by Jason Kincaid on November 5, 2009

A Facebook developer named Yvo Schaap has uncovered a massive security flaw present on both Facebook and MySpace that would give hackers the ability to steal all of your account data, including your photos, personal messages, and basically everything else you’ve ever put on the social networks, without you ever realizing it.

Schaap stumbled upon the exploit and contacted both Facebook and MySpace. According to his blog, MySpace has since fixed the bug, and while his blog indicates that Facebook is still working on it, we’ve confirmed that they’ve fixed it as well (we’re waiting on a statement from MySpace). So what exactly could the exploit do? From Schaap’s blog:

You don’t need much time to think of all the ways this could be exploited. All that has to happen is an active session, or an “auto login” cookie and a URL which hosts an exploiting Flash file. For example, when accessed, an automatic “post update” could be made that would lure friends of the user to access the exploit URL, and the exploit would spread virally. A more invasive and hidden exploit could harvest all the user’s personal photos, data and messages to a central server without any trace, and there is no reason why this wouldn’t be happening already with both Facebook and MySpace data.

by Leena Rao on November 5, 2009

More expansion news from Adeo Ressi’s Founder Institute. The startup incubator is steadily expanding. It recently opened up an outpost in Seattle, and now is expanding to New York. “New York City needs a kick in the pants,” says Ressi.

The Winter New York City Semester will be led by Razorfish co-founder Craig Kanarick. Mentors for the program will include Munjal Shah, Patrick Keane, Max Hoat and others. You can apply here.

by Michael Arrington on November 4, 2009

It wasn’t all that long ago that Digg captured our collective imagination. In fact, even last year Google thought it was important enough to seriously consider buying Digg, only to back out at the last minute. Digg was the future of news. It was crowdsourced, democratic editorial. The masses decided what was news, not some 50 year old guy in a skyscraper in New York, who secretly hated the Internet.

A lot of the shine has come off Digg. And while it still drives a tremendous amount of traffic, it’s amazing to see just how completely it has been eclipsed by Twitter, which in turn is still just a drop in the Facebook bucket.

Comscore worldwide data says Digg, Twitter and Facebook have 32 million, 58 million and 411 million unique monthly visitors (September 2009), respectively. Google Trends says much the same thing, but the growth over time is fascinating visually. We started with Digg, then added Twitter, and then added Facebook. In the end, Digg and Twitter are just footnote blips in the chart.

About a third of all Internet users worldwide visited Facebook in September 2009, says Comscore. A year ago it was 17%. And what about Digg? They grew from 15 million worldwide unique visitors a year ago to 32 million today. And they tripled page views to 171 million. So it’s not really about Digg doing anything wrong. They just pale in comparison to the guys currently in the spotlight – Twitter and Facebook.

If you could only use one service, which one would you choose? I’d be unhappy about the forced decision, but I’d go with Twitter, even with all its flaws.

Charts below:

by Erick Schonfeld on November 4, 2009

First, there was Google Voice. And all was good, and not so good. But it showed that there is a better way to manage voicemails than to listen to 15 in a row just to get to the one you care about.

Now, there is an alternative to Google Voice called Ribbit Mobile. And it too is very good. Ribbit Mobile is in private beta, but the first 500 people to sign up with the invite code “techcrunch” will jump to the front of the line.

by Leena Rao on November 4, 2009

Searching retail sites can be frustrating at times. While many retailers try to present product search in a visually appealing way, search can often be slow or difficult to refine. Tonight, Google is making a huge play in retail space with the launch of Commerce Search, a hosted enterprise search product to power online retail stores and e-commerce websites.

