Amazon (Reddit, Hacker News, 2, 3):
We are investigating increased error rates and latencies for multiple AWS services in the US-EAST-1 Region.
I like how, unlike Apple’s status page, you can see a history of outages and updates.
Jess Weatherbed:
A major Amazon Web Services (AWS) outage took down multiple online services for several hours this morning, including Amazon, Alexa, Snapchat, Fortnite, ChatGPT, Epic Games Store, Epic Online Services, and more. Some of the impacted platforms, including Fortnite, Epic Games Store, and Perplexity had announced that they are fully recovered and back online earlier this morning, while others are still having issues.
The AWS dashboard first reported issues affecting the US-EAST-1 Region at 3:11AM ET, and eventually said that “The underlying DNS issue has been fully mitigated.”
I noticed this through problems with Amazon SES, which seemed to continue long after Amazon reported it as fixed. Also, the status page said the outage was confined to Northern Virginia, but I saw reports that other zones were affected, too.
caymanjim:
This is the real problem. Even if you don’t run anything in AWS directly, something you integrate with will. And when us-east-1 is down, it doesn’t matter if those services are in other availability zones. AWS’s own internal services rely heavily on us-east-1, and most third-party services live in us-east-1.
It really is a single point of failure for the majority of the Internet.
Normally, my site and store will failover to using Mailgun, but this ran into two problems:
SES was not failing right away, so it wouldn’t try Mailgun until after some sort of timeout.
Mailgun failed with “Connection unexpectedly closed” errors. It’s unclear to me whether this is because part of their SMTP service relies on other AWS services that were also down.
See also: Dave Mark, Brian Webster, John Gruber, Ryan Jones, Christina Warren.
Update (2025-10-21): The cause of my Mailgun problem was, apparently, that they disable your account if you haven’t logged in in a while. After logging into the Web interface, SMTP support was automatically reactivated.
Corey Quinn (via Hacker News):
And so, a quiet suspicion starts to circulate: where have the senior AWS engineers who’ve been to this dance before gone? And the answer increasingly is that they’ve left the building — taking decades of hard-won institutional knowledge about how AWS’s systems work at scale right along with them.
[…]
Once you reach a certain point of scale, there are no simple problems left. What’s more concerning to me is the way it seems AWS has been flailing all day trying to run this one to ground. Suddenly, I’m reminded of something I had tried very hard to forget.
[…]
You can hire a bunch of very smart people who will explain how DNS works at a deep technical level (or you can hire me, who will incorrect you by explaining that it’s a database), but the one thing you can’t hire for is the person who remembers that when DNS starts getting wonky, check that seemingly unrelated system in the corner, because it has historically played a contributing role to some outages of yesteryear.
Axel Le Pennec:
Should we have a fallback to plain StoreKit in case RevenueCat, Superwall or Adapty are down? 🤔
I guess apps that are only using StoreKit weren’t affected by the AWS outage.
Calum Patterson:
A major Amazon Web Services (AWS) outage on October 20 had the unexpected side effect of causing chaos in bedrooms across the US, as owners of Eight Sleep’s $2,000+ ‘Pod’ mattress covers found their smart beds had no offline mode and were stuck at high temperatures and odd positions in the night.
Dave Polaschek:
The outage today reminded me of July 28, 1995, when almost all of Minnesota fell off the Internet.
Update (2025-10-22): See also: Ashley Belanger, Ben Thompson, Matt Stoller.
Update (2025-10-23): Gergely Orosz:
Today, we look into what caused this outage.
Update (2025-10-28): Thomas Claburn:
Signal president Meredith Whittaker called attention to this massive dependency in a thread on the Mastodon social network, explaining how the concentration of power among cloud hyperscalers limits the options of services like Signal in terms of resiliency and network control.
Whittaker said that the concentration of power among cloud hyperscalers (AWS, Google, and Microsoft) is less widely understood than she expected, which bodes poorly for efforts to craft realistic strategies to change this dynamic.
She explained, “The question isn’t ‘why does Signal use AWS?’ It’s to look at the infrastructural requirements