Archive for August 23, 2019

Friday, August 23, 2019

Amazon Has Ceded Control of Its Site

The Wall Street Journal (via Christopher Mims):

In practice, Amazon has increasingly evolved like a flea market. It exercises limited oversight over items listed by millions of third-party sellers, many of them anonymous, many in China, some offering scant information.

A Wall Street Journal investigation found 4,152 items for sale on Amazon.com Inc.’s site that have been declared unsafe by federal agencies, are deceptively labeled or are banned by federal regulators—items that big-box retailers’ policies would bar from their shelves. Among those items, at least 2,000 listings for toys and medications lacked warnings about health risks to children.


Amazon’s struggle to police its site adds to the mounting evidence that America’s tech giants have lost control of their massive platforms—or decline to control them. This is emerging as among the companies’ biggest challenges.

See also: Passive Guy.


Update (2019-08-30): Josh Dzieza:

Under the surface, Amazon is a scene of constant warfare. A growing share of goods on the platform are sold by third parties, who compete viciously for limited real estate. Some hop onto fast-selling listings with counterfeit goods, or frame their competitors with fake reviews. One common tactic is to find a once popular, but now abandoned product and hijack its listing, using the page’s old reviews to make whatever you’re selling appear trustworthy.

Amazon’s marketplace is so chaotic that not even Amazon itself is safe from getting hijacked.


Take this listing, formerly for an AmazonBasics HDMI cable. Amazon removed it and other listings after being contacted by The Verge, but before it was taken down, it was being used to sell two completely different alarm clocks: a “Warmhoming 2019 Updated Wooden Digital Alarm Clock with 7 Levels Adjustable Brightness, Display Time Date Week Temperature for Bedroom Office Home,” and a white wake-up light clock, which was out of stock. Strangely, that clock was listed as a second variety, color “Blackadaafgew,” yet the listing’s copy referred to binoculars that “can help you see a clear face from more than 650 feet away.” Many of the Amazon listings appear to undergo multiple hijackings.

Update (2019-09-13): Ashley Bischoff:

I just bought a product that was listed as “Amazon’s Choice” and “Fulfilled by Amazon”—and it still ended up being counterfeit. Ughh. (The top review details how one can spot counterfeits.)

Update (2019-10-13): See also: Accidental Tech Podcast.

Some Obscure C Features

bymultun (via Hacker News):

The current most used version of the language, c99, brought a bunch of new features, many of which are completely unknown to most C programmers (Older specifications obviously also have some dark corners).

Here are the ones I know about[…]

iMessage, NSKeyedArchiver, and _NSDataFileBackedFuture

Natalie Silvanovich:

CVE-2019-8646 is a somewhat unusual vulnerability I reported in iMessage. It has a number of consequences, including information leakage and the ability to remotely read files on a device. This blog post discusses the ways that an attacker could use this bug. It is a good example of how the large number of classes available for NSKeyedArchiver deserialization can make a bug more versatile. It’s also a good example of how minor functional bugs can make a vulnerability more useful.

Please note that this blog post assumes some familiarity with NSKeyedArchiver deserialization. If you haven’t read our general post on iMessage, I’d recommend reading that first.


There are two immediate problems with being able to deserialize this class in an untrusted context. One is that it has the potential to allow a process to access a file that it is not authorized to access, because the process doing the deserialization is the one that loads the file. When I reported this bug, I thought that this was more likely to be a concern for deserialization that occurs locally via IPC as opposed to deserialization that occurs on a remote target like iMessage. The second is that this class violates one of the guarantees that the NSData class makes, that the length property will always return the length of the bytes property. This is because the length of the buffer returned by [_NSDataFileBackedFuture bytes] is the length of the loaded file, and has no relationship to the deserialized length returned by [_NSDataFileBackedFuture length].


Putting this all together allowed for a file to be read remotely from an iPhone.

Update (2019-09-13): Samuel Groß:

After looking at iOS 12.4.1 I’m happy to say that Apple has hardened iMessage by no longer allowing child classes during its NSUnarchiving. This prevents almost all of the vulnerabilities @natashenka and I found from being remotely exploited :)
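Silvanovich’s point about the broken NSData contract and Groß’s note about the fix fit together neatly, so here is an added C model of both, written for this post rather than taken from Project Zero, Apple, or Foundation. The class chain, the decoder, the fake filesystem, the secret path and its contents, and every helper name are constructed stand-ins. It shows an honest NSData honouring length() == size of bytes(), a deserialised file-backed future that reads whatever file the archive names and reports whatever length the archive declares (so a consumer trusting length() over-reads the buffer), and a decoder that accepts only the exact NSData class, which never constructs the subclass at all.

```c
/* Added example, not code from Project Zero or Apple: a C model of the
 * _NSDataFileBackedFuture problem (length() unrelated to the bytes behind bytes())
 * and of the iOS 12.4.1-style fix (no subclasses accepted while unarchiving).
 * Class names follow the post; the path, file contents and helpers are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny class model: a name and a superclass pointer, like an isa chain. */
typedef struct cls { const char *name; const struct cls *super; } cls_t;
static const cls_t NSObject_cls = { "NSObject", NULL };
static const cls_t NSData_cls   = { "NSData", &NSObject_cls };
static const cls_t Future_cls   = { "_NSDataFileBackedFuture", &NSData_cls };
static const cls_t *const KNOWN[] = { &NSObject_cls, &NSData_cls, &Future_cls };

/* Constructed stand-in for the unarchiving process's filesystem (path and contents invented). */
#define SECRET_PATH "/var/mobile/Library/Preferences/secret.plist"
#define SECRET      "token=ABCDEF0123456789"
static const char *fake_read(const char *path, size_t *len) {
    if (strcmp(path, SECRET_PATH) == 0) { *len = strlen(SECRET); return SECRET; }
    *len = 0; return NULL;
}

/* NSData-like object. Contract: length() equals the size of the buffer bytes() returns. */
typedef struct data {
    const cls_t *isa;
    size_t (*length)(const struct data *);
    const unsigned char *(*bytes)(struct data *);
    const unsigned char *buf; size_t buf_len;   /* plain NSData storage                  */
    const char *path; size_t declared_len;      /* future: both decoded from the archive */
    unsigned char *loaded; size_t loaded_len;   /* future: filled on first bytes()       */
} data_t;

static size_t plain_length(const data_t *d) { return d->buf_len; }
static const unsigned char *plain_bytes(data_t *d) { return d->buf; }

/* The future's length comes from the archive and its bytes from the file; nothing
 * ties them together. That is the invariant violation the post describes. */
static size_t future_length(const data_t *d) { return d->declared_len; }
static const unsigned char *future_bytes(data_t *d) {
    if (!d->loaded) {                           /* the unarchiving process opens the file */
        size_t n; const char *c = fake_read(d->path, &n);
        d->loaded = malloc(n ? n : 1);
        if (c && d->loaded) memcpy(d->loaded, c, n);
        d->loaded_len = d->loaded ? n : 0;
    }
    return d->loaded;
}

/* Real backing size versus what length() claims, and the resulting over-read
 * for a consumer that does memcpy(dst, d->bytes(d), d->length(d)). */
static size_t backing_size(data_t *d) { d->bytes(d); return d->isa == &Future_cls ? d->loaded_len : d->buf_len; }
static bool nsdata_invariant_holds(data_t *d) { return d->length(d) == backing_size(d); }
static size_t overread_bytes(data_t *d) { size_t n = d->length(d), b = backing_size(d); return n > b ? n - b : 0; }

/* Class acceptance: is_kind_of admits subclasses (what the bug relied on);
 * exact_classes models the 12.4.1 hardening Groß describes. */
static bool is_kind_of(const cls_t *c, const cls_t *want) { for (; c; c = c->super) if (c == want) return true; return false; }
static const cls_t *lookup_class(const char *name) {
    for (size_t i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++) if (strcmp(KNOWN[i]->name, name) == 0) return KNOWN[i];
    return NULL;
}
/* Decode one archived object into an NSData slot; NULL means the class was rejected. */
static data_t *decode_nsdata(const char *class_name, const unsigned char *buf, size_t buf_len,
                             const char *path, size_t declared_len, bool exact_classes) {
    const cls_t *c = lookup_class(class_name);
    if (!c || (exact_classes ? c != &NSData_cls : !is_kind_of(c, &NSData_cls))) return NULL;
    data_t *d = calloc(1, sizeof *d); if (!d) return NULL;
    d->isa = c;
    if (c == &Future_cls) { d->length = future_length; d->bytes = future_bytes; d->path = path; d->declared_len = declared_len; }
    else { d->length = plain_length; d->bytes = plain_bytes; d->buf = buf; d->buf_len = buf_len; }
    return d;
}
static void data_free(data_t *d) { if (d) { free(d->loaded); free(d); } }

/* An honest NSData keeps the contract under the permissive policy. */
static bool plain_keeps_contract(void) {
    static const unsigned char msg[] = "hello";
    data_t *d = decode_nsdata("NSData", msg, 5, NULL, 0, false);
    bool ok = d && nsdata_invariant_holds(d) && overread_bytes(d) == 0;
    data_free(d); return ok;
}
/* Before the fix: the future is accepted as an NSData and SECRET_PATH is read into it. */
static bool future_reads_secret_before_fix(void) {
    data_t *d = decode_nsdata("_NSDataFileBackedFuture", NULL, 0, SECRET_PATH, 4096, false);
    bool leaked = d && backing_size(d) == strlen(SECRET) && memcmp(d->bytes(d), SECRET, strlen(SECRET)) == 0;
    data_free(d); return leaked;
}
/* Before the fix: how far a consumer trusting length() reads past the file's bytes (0 if rejected). */
static size_t future_overread_before_fix(size_t declared_len) {
    data_t *d = decode_nsdata("_NSDataFileBackedFuture", NULL, 0, SECRET_PATH, declared_len, false);
    size_t over = d ? overread_bytes(d) : 0;
    data_free(d); return over;
}
/* After the fix: exact matching rejects the subclass before any file is touched. */
static bool future_rejected_after_fix(void) {
    data_t *d = decode_nsdata("_NSDataFileBackedFuture", NULL, 0, SECRET_PATH, 4096, true);
    bool rejected = d == NULL; data_free(d); return rejected;
}

int main(void) {
    printf("plain keeps contract: %d\nfuture leaks file before fix: %d (over-read %zu bytes)\nfuture rejected after fix: %d\n",
           plain_keeps_contract(), future_reads_secret_before_fix(), future_overread_before_fix(4096), future_rejected_after_fix());
    return 0;
}
```

Build with any C99 compiler (for example cc -std=c99 future.c) and run it. The two lines worth staring at are the acceptance test in decode_nsdata, where is_kind_of versus exact matching decides whether the future object ever exists, and overread_bytes, which measures the gap that a length decoded from the archive opens up over a buffer whose size the file, not the archive, determines.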

GitUp 1.1

GitUp 1.1 adds support for Dark Mode, Catalina, dragging files out of the app, and the DiffMerge tool.


The Problems With HomePod

Kirk McElhearn:

Apple released the HomePod in February, 2018, and the device has never seemed to catch on. There have been strong rumors recently about a HomePod 2 coming next year. But there are lots of problems with the HomePod, which Apple needs to address.


In any case, the market decides for products like this. The HomePod just seems like it wasn’t thought out for real-world usage. It has powerful technology, which is wasted, and its price is way above what people want to pay.

This is probably the most comprehensive take I’ve seen.

Update (2019-08-29): Kirk McElhearn:

I’m correcting a statement that Daniel Eran Dilger on AppleInsider posted in a rebuttal to my recent article about the HomePod. While I’m happy to disagree on some points, he makes the statement below about the HomePod not being a mono speaker, which is simply incorrect.


Listen to that song on a single HomePod and you’ll quickly understand that it’s not stereo. The two channels are in a single stream, and you don’t hear the voice on one side and the guitar and drums on the other.

Nick Heer:

But I wonder if some of this advanced speaker technology is being prototyped for a wider rollout in the company’s more mainstream products. Perhaps this is a test bed for getting impossibly good sound out of the speakers in a MacBook or an iMac, for example.