Update: download the new Pokemon Go app – it fixes all of this. Download it, and reauth, and you should be set. The grant scopes and prompt are correct and visible now too! Now if only I could actually find a pikachu…
Pokemon tokens are requested with these understandable scopes:
Going through the auth process on the device yields a bearer token at the end of the exchange. According to Google, Google's OAuth playground, and the tokeninfo endpoint, that token has access to:
List of all services this token can be used with, according to Google
Google Apps Script Execution API v1
- Run Scripts: Runs a function in an Apps Script project that has been deployed for use with the Apps Script Execution API. This method requires authorization with an OAuth 2.0 token that includes at least one of the scopes listed in the Authentication section; script projects that do not require authorization cannot be executed through this API. To find the correct scopes to include in the authentication token, open the project in the script editor, then select File > Project properties and click the Scopes tab.
Google Dataflow API v1b3
- Jobs Projects: Creates a dataflow job.
- Jobs Projects: Gets the state of the specified dataflow job.
- Jobs Projects: Request the job status.
- Jobs Projects: List the jobs of a project.
- Jobs Projects: Request the job status.
- Jobs Projects: Updates the state of an existing dataflow job.
- Jobs Projects: Leases a dataflow WorkItem to run.
- Jobs Projects: Reports the status of dataflow WorkItems leased by a worker.
- WorkerMessages Projects: Send a worker_message to the service.
Google People API v1
- Get People: Provides information about a person resource for a resource name. Use people/me to indicate the authenticated user.
- GetBatchGet People: Provides information about a list of specific people by specifying a list of requested resource names. Use people/me to indicate the authenticated user.
Google+ Domains API v1
- Get Activities: Get an activity.
- Insert Activities: Create a new activity for the authenticated user.
- List Activities: List all of the activities in the specified collection for a particular user.
- List Audiences: List all of the audiences to which a user can share.
- Insert Circles: Create a new circle for the authenticated user.
- List Circles: List all of the circles for a user.
- Insert Media: Add a new media item to an album. The current upload size limitations are 36MB for a photo and 1GB for a video. Uploads do not count against quota if photos are less than 2048 pixels on their longest side or videos are less than 15 minutes in length.
- Get People: Get a person's profile.
- List People: List all of the people in the specified collection.
Consumer Surveys API v2
- Get Mobileapppanels: Retrieves a MobileAppPanel that is available to the authenticated user.
- List Mobileapppanels: Lists the MobileAppPanels available to the authenticated user.
- Update Mobileapppanels: Updates a MobileAppPanel. Currently the only property that can be updated is the owners property.
- Get Results: Retrieves any survey results that have been produced so far. Results are formatted as an Excel file.
- Get Surveys: Retrieves information about the specified survey.
- Insert Surveys: Creates a survey.
- List Surveys: Lists the surveys owned by the authenticated user.
- Start Surveys: Begins running a survey.
- Stop Surveys: Stops a running survey.
- Update Surveys: Updates a survey. Currently the only property that can be updated is the owners property.
Google+ API v1
- Get Activities: Get an activity.
- List Activities: List all of the activities in the specified collection for a particular user.
- Search Activities: Search public activities.
- Get Comments: Get a comment.
- List Comments: List all of the comments for an activity.
- List People: List all of the people in the specified collection.
- ListByActivity People: List all of the people in the specified collection for a particular activity.
- Search People: Search all public profiles.
Google OAuth2 API v2
- Get Userinfo
- V2 Userinfo
Conclusion
There is an undocumented flow by which a token carrying the https://www.google.com/accounts/OAuthLogin scope can be exchanged for a session token on Google properties. I believe this is a mistake on Google and Niantic's part, and isn't being used maliciously in the way that was originally suggested. It appears that using this token in the way that was initially suggested would still be difficult with this grant, because the grant is not meant for programmatic use (unless there is another hidden API somewhere that issues API tokens). Omitting this scope seemed to change the consent prompt from "Full account access" to "Basic user information", and that is likely what Niantic will do to update the client. The auth flow is confusing, and Google's consent prompt should reflect that logging in with this scope can yield a token that can be exchanged for sessions on Google properties. IMO, Google shouldn't be giving out this scope to non-Google apps.
Given that Google is going to be retroactively re-scoping tokens to remove this possibility, Pokemon Go should be safe to play on iOS in the next couple of days, or even now. Go have fun and play a game 🙂
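As an added example (not code from this post, from Niantic, or from Google), here is the check the post performs by hand with Google's tokeninfo endpoint, together with the client-side fix the conclusion predicts: a Python script that parses a tokeninfo response, flags any granted scope outside an allowlist, calls out https://www.google.com/accounts/OAuthLogin as over-permissioned, and refuses to build an authorization request that includes it. The allowlist, the sample tokeninfo document and the client id inside it are constructed for illustration and are not the real app's values.

```python
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional

# Google's public token introspection endpoint (query with access_token=...).
TOKENINFO_URL = "https://www.googleapis.com/oauth2/v3/tokeninfo"
AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"

# Scopes a sign-in-only game client plausibly needs. This allowlist is an
# assumption for illustration, not Niantic's real configuration.
ALLOWED_SCOPES = {
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/plus.me",
}

# Scopes whose effective power is far broader than their name suggests.
# OAuthLogin is the one the post identifies: the access token can be traded
# for a web session on Google properties, which is why the consent prompt
# reads "Full account access" when it is requested.
DANGEROUS_SCOPES = {
    "https://www.google.com/accounts/OAuthLogin":
        "exchangeable for a Google web session (uberauth / MergeSession)",
}


@dataclass
class ScopeAudit:
    client_id: Optional[str]      # 'azp' / 'aud': which OAuth client holds the token
    scopes: List[str]
    unexpected: List[str]         # granted but not in ALLOWED_SCOPES
    dangerous: Dict[str, str]     # granted and known to be over-permissioned
    expires_in: int

    @property
    def verdict(self) -> str:
        # Mirrors the two consent-prompt labels the post describes.
        return "Full account access" if self.dangerous else "Basic user information"


def parse_tokeninfo(body: str) -> ScopeAudit:
    """Turn a tokeninfo JSON document into an audit result."""
    info = json.loads(body)
    if "error" in info or "error_description" in info:
        raise ValueError(f"tokeninfo rejected the token: {info}")
    scopes = info.get("scope", "").split()
    return ScopeAudit(
        client_id=info.get("azp") or info.get("aud"),
        scopes=scopes,
        unexpected=[s for s in scopes if s not in ALLOWED_SCOPES],
        dangerous={s: DANGEROUS_SCOPES[s] for s in scopes if s in DANGEROUS_SCOPES},
        expires_in=int(info.get("expires_in", 0)),
    )


def audit_access_token(access_token: str) -> ScopeAudit:
    """Live lookup against Google (needs network); not used by the offline demo."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(url, timeout=10) as resp:
        return parse_tokeninfo(resp.read().decode())


def build_auth_url(client_id: str, redirect_uri: str, requested: List[str], state: str) -> str:
    """The authorization request a fixed client should send: allowlisted scopes
    only, and never an over-permissioned one. Raises instead of silently
    widening or narrowing what the user will be asked to consent to."""
    bad = [s for s in requested if s in DANGEROUS_SCOPES]
    if bad:
        raise ValueError(f"refusing to request over-permissioned scope(s): {bad}")
    unknown = [s for s in requested if s not in ALLOWED_SCOPES]
    if unknown:
        raise ValueError(f"scope(s) not on the allowlist: {unknown}")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(requested),
        "state": state,  # CSRF binding; a real client also adds PKCE
    }
    return AUTH_URL + "?" + urllib.parse.urlencode(params)


def report(audit: ScopeAudit) -> str:
    lines = [f"client: {audit.client_id}", f"verdict: {audit.verdict}"]
    for s in audit.unexpected:
        lines.append(f"  ! {s}: {audit.dangerous.get(s, 'not on the allowlist')}")
    return "\n".join(lines)


# Constructed sample response in the tokeninfo format; the client id and scope
# set are placeholders, not values captured from the real app.
SAMPLE_TOKENINFO = json.dumps({
    "azp": "000000000000-example.apps.googleusercontent.com",
    "aud": "000000000000-example.apps.googleusercontent.com",
    "sub": "1234567890",
    "scope": " ".join(sorted(ALLOWED_SCOPES) + ["https://www.google.com/accounts/OAuthLogin"]),
    "expires_in": "3599",
    "access_type": "offline",
})

if __name__ == "__main__":
    print(report(parse_tokeninfo(SAMPLE_TOKENINFO)))
```

Run as-is, the sample is classified as "Full account access" with the OAuthLogin scope flagged; pass a real bearer token to audit_access_token to reproduce the post's check against Google, and feed the same scope list through build_auth_url to see the request a client with the scope removed would make.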
An update and info about https://www.google.com/accounts/OAuthLogin
I spent the night digging to understand why this specific grant is "more permed" than the others, and uncovered some very interesting and undocumented information. Very little is documented about this uberauth mechanism; however, it can be used to access more than the initial scope of the OAuth grant. It's the mechanism Chrome uses to log you into Google properties automatically.
It appears that only specific projects (including Pokemon Go's) can request this specific type of auth.
It IS possible to exchange an access token that carries https://www.google.com/accounts/OAuthLogin for a specific token called an uberauth. That token can then be used to open a web session on any Google property, which is what the "Full Account Access" label amounts to.
The token that gets generated must be exchanged for one of these "more powerful" tokens to be useful, and the article below by Duo covers how this process can work. While monitoring the app, I did not see any activity from the app's side to exchange a token for this, and it appears that this level of access is not designed to be used programmatically (via APIs), but rather via a web browser. Making use of this access programmatically seems difficult; however, there may be additional undocumented APIs that would allow an exchange for an API token of sorts.
The app uses binary blobs to communicate with Niantic's servers, so I can't speak to whether they are storing or even seeing these tokens. Given Niantic's response, it appears that they are most likely going to remove this scope in a new version of the Pokemon Go app.
In summary:
- The direct token that Niantic gets can't access the Gmail API or the Google Calendar API.
- However, the token could potentially be exchanged through the undocumented /MergeSession mechanism to create a web session logged in as you on any Google property.
- I haven't seen the app try to exchange this token for an ubertoken while poking at it.
- The app communicates with Niantic using binary blobs and theoretically could send this token to them.
- This lines up with Niantic's and Google's statements.
- Undocumented parts of the auth flow are bad, and can lead to problems like this ambiguity.
- This token is over-permissioned, due to the https://www.google.com/accounts/OAuthLogin scope.
- This OAuth flow is special: it doesn't prompt you for confirmation on additional authorizations. Given that the client secret is embedded in the app, this is worrisome.