The Cross-Site-Scripting Edition Saturday, April 9, 2016

iMessage Bug Exposed Target's Chat History After One Click, by Russell Brandom, The Verge

Apple has patched a major vulnerability in iMessage that allowed attackers to pull a target's message history through a bogus link. [...] The attack primarily targeted the OS X version of iMessage, but could also recover messages from iPhones if the target enabled SMS forwarding.

If You Can’t Break Crypto, Break The Client: Recovery Of Plaintext iMessage Data, by Joe DeMesy, Shubham Shah, and Matthew Bryant, Bishop Fox

Messages (iMessage) for OS X from Apple implements its user interface via an embedded version of WebKit. Additionally, Messages on OS X will render any URI as a clickable HTML <a href="URI"> link. An attacker can create a simple JavaScript URI (e.g., javascript:) that when clicked, allows the attacker's code to gain initial execution (cross-site scripting) in the context of the application DOM.
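The bug class the excerpt describes, as an added example that is not Bishop Fox's or Apple's code: a toy chat-client linkifier that turns anything shaped like scheme:rest into an anchor, next to a version that only links an allowlisted set of schemes and renders everything else as inert text. Function names, the regex and the sample messages are constructed for illustration.

```javascript
// Added example (not from the article or from Apple's Messages): why a
// linkifier that accepts any URI scheme hands the attacker a javascript: link,
// and how a scheme allowlist plus output escaping closes that door.

// Anything of the form scheme:rest. This is the permissive shape that lets
// "javascript:" ride along with "http:" and "mailto:".
const URI_RE = /\b([a-zA-Z][a-zA-Z0-9+.-]*):([^\s<>"']+)/g;

// Escape text before it is placed into the WebKit-rendered DOM, both for the
// surrounding message text and for the href/anchor text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Core linkifier: the caller decides which schemes are allowed to become links.
// Anything else is emitted as escaped, non-clickable text rather than dropped,
// so the message still reads the same to the user.
function linkify(message, isAllowedScheme) {
  let out = "";
  let last = 0;
  for (const m of message.matchAll(URI_RE)) {
    const uri = m[0];
    const scheme = m[1];
    out += escapeHtml(message.slice(last, m.index));
    if (isAllowedScheme(scheme)) {
      const safe = escapeHtml(uri);
      out += `<a href="${safe}">${safe}</a>`;
    } else {
      out += escapeHtml(uri);
    }
    last = m.index + uri.length;
  }
  return out + escapeHtml(message.slice(last));
}

// Vulnerable behaviour: every URI, whatever its scheme, becomes a link.
// One click on the javascript: anchor runs attacker code in the app's DOM.
function linkifyNaive(message) {
  return linkify(message, () => true);
}

// Hardened behaviour: an explicit allowlist of navigable schemes, compared
// case-insensitively (browsers treat "JaVaScRiPt:" the same as "javascript:").
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);
function linkifySafe(message) {
  return linkify(message, (scheme) => SAFE_SCHEMES.has(scheme.toLowerCase()));
}

// Constructed sample message: one attacker-supplied URI, one ordinary one.
const sample = "see javascript:alert(document.cookie) and https://example.com/x";
console.log("naive:", linkifyNaive(sample));
console.log("safe: ", linkifySafe(sample));
```

The point of checking the scheme rather than blocklisting "javascript" is that WebKit also executes data: URIs and vendor schemes you may not have thought of; the allowlist also has to be applied after any decoding the renderer performs, which is why the check runs on the raw scheme token before escaping.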

Brain Extension

My Brain, Apple And The Transfer Of Fragility, by Łukasz Langa

The original promise of a smart phone for me was that I could have a personal assistant that would remember everything. The iPhone solved some of this for me, including calendar appointments, reminders, contacts, turn-by-turn navigation, checking Wikipedia, IMDb or simply googling things I need to know.

But the biggest thing I had in mind, a repository of my thoughts and ideas, was still scattered across e-mails, voice memos, to do lists of all sorts, documents written in Vim, TextEdit, Word (the oldest) and a bunch of analog calendars and notebooks.

Encrypted Me

Spying On iPhones A Cinch With 'Su-A-Cyder' Homegrown Malware Kit, by Teri Robinson, SC Magazine

If you've got a hankering for spying on Apple iPhones and the Federal Bureau of Investigation (FBI) isn't around to apply its newly found way of cracking the devices, Mi3Security Chief Architect for R&D Chilik Tamir recently demonstrated at Black Hat Asia how his homegrown malware kit called Su-A-Cyder could do just that.

Apple's Fight With U.S. Over Privacy Enters A New Round, by Christie Smythe and Chris Strohm, Bloomberg

The U.S. said it will keep fighting to get the company’s help in getting data off a phone in Brooklyn, New York, that belonged to a drug dealer because Apple provided assistance in accessing such devices earlier. In a court filing Friday, the government said it’s going ahead with an appeal of a judge’s order denying its request for Apple’s help.

Apple Won't Sue FBI To Reveal Hack Used To Unlock Seized iPhone, by Zack Whittaker, ZDNet

Apple attorneys said that the company is "confident" that the security weakness that the government alleges to have found will have a "short shelf life." The attorneys were keen to stress that they had no evidence of what the flaw was, but argued that normal product development would see a fix for the flaw implemented down the line.


DO Button By IFTTT (For iPhone), by Eric Griffiths, PC Magazine

As mentioned, IFTTT lets you create automated actions between services. For example, "If I receive an email from a new contact, add that contact to a spreadsheet in Google Sheets." All the recipes in DO Button are driven by the same command: pressing a virtual button. So, instead of waiting for a trigger from another app or service, the trigger is you opening DO Button and pressing the button.

Turn Your iPad Into A Control Center For Your Mac With Quadro, by Rob Lefebvre, Cult of Mac

The whole idea here is to streamline your workflow, so Quadro’s developers have taken time to create a framework for controlling your computer with various commands, groups of tasks, and a swipe-able keyboard that lets you pretty much replace the keyboard and mouse on your Mac.

Catalog Your Collections With Collectarium For iPad, by Sandy Stachowiak, AppAdvice


Comparing Reactive And Traditional, by Brent Simmons, Inessential

Part of me does not want to encourage people to use RxSwift for the reasons I’ve outlined. But part of me very much wants to encourage people to use RxSwift — because change comes, in part, from the community pushing the state of the art.

The Next Hot Job In Silicon Valley Is For Poets, by Elizabeth Dwoskin, Washington Post

As tech behemoths and a wave of start-ups double down on virtual assistants that can chat with human beings, writing for AI is becoming a hot job in Silicon Valley. Behind Apple’s Siri, Amazon’s Alexa and Microsoft’s Cortana are not just software engineers. Increasingly, there are poets, comedians, fiction writers, and other artistic types charged with engineering the personalities for a fast-growing crop of artificial intelligence tools.


How To Win Friends And Influence People, by The Economist

Facebook has become more like a holding company for popular communications platforms than a social network. But even that description understates Mr Zuckerberg’s ambitions. He is making big bets on the future of communication, mainly messaging services, artificial intelligence and virtual reality. Speaking to The Economist Mr Zuckerberg says that he sees his company as “a mission-focused technology company”. That puts it in direct competition with other tech-industry titans, especially Google.

Investigating The Potential For Miscommunication Using Emoji, by Hannah Miller, Grouplens

To your smartphone, an emoji is just like any other character (e.g., lower-case ‘a’, upper-case ‘B’) and needs to be rendered with a font. Since each smartphone platform (e.g., Apple, Google) has its own emoji font, the same emoji character can look quite different on different smartphone platforms.

Bottom of the Page

I hope Apple is working hard to allow Macs to be as secure as iOS devices.


And I hope Apple is working on something that allows us to build things faster and easier. Not Swift. Think Hypercard, or the early days of the web.


Thanks for reading.