Archive for April 17, 2019

Wednesday, April 17, 2019

Safari Auto-Submitting AutoFilled Passwords

Steve Troughton-Smith:

Safari’s new ‘submit form as soon as you choose from the autocomplete list’ is the quickest way to get locked out of your bank ever. As a universal default, that seems like such a bad idea

[…]

(I think the key part is that it doesn’t consider what happens if the autosaved password is wrong, and so will blind-fire at the site before giving somebody a chance to change it)

This has bitten me several times.

Kyle Howells:

That same sort of ‘presume we are always right’ problem happens with the new password autosuggestion, which covers over the password field and doesn’t let you edit the suggested password anymore.

If it guessed the password requirements wrong you can’t fix it.

Update (2019-04-18): Colin Cornaby:

I hate the way this bypasses the “Remember Me” checkboxes if you didn’t check them before autofill. From Apple’s end I’d guess the lack of cookies and cached logins is probably considered more secure though.

Andrew Abernathy:

As pointed out here, this behavior makes me much more worried about getting locked out of an account.

But beyond that, I dislike the interaction: there’s a “sign in” button on the page, and this preempts me from clicking on that in a way that doesn’t feel “right” to me.

Update (2019-05-01): Dave DeLong:

I generally really really like Safari and have very few complaints about it.

However.

rdar://problem/50369660 “Safari: STOP AUTOSUBMITTING PASSWORD FORMS”

Update (2019-08-20): Andrew Abernathy:

Oh, that’s why I’ve been having to sign in to this web site every time: Safari’s autofill prompt covers the “remember me” checkbox, and Safari’s new behavior of auto-submitting credentials meant it signed in without giving me a chance to notice & check that box.

Update (2020-04-23): Jeff Johnson:

The good news is that StopTheMadness 8.0 can stop Safari from automatically submitting login forms. There’s a new website protection called “Stop autosubmit of autofilled forms”. This is disabled by default, so you’ll need to enable it manually in the StopTheMadness Website Protections. You can selectively enable the protection for individual sites, or you can enable it in the Default Website Protections for all sites. With the new protection enabled, Safari will no longer automatically submit forms. Instead, StopTheMadness will display a confirmation that asks whether you want to submit the form or cancel. If you cancel, then you can make changes to the AutoFilled form and submit manually. Note that when the confirmation is displayed, you can press the return key to submit or press the escape key to cancel if you want to avoid clicking a button.
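The behaviour described above (block the auto-submit, ask, let the user edit the form or tick “Remember Me” on cancel) can be sketched as a small capture-phase submit guard. This is an added example written for this page, not StopTheMadness’s own code and not Safari’s; it assumes that Safari’s auto-submit dispatches a cancelable submit event on the form and that AutoFill does not generate trusted keydown events in the password field, so a password field with a value but no trusted keystrokes is taken to be autofilled. The class and method names are hypothetical. It runs under Node with plain objects standing in for form elements and events, and attaches to real forms only when a document is present.

```javascript
// Added example: a submit guard for autofilled login forms (hypothetical
// names; not code from StopTheMadness or Safari). Assumptions, as stated in
// the lead-in: the auto-submit is a cancelable "submit" event, and AutoFill
// produces no trusted keydown events in the password field.
class AutofillSubmitGuard {
  constructor(confirmFn) {
    this.confirm = confirmFn;          // window.confirm in a browser: return key = OK, escape = cancel
    this.typedInto = new WeakSet();    // password fields the user actually typed into
    this.reviewed = new WeakSet();     // forms the user has already decided on
  }

  // Record genuine keystrokes in password fields. Only trusted events count, so
  // value changes made by script (or, per our assumption, by AutoFill) do not.
  onKeydown(event) {
    if (event.isTrusted && event.target && event.target.type === "password") {
      this.typedInto.add(event.target);
    }
  }

  // Decide whether a submit may proceed. Returns true to allow it and false
  // when it was cancelled (in which case preventDefault() has been called).
  onSubmit(event) {
    const form = event.target;
    if (this.reviewed.has(form)) return true;       // user already confirmed or cancelled once

    const filledPasswords = Array.from(form.elements)
      .filter(el => el.type === "password" && el.value !== "");
    const autofilled = filledPasswords.some(el => !this.typedInto.has(el));
    if (!autofilled) return true;                    // user typed the password; nothing to guard

    this.reviewed.add(form);                         // either way, the form is now in the user's hands
    if (this.confirm("This login form was filled automatically. Submit it now?")) {
      return true;                                   // confirmed: let the original submit continue
    }
    event.preventDefault();                          // cancelled: user can edit fields, tick boxes, resubmit
    return false;
  }

  // Wire the guard to a real form. Capture phase so it runs before page handlers.
  attach(form) {
    form.addEventListener("keydown", e => this.onKeydown(e), true);
    form.addEventListener("submit", e => this.onSubmit(e), true);
  }
}

// Browser / content-script usage: guard every form on the page.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  const guard = new AutofillSubmitGuard(msg => window.confirm(msg));
  for (const form of document.forms) guard.attach(form);
}
```

Once a form has been confirmed or cancelled it is not questioned again, so after a cancel the user can check the “Remember Me” box or correct a stale password and click the site’s own sign-in button without a second prompt.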

Introducing CalZones

David Smith:

CalZones is a calendaring app built from the ground up to be smart about managing timezones. It starts by letting you choose a list of the zones that are relevant to you and then all aspects of the app tailor themselves into making it easy to coordinate between those timezones.

[…]

Tap on any time shown to quickly create an event at the shown time and in the selected timezone.

[…]

The event creation view makes working out the time for a call super easy by giving you a time picker that is timezone aware and displays the chosen time across all your selected timezones.

Rosemary Orchard:

Along with specifying your time zones you can also control which calendars you see, your preferred theme and icon, work day times, week start, and how event times should be displayed. The latter is very useful, allowing you to see that the event you’re looking at starts at 7pm local time, but 10am in the organiser’s time.

See also: Under the Radar.

The Time Tim Cook Stood His Ground Against the FBI

Leander Kahney (Hacker News):

Cook was very concerned about how Apple would be perceived throughout this media firestorm. He wanted very much to use it as an opportunity to educate the public about personal security, privacy, and encryption. “I think a lot of reporters saw a new version, a new face of Apple,” said the PR person, who asked to remain anonymous. “And it was Tim’s decision to act in this fashion. Very different from what we have done in the past. We were sometimes sending out emails to reporters three times a day on keeping them updated.”

[…]

Privacy advocates celebrated the end of the case and Apple’s apparent victory. “The FBI’s credibility just hit a new low,” said Evan Greer, campaign director for Fight for the Future, an activist group that promotes online privacy. “They repeatedly lied to the court and the public in pursuit of a dangerous precedent that would have made all of us less safe. Fortunately, internet users mobilized quickly and powerfully to educate the public about the dangers of backdoors, and together we forced the government to back down.”

But Cook was personally disappointed that the case didn’t come to trial. Even though Apple had “won” and wouldn’t be forced to create the backdoor, nothing had really been resolved. “Tim was a little disappointed that we didn’t get a resolution,” said Sewell. He “really felt it would have been fair and it would have been appropriate for us to have tested these theories in court. . . . [Though] the situation that was left at the end of that was not a bad one for us, he would have preferred to go ahead and try the case.”

I still think this story has been mostly misreported in that Apple already had a backdoor to access Syed Farook’s iPhone 5c. Commenter lern_too_spel:

What really happened is that Apple loudly proclaimed that they had made it impossible to comply with government data requests and even had a marketing page masquerading as a privacy page explaining that. The FBI asked Apple to put a build on a phone that would allow them to brute force the passcode, leaving the device and the build on Apple’s premises the entire time. This showed that Apple’s claim was false in practice. Apple quickly removed that marketing page in the wake of the news.

[…]

At the time Apple made the false marketing claims, no passcode was required to install a signed build. Hence, the FBI’s request.

The FBI was asking for no more than what Apple could already do, and it was letting Apple control the whole process. The problem was that what Apple could already do disagreed with what Apple told its customers that it could do.

Previously:

Hackers Abused Support Portal to Read Microsoft E-mails

Joseph Cox (via Jason Koebler):

On Saturday, Microsoft confirmed to TechCrunch that some users of the company’s email service had been targeted by hackers. A hacker or group of hackers had first broken into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.

But the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft’s statement, as well as screenshots provided to Motherboard.

[…]

Motherboard’s source, however, said that the technique allowed full access to email content.