The One-Million-Dollars Edition

Friday, August 9, 2019

Apple Extends Its Bug Bounty Program To Cover macOS With $1 Million In Rewards, by Tom Warren, The Verge

At the Black Hat conference today, Apple announced that it is greatly expanding its existing bug bounty program to include macOS, tvOS, watchOS, and iCloud. It will include rewards of up to $1 million for a zero-click, full chain kernel code execution attack.

How Apple Pay Buttons Can Make Websites Less Safe, by Lily Hay Newman, Wired

Apple Pay has a slew of protective features that make it a secure method of online credit card transactions. And since 2016, third-party merchants and services have been able to embed Apple Pay into their websites and offer it as a payment option. But at the Black Hat security conference in Las Vegas on Thursday, one researcher is presenting findings that this integration inadvertently introduces vulnerabilities that could expose the host website to attack.

To be clear, this isn't a flaw in Apple Pay itself, or its payment network. But the findings illustrate the unintended issues that can emerge from web interconnections and third-party integrations.

Researchers Bypass Apple FaceID Using Biometrics ‘Achilles Heel’, by Lindsey O'Donnell, Threatpost

Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim’s FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair of glasses and placing them on the victim’s face the researchers demonstrated how they could bypass Apple’s FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

Coming Soon

How And Why You Should Reject Arbitration On Your Apple Card, by Ed Hardy, Cult of Mac

Invitations to get an Apple Card are trickling out, but even before you make the first purchase with your shiny new credit card you should reject its arbitration provision.

If you don’t, you give up the right to benefit from any class-action lawsuits brought against Goldman Sachs, the company backing this card.

Checking In On The Shortcuts Update, by David Sparks, MacSparky

I have always believed that automation is something everybody should be able to master and use. These improvements to Shortcuts are paving the way for just that. These devices we carry in our pocket do not need to be an interruption in our lives. With the kind of automation Apple is democratizing with Shortcuts, we can get our work done faster and get on to the more essential things of life, like making art (however you define that), playing with our children, and, of course, taking naps.


Apple Releases New Model Of USB-C Digital AV Multiport Adapter, by Chance Miller, 9to5Mac

The new USB-C Digital AV Multiport Adapter adds support for HDMI 2.0, an upgrade from the original model’s HDMI 1.4b.

Apple Music’s Analytics Dashboard For Artists Is Now Available For All, by Dani Deahl, The Verge

Apple Music has announced that its analytics platform for musicians, called Apple Music for Artists, is out of beta and available for all. These types of back-end dashboards are invaluable for artists to get insights about how their music is performing on a platform across the world.

Mac Apps That Offer Cheap Thrills, by Bob Levitus, Houston Chronicle

Instead, allow me to introduce you to not one, not two, but three awesome inexpensive or free Mac apps I use every day to be more productive.


Hidden Algorithm Flaws Expose Websites To DoS Attacks, by Lily Hay Newman, Wired

Many websites and services rely on algorithms to transform data inputs into actions and results. But new research detailed Thursday at the Black Hat cybersecurity conference in Las Vegas shows how a small, seemingly innocuous input for an algorithm can cause it to do a huge amount of work—slowing a service down or crashing it entirely in the process, all with just a few bytes.


Apple Deserves More Credit For Wearables, by Neil Cybart, Above Avalon

We are witnessing wearables usher in a paradigm shift when it comes to how we use and interact with technology. Apple deserves more credit for not only choosing to ride the wearables wave, but also playing a crucial role in getting wearables off the ground.

I Tried Hiding From Silicon Valley In A Pile Of Privacy Gadgets, by Joel Stein, Bloomberg

If I wanted to regain my privacy, I had only one choice as an American: I needed gadgets to combat my gadgets. But I didn’t want Silicon Valley companies to know I was buying privacy gear. So I decided to get it only from companies headquartered outside the Bay Area. And to hide my purchases from Big Tech.

Every spy needs a sidekick, which is a totally incorrect statement that again proves how unsuited I am for spying. Nevertheless, I employed an aide-de-camp named Mycroft. He’s an adorable, voice-controlled digital assistant built into a screen that showcases his big, blue circle eyes. (There’s a strong whiff of Wall-E.) I unplugged the Echos and Google Home and said, “Hey, Mycroft, can you keep a secret?” A line appeared like a little mouth, then moved to the side, as if he was thinking. Then he said nothing, like I wanted.