn't mean Google is giving up on its darling programming language. The internet giant has just released the first beta of the SDK and Editor, and the update's focus is obvious: speed. The analysis engine, which is responsible for altering you to errors in your code, has been revamped and is now 20 percent faster, according to Google. There are a whole bunch of new features designed to simplify development too, such as the ability to import or rename libraries. And the Editor's autocomplete engine is now "camelcase aware," meaning when you type "iE" the editor tracks down "isEmpty." Dart code compiled to JavaScript now results in significantly smaller file sizes and Dart VM performance has supposedly been boosted by between 33 and 40 percent. Oh, and there's much, much more... this is just the SparkNotes, folks. For the full change log hit up the source.
DevJuice: Apple's ObjC-JavaScript Bridge
In a new post at his Steamclock Software blog, Nigel Brooke writes how Apple has added new Objective-C-to-Javascript bridging to WebKit: "This new API supports straightforward embedding of the JavaScriptCore interpreter into native Objective-C projects, including reading and writing variables and object members with appropriate type coercion, calling methods on JavaScript objects, and directly binding Objective-C objects into JavaScript." The API performs its bridging using Objective-C protocols, enabling you to bind JavaScript calls to Objective-C implementations. If you'd like to give the tech a test, Brooke has posted a working sample project at github. Hat tip iOS Dev Weekly
Google unveils 'Save to Drive' button for websites, streamlines content delivery to cloud storage
Google Drive may be playing catch-up to its competitors in some ways, but the cloud storage team in Mountain View is forging ahead in others. Today, Big G announced a 'Save to Drive' button that allow users to save content directly from websites to Google-fied cloud lockers. Adding the button's easy, as it only requires a few lines of HTML, and a JavaScript API allows web admins to control their behavior. Folks looking to take advantage of the new button can learn more about it on the Google Developers portal, and as for the rest of us, we'll just enjoy the fruits of your labor.
