Archive for July 11, 2019

Thursday, July 11, 2019

Why Do Web Browsers Allow Access to the Local Network?

Jeff Johnson:

Since constantly requiring confirmation is obviously incredibly annoying, Apple has conveniently exempted some of its own apps from the requirement. For example, macappstore and macappstores URLs will automatically open App Store app without your confirmation.

But, curiously, Safari does prompt for opening the News app.

Zoom is certainly deserving of criticism. But I’ve seen very few people stop to ask, how was Zoom’s little trick even possible in the first place? Why does Safari allow a web page,, to make requests to a localhost server? Is this possibility not surprising to you? It was surprising to me! The problem is actually worse than this. The major browsers I’ve tested — Safari, Chrome, Firefox — all allow web pages to send requests not only to localhost but also to any IP address on your Local Area Network! Can you believe that? I’m both astonished and horrified.


Moreover, a web page can even scan your network to find the addresses of your devices. I found a recent paper by Forcepoint that discusses in detail these kinds of attacks on your LAN from the web. So security researchers are aware of this possibility, but it seems that the browser vendors are doing nothing to plug the holes in their web browsers!

It seems strange that browsers prohibit access to local files but not the local network.

Bob Burrough:

Run some Javascript to scan common local router IP’s and save the results to the server. It would even map to your WAN IP so they could start hitting your router externally. The web is an absolute mess.


Update (2019-07-15): See also: Hacker News.

Update (2019-07-17): Maxwell Swadling:

re web browsers, use LuLu or Little Snitch. They are great for lots of reasons, not just web browsers.

Agreed, but unfortunately most people don’t even know about such utilities—hence the argument for browsers providing some security here.

iCloud Data Loss With macOS 10.15 and iOS 13 Betas

Max Seelemann:

Whereas in recent years, it was pretty safe to install preview versions early on, this year that’s definitely not the case (see for example this report on Cult of Mac).

Most impactful for us, however, is that the (great, great) updates done to iCloud are also leading to severe problems with the service. As iCloud is Apple’s sync service, it’s beyond our power to solve them, of course. Some public beta users reported synchronization outages and data loss that propagated to devices that did not even run the beta but were just connected via iCloud.

Craig Hockenberry:

If you have an iOS or macOS beta installed, disable iCloud on that device NOW.

If you don’t you’ll end up with data loss on your production devices. Also, these problems are not app-specific, things are fucked up at the framework level.

Judging from the release notes, Apple knew about many of the issues prior to releasing the betas, so it’s surprising that they chose to release the public betas earlier this year.

John Gruber (tweet):

Right now iCloud is dangerous on the beta OSes. That’s not a complaint in and of itself; if there weren’t bugs they wouldn’t be betas. But I think it was a bad idea for Apple to release public betas at this stage.

Craig Hockenberry:

Apple talks a lot about services being the future of the company, but then they pull shit like this and it makes me wonder if they have any clue that the most important part of a data service is protecting its contents.

Wil Shipley:

The real BS part of this is that there’s really no good way for us to restore iCloud data, which is becoming increasingly more of our data.

Max Seelemann:

I know what a beta is and what that means. But in times where everything is a beta, people tend to to forget.

imo, a company giving betas to millions of people is responsible for doing this in a responsible manner. As a minimum it’s to make sure to at least not delete data.

Colin Weir:

There’s also an implied level of stability in a public beta that’s not in a developer beta. We know they’re basically the same builds, but to normal users “public beta” means “safe, but some stuff might work weird"

So by putting out unstable developer betas and calling them public betas, they’re doing a big disservice

Steve Troughton-Smith:

iBooks is unusable in iOS 13 thanks to iCloud issues. It took three weeks (!) for it to re-index my iCloud library before it would let me open a book, and it deletes it and requires a redownload, citing space issues, constantly (I have 180GB free space). Local cache is whack

It’s definitely not the worst beta process by a long shot, but it’s definitely way too rough for public seeding on iPad. I’m losing touches constantly, which makes the software keyboard as bad as the MacBook Pro for reliability At least they’re consistent…

Craig Hockenberry:

We submitted a detailed DTS incident about corrupted/deleted iCloud documents in the iOS 13 beta. But guess what? DTS doesn’t support beta releases.

So it’s a public release, but not.

Steve Troughton-Smith:

from what I’ve seen, a lot of the time I run into ‘data loss’ is where some migration/indexing process has got stuck, making it look like I’ve got no/wrong data, and instead of waiting it out I try and fix it myself while the system is still broken

It’s very easy to panic and do a lot of damage when the OS makes it look like your data is screwed up, even when underlying data is totally fine and it’s actually some intermediary daemon process hanging in the bg. Sometimes you really do need to chill & wait for the next beta


Apple News+ Revenue

Juli Clover:

Apple News+ seems to be floundering just months after its launch, according to new details from participating magazine publishers shared by Business Insider.

Multiple publishers have been unimpressed with the revenue generated from Apple News+. One told Business Insider that revenue was one twentieth of what Apple promised, while another said that it was on par with what was earned from Texture, which isn’t much.

Nilay Patel:

This implies Apple News publishers are making half of what they did with Texture, which is impressively bad. (10x/20 = .5x)

Oluseyi Sonaiya:

Apple made a big deal about WSJ, for example, being part of News+, but if I understand correctly the index of articles is not included, so you can’t browse the content listing. You’re left with inbound links and whatever they push into the News+ feed.

Gotta pony up for the feed.

Chance Miller:

Last month, Eddy Cue said that Apple had “hundreds” of people working to make Apple News+ better. Apple News+ is currently available in the United States and Canada, but it’s expected to launch in the UK this year as well.

Rob Griffiths:

You know what what would make Apple News better? This…

• Let me delete my downloaded mags.
• Show new issues in sidebar list of my subscribed mags.
• Give the Mac version support for multiple windows or tabs—no more of this one-window iOS bullcrap.

Mitchel Broussard:

Jumping to the topic of Apple News+, Cue stated that one of Apple’s big goals right now is to convince younger people to subscribe to the service.


Update (2019-07-15): Josh Centers:

The best bet for Apple News+ isn’t legacy publishers, but small, platform-oriented ones like @GlennF and @jdalrymple. Too bad Apple already burned people like that with Newsstand.

These big dinosaurs have a hard time adapting to these new formats. Smaller outlets can and will do it if given the proper support. Look at what @MacSparky does with Apple Books.

“Hey, read a month-old Macworld article for just $10 a month” isn’t a great sales pitch.

Update (2019-08-07): Lucinda Southern (via Eric Young):

Publishers including Vice Media and The Stylist Group say they’ve gotten traffic and, more importantly, revenue lifts from Apple News in the last three months. While this is from a small base, for some publishers it signifies that patience with publishing to the platform, which has been widely accepted as good for brand awareness but lagging revenue, is starting to pay off.