Node.js 8.5.0 released

A brand new version of Node.js is available now, with cool new features
13 September 2017

A new version of the popular JavaScript framework has been released.

Let's see what's inside!

  • build
    • Snapshots are now re-enabled in V8 
  • console
    • Implement minimal
  • deps
    • upgrade libuv to 1.14.1 
    • update nghttp2 to v1.25.0 
  • dns
    • Add verbatim option to dns.lookup(). When true, results from the DNS resolver are passed on as-is, without the reshuffling that Node.js otherwise does that puts IPv4 addresses before IPv6 addresses. 
  • fs
    • add fs.copyFile and fs.copyFileSync which allows for more efficient copying of files.
  • inspector
    • Enable async stack traces #13870
  • module
    • Add support for ESM. This is currently behind the --experimental-modules flag and requires the .mjs extension, for example: node --experimental-modules index.mjs
  • napi
    • implement promise 
  • os
    • Add support for CIDR notation to the output of the networkInterfaces() method.
  • perf_hooks
    • An initial implementation of the Performance Timing API for Node.js. This is the same Performance Timing API implemented by modern browsers with a number of Node.js specific properties. The User Timing mark() and measure() APIs are implemented.
  • tls
    • multiple PFX in createSecureContext 
  • Added new collaborators
    • BridgeAR – Ruben Bridgewater
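
The cidr field that os.networkInterfaces() now reports makes it straightforward to test whether a peer address sits on a directly attached subnet, for instance before accepting a connection on an internal-only listener. The following is an added example, not code from the Node.js project or from this article; the function names and the SAMPLE data are constructed for illustration, and only IPv4 is handled.

```javascript
// Added example: check whether a peer is on a directly attached IPv4 subnet.
const os = require('os');

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when `ip` falls inside `cidr`, e.g. "192.168.1.10/24".
function inCidr(ip, cidr) {
  const [base, bitsStr = ''] = String(cidr).split('/');
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  const bits = Number(bitsStr);
  if (a === null || b === null || !/^\d{1,2}$/.test(bitsStr) || bits > 32) return false;
  const size = Math.pow(2, 32 - bits); // number of addresses in the block
  return Math.floor(a / size) === Math.floor(b / size);
}

// CIDR strings of non-loopback IPv4 interfaces; `cidr` is null for an invalid netmask.
function attachedSubnets(ifaces = os.networkInterfaces()) {
  const out = [];
  for (const name of Object.keys(ifaces)) {
    for (const addr of ifaces[name] || []) {
      const v4 = addr.family === 'IPv4' || addr.family === 4;
      if (v4 && !addr.internal && addr.cidr) out.push(addr.cidr);
    }
  }
  return out;
}

const isOnAttachedSubnet = (ip, ifaces) => attachedSubnets(ifaces).some((c) => inCidr(ip, c));

// Constructed sample in the shape os.networkInterfaces() returns.
const SAMPLE = {
  lo: [{ address: '127.0.0.1', family: 'IPv4', internal: true, cidr: '127.0.0.1/8' }],
  eth0: [
    { address: '192.168.1.10', family: 'IPv4', internal: false, cidr: '192.168.1.10/24' },
    { address: 'fe80::1', family: 'IPv6', internal: false, cidr: 'fe80::1/64' },
  ],
};
```

Subnet membership is a coarse network filter rather than authentication, so it belongs in front of, not in place of, a credential check.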

Learn more and download at the official website

Third Party Apps Could Read Twitter Messaging

According to the company, no one used this vulnerability and the issue is now solved
18 December 2018

Until the beginning of December, third-party applications could access Twitter private messages. According to the company, no one took advantage of this vulnerability. Terence Eden, who found it, was paid almost $3,000 under the Bug Bounty program.

In 2013, keys to the Twitter API were leaked, so applications could access the interface bypassing the social network. To protect users, Twitter implemented an application authorization mechanism based on predefined addresses (Callback URLs), but it didn't suit everyone.

Applications that do not support Callback URLs could authenticate using PIN codes. With this type of authorization, a window pops up listing the data the user is opening up for access. The window did not request access to private messages, but in fact the application received it.

On December 6, Twitter reported that it had solved the problem. Judging by the company's statement on the HackerOne website, no one had time to take advantage of this vulnerability.

This is not the first API-related security error at the social network. In September, Twitter discovered a bug in AAAPI (Account Activity API): the system sent a copy of the user's personal message to a random recipient.