Google offers a general hosted search product that is used by organizations that want to add customized Google search functionality to their websites. Google is now entering the vertical space with its first tailor-made enterprise product, optimized for retail. There are four key components to the new search offering for retailers:

by Jason Kincaid on November 4, 2009

As more games on the web begin to embrace virtual currency, users often run into the same problem: they’ve racked up mountains of whatever currency they’ve been playing with, but then don’t have a way to actually do anything with it outside of that game. Sure, they can always buy the latest tractor or weapon to arrive in their game, but at some point that gets old and they’re ready to cash out and move on to something new. Enter Bodega, a new platform that’s looking to help users swap virtual goods and currencies across different games, and even across different social networks.

Bodega lets users sell their virtual goods at auction in return for Bodega’s own currency, the Bodega Bill. When you go to sell your virtual goods, you can either put them up as a ‘buy it now’ style purchase or an auction, with a minimum reserve if you want. Users looking to purchase virtual goods can obtain Bodega Bills by completing offers, buying them with their credit cards, or by selling their own virtual goods in the marketplace. You can also earn Bodega Bills by completing actions on the site, like adding another user as a friend or listing an item for sale.

by Erick Schonfeld on November 4, 2009

On Monday, ngmoco released worldwide its latest game for the iPhone and iPod Touch: Eliminate Pro. It’s been downloaded 500,000 times so far at a rate of about 25,000 an hour, currently making it the top free app in iTunes. The top paid app, Skeeball, also happens to be affiliated with ngmoco through its Plus+ social game network. ngmoco has had its own top paid apps as well, like Rolando, but CEO Neil Young says that Eliminate Pro is more “representative of where we have been moving our business—free applications, that we monetize with in-app purchases.”

Ever since Apple opened up in-app purchases for free apps two weeks ago, it’s been catching on. In general, free apps are downloaded 10 to 20 times as much as comparable paid apps. Now, says Young, the payments can be “built into the compulsion loop of the game.” In other words, developers will get consumers to try their apps and then ask them to pay only once they are hooked.

by MG Siegler on November 4, 2009

Twitter has a problem: A number of users tweet, then lose interest. It needs a way to reengage them in the site. And tonight it’s starting to test one way: Notifications.

The test is currently rolled out to only a “limited” number of users, according to this update. But those who have it should notice an indicator similar to what Twitter does to let you know there are new search results on a query (see a capture above and below). There’s another service that does these types of notifications for new messages also: Facebook. Yes, Twitter for once is taking a page from its rival’s playbook rather than the other way around.

by Michael Arrington on November 4, 2009

Offerpal Media, the central character in the Scamville drama, is changing CEOs. Anu Shukla is no longer the CEO of the company she cofounded. Veteran executive George Garrick, most recently the CEO of Mochi Media, is now the CEO of the company.

From the press release quietly announcing the change:

Offerpal Media, the leader in virtual currency monetization for online games, virtual worlds and social networks, announced today that George Garrick has been named chief executive officer.

Garrick brings more than 25 years of experience in technology, advertising and consumer businesses to Offerpal Media. His track record of accelerating revenue growth and brokering strategic relationships with customers and partners will be critical assets in leading Offerpal Media.

I had an…interesting public exchange with Shukla last week at the Virtual Goods Summit in San Francisco (see video at end of this post). I’ve also embedded it below.

She vehemently denied that her company’s offers ever scammed users. Despite her defense of the industry, MySpace, Zynga, RockYou and others have since made significant policy changes to protect consumers from the types of offers Offerpal peddles.

by Michael Arrington on November 4, 2009

Brad Garlinghouse, a former SVP at Yahoo, joined AOL as President of Internet and Mobile Communications two months ago. And he’s clearly doing a little housekeeping, and forming his own exec team. His first major hire? Kiersten Hollars, a Digg PR exec.

Hollars is part of Garlinghouse’s old team at Yahoo, and left the company shortly after Garlinghouse did to take over PR and communications at Digg. She joins AOL later this month.

“This is more about working with Brad again, and nothing about Digg,” she told us in a phone interview this morning, adding that she’s excited about the turnaround opportunity at AOL. She joins AOL as senior director of corporate communications, reporting to both Garlinghouse and EVP Corporate Communications Tricia Primrose.

