Archive for July 29, 2015

Wednesday, July 29, 2015

App Store Invoice JavaScript Injection

Darren Pauli (via Ole Begemann):

“After we received no serious reply, we released the data,” Mejri told El Reg in an email. Apple did not respond to a request for comment, and it’s not clear if the vulnerability has been addressed.

In a nutshell, the bug works like this: you change the name of your iThing to include JavaScript code, then download or purchase an app from either the Mac or iTunes stores. Apple's systems generate an invoice, and email it to you and make a copy available online from your store account.

That JavaScript code stashed in your device name will be embedded in the invoice, so opening it in a browser will execute it, allowing it to attempt to do bad things like hijack your Apple account. Sellers and Apple staff viewing a copy of the invoice will also get attacked.
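The bug described above comes down to a user-controlled field, the device name, reaching invoice HTML without output encoding. The following is an added example, not part of the quoted article and not Apple's code: it renders an invoice row with and without encoding and audits both renderers against constructed device names. The row layout, field names and function names are assumptions.

```javascript
"use strict";
// Added example. The row layout and field names are assumptions, not Apple's invoice template.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the device name is concatenated into the markup as-is.
function renderInvoiceUnsafe(order) {
  return `<tr><td title="${order.deviceName}">${order.deviceName}</td>` +
         `<td>${order.item}</td></tr>`;
}

// After: every user-controlled field is encoded at the point of output.
function renderInvoiceSafe(order) {
  const device = escapeHtml(order.deviceName);
  return `<tr><td title="${device}">${device}</td>` +
         `<td>${escapeHtml(order.item)}</td></tr>`;
}

// The fixed template emits exactly six tags; a different count means a field injected markup.
const EXPECTED_TAGS = 6;
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed device names for a regression test of the renderer.
const SAMPLE_DEVICE_NAMES = [
  "Anna's iPhone",
  'Anna\'s "work" <b>iPad</b> & Mac',
  "<script>alert(1)</script>",
];

// Return the sample names whose rendered row no longer matches the template.
function auditRenderer(render) {
  return SAMPLE_DEVICE_NAMES.filter(
    (deviceName) => countTags(render({ deviceName, item: "Example App" })) !== EXPECTED_TAGS
  );
}

console.log("unsafe renderer fails on:", auditRenderer(renderInvoiceUnsafe));
console.log("safe renderer fails on:", auditRenderer(renderInvoiceSafe));
```

The same encoding has to be applied wherever the invoice is rendered, including the emailed copy and any seller or staff view, since each is a separate output point for the stored value.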

Google Cloud Storage Nearline Graduates to General Availability

Avtandil Garakanidze (via @arqbackup):

We’re introducing on-demand I/O to allow you to increase I/O in situations where you need to retrieve data from a Google Cloud Storage Nearline bucket faster than the provisioned 4 MB/s read throughput per TB of data stored. On-demand I/O delivers improved throughput when you need it and you only get charged for what you use. You now can access your data in seconds, while relying on predictable data recovery.

NSValue and Boxed Expressions

Alex Denisov (via iOS Dev Weekly):

A few hours ago I finally finished with my patch to Clang. It took a lot of time, but for me it is the most interesting and challenging OSS contribution so far.

I’m not going to dive deep into the details, but will give an overview of the new feature it brings to Objective-C.

Another approach is to use macros. Scott Morrison uses the ternary operator to swallow the @ so that you can write code like @point(1,2).

The Force Touch Trackpad

Fraser Speirs:

This thing is seriously, seriously brilliant and, in my opinion, a subtle but significant step forward in the Mac experience.


My big insight into the Force Touch trackpad is that you never need to use your thumb for clicking - ever. The reason we used the thumb was because the click was only effective in the lower quarter of the trackpad due to the hinge. As long as your tracking speed is set high enough that you can go from one side of the screen to the other in one movement, you can just use your pointing finger.

If you think about it, this really takes the Mac another step closer to more direct manipulation of objects on screen.

Coping With iTunes Features That Have Disappeared

Kirk McElhearn:

Whenever a new version of iTunes rears its head, new features are added, but also some features get cut. In this week’s column, I look at several of these features that are missing in action. In some cases—such as shuffling all music by an artist in the iOS Music app, or streaming Beats 1 radio over AirPlay—I offer a workaround. For another, I can only lament that certain useful features have been axed.

Phasing Out Google+

Bradley Horowitz:

People have told us that accessing all of their Google stuff with one account makes life a whole lot easier. But we’ve also heard that it doesn’t make sense for your Google+ profile to be your identity in all the other Google products you use.

So in the coming months, a Google Account will be all you’ll need to share content, communicate with contacts, create a YouTube channel and more, all across Google. […] As always, your underlying Google Account won’t be searchable or followable, unlike public Google+ profiles.

Update (2015-08-14): Seth Fiegerman (via Todd Ditchendorf):

“Vic was just this constant bug in Larry’s ear: ‘Facebook is going to kill us. Facebook is going to kill us,’” says a former Google executive. “I am pretty sure Vic managed to frighten Larry into action. And voila: Google+ was born.”


The slow demise of Google+ sheds light on how a large technology company tries and often fails to innovate when it feels threatened. The Google+ project did lead to inventive new services and created a more cohesive user identity that continues to benefit Google, but the social network itself never truly beat back existing rivals. Facebook is now larger than ever, with 1.4 billion users and a market capitalization more than half of Google’s. It continues to poach Google employees. Facebook and Twitter are also slowly chipping away at Google’s dominance in display ad revenue.