Digg’s looking for Hollars’ replacement immediately. So if you want to be the person to handle all corporate communications and Kevin Rose babysitting duties at Digg, let them know.

by MG Siegler on November 4, 2009

Google News has just launched a pretty cool new feature: Create your own news section. As you can probably guess, this allows you to create a new area of your Google News personalized page (you have to be signed in) for anything you want. You simply fill out a section title, put in any search terms you want it to look for, select a country, and you’re set.

Previously, you could make customized sections for Google News, but it was limited to single queries about topics. With multiple queries, this is much more comprehensive. And the pages look a lot nicer with images automatically pulled in. You can also now filter by source locations, restricting items to a single country or even state.

by MG Siegler on November 4, 2009

I hold in my hand the new Apple Remote. In case you missed it, Apple quietly launched it alongside the new iMacs, Mac minis, Magic Mice, and MacBooks a couple weeks ago. Simply put: I don’t get it.

That’s not to say it’s not a nice looking product — it is, but there have been some changes that make me confused as to what Apple exactly is trying to do with this thing. From a design perspective, it makes sense. The new remote now has the brushed aluminum and black button exterior that graces both Apple’s MacBook Pro line and the iMac line these days. The original Apple Remote was all white plastic (aside from the top sensor), that matched the older iMacs that it originally launched with.

by Jason Kincaid on November 4, 2009

Credit Karma, a site that looks to help consumers understand, track, and improve their credit scores, has raised a $2.5 million Series A funding round led by QED Investors, with participation from SV Angel, Aydin Senkut, and Founders Fund, via FF Angel.

Credit Karma is a site that features free credit checks, educational guides, and tools for analyzing your credit score’s current status (presented as a ‘report card’) and for optimizing your credit over time (you can check in on your score on a daily basis if you want to). There are also reviews of various credit cards, as well as sponsored offers based on your current credit rating.

Credit Karma says that its services are all free, and that the company makes money by selling advertising.

by Leena Rao on November 4, 2009

Popular online event site Eventbrite has raised $6.5 million in funding, according to an SEC filing. The company has confirmed the funding, and says Sequoia Capital is the new investor. Sequoia partner Roelof Botha joins the board of directors. Both Roelof and Sequoia backed Eventbrite CEO Kevin Hartz’s previous startup, Xoom.

This brings the event site’s total funding to over $8 million. Previous big-name investors include Bebo co-founder Michael Birch, Jeff Clavier, YouTube co-founder Jawed Karim, and Flixster co-founder Saran Chari.

Eventbrite provides online event management and ticketing services for any type of event. Eventbrite is free if your event is free. If you sell tickets to your event, Eventbrite collects 2.5% of the ticket price plus $0.99 per ticket sold.

by Michael Arrington on November 4, 2009

Anyone who doesn’t know how dirty the domain name business is just doesn’t know the domain name business. People pay exorbitant sums to acquire domain names, put Google or Yahoo ads on the parked pages, and collect the advertising fees. They often buy and sell individual domains and portfolios with other domain squatters. But the real feeding frenzy is around deleting domains – the domain names that people let expire and that go back into general inventory.

The process for expired domains to get back into the system is complicated, but every day 20,000 or more previously owned domain names become available. Domain squatters know the list in advance, and spend time looking at Alexa/Compete rankings and lots of other data sources to try to figure out which ones are valuable. If they can just eke out $10 or so per year on a domain via ads, it’s profitable. And at scale, large amounts of money are made.

There are a variety of companies that grab as many of the domains every day as they can and then auction them off to the highest bidder. I once ran a Canadian-based company called Pool.com that invented the practice of auctioning expired domain names, and our company was making over $1 million in profit every month from these auctions – there’s lots of money in this business.

Today the largest company conducting these auctions is SnapNames, which was acquired by Oversee.net in 2007 for $25 million or more.

Today SnapNames admitted that one of its executives was shill bidding on auctions. 5% of auctions from 2005 – 2007 were affected, the company says, and a lesser number since then.

by Michael Arrington on November 4, 2009

Stealth search engine Blekko, which we’ve been tracking since early 2008, has closed another $2.5 million in funding, bringing the total raised to $20 million. This most recent round, says CEO Rich Skrenta, was an inside round led by existing investors USVP and CMEA Ventures.

Blekko is taking their own sweet time to launch, so don’t expect much more from them until they are good and ready.

by Michael Arrington on November 4, 2009

Among the 800 or so employees laid off by Microsoft today: Don Dodge, Microsoft’s Director of Business Development for the Emerging Business Team, reporting to VP Dan’l Lewin. Don writes about the change on his personal blog.

All layoffs suck, but letting Don go is a huge mistake for Microsoft. He nearly singlehandedly defends the Microsoft brand in a fairly anti-Microsoft developer and user community. For many people in the startup community, Don is the face of Microsoft. He travels constantly, speaking at events whenever he’s asked, and makes a big effort to give young startups the attention they deserve. This is a guy who gives a heck of a lot more to the community than he ever takes back.

Don has been an expert panelist at all three TechCrunch50 conferences. He has also written guest posts for us covering startup events we couldn’t attend personally.

His reaction to today’s news shows what kind of person he is. I reached him by telephone just an hour after he heard the news. And he didn’t have a bad word to say about Microsoft. He was more concerned that I not write anything negative about the company than anything else. Even after they turned their back on him, he was still on their side.

My opinion of Microsoft dropped a notch today. A big notch. Don invested years of his time making Microsoft seem more human, and there are very few people I respect more than this man. He wasted all that time, apparently.

by Leena Rao on November 4, 2009

There are plenty of companies out there that specialize in bringing websites to mobile devices by creating optimized sites, such as MoFuse, Jagag, ByteMobile, and many more. But with the fast growth of web use and apps in the mobile space, there’s definitely room for more startups. Moovweb is entering this space with its offering, which helps brands create customized mobile sites for smartphones as well as develop mobile apps.

Moovweb launched earlier this year with a $700,000 investment led by Sun Microsystems co-founder Andy Bechtolsheim, with other angel investors participating. The startup focuses on helping brands and companies determine whether to create a mobile site or an app or both. Moovweb’s technology promises to create highly optimized sites and retain as much functionality of a brand’s site as possible. And where browsers are more limited, Moovweb will downgrade the experience.

by David Diaz on November 4, 2009

While the Nintendo Wii continues to have a stranglehold on console sales, both worldwide and in the United States, the Xbox 360 and PS3 are battling it out for the second-place position for year-to-date sales. Just a little over two months ago, Sony announced that they would be slashing the price of their game console, the PS3, to $299. Microsoft quickly followed suit, and in just ten days dropped the price of their most expensive console, the Xbox 360 Elite, to $299. Nintendo, who has sold nearly double the number of consoles worldwide as these two, decided to lower the price of the Wii on September 27th to $199: this was the first time since its inception that the Wii has had a price cut. All three console manufacturers hoped that the decrease in price would help them to increase sales and finish the year on a strong note. The results have been mixed: while all three consoles have seen an increase in sales, the PS3 has seen astonishing growth in the US and abroad, and has wrested the second-place position in worldwide YTD sales from the 360. As for the Xbox, even in its upgraded Elite form it has seen only minimal gains since the price drop.

by Greg Kumparak on November 4, 2009

While other carriers might finally be dipping their toes in the Android water this month, T-Mobile has been in this game for a long time. They got their first Android phone (the G1) out last October, and managed to launch two more (the myTouch and the CLIQ) within the year. It makes sense, then, that they’re the first to pipe up with some usage details.

T-Mobile today shared some of these details, along with announcing a number of ways they’d be increasing their support for the Android Market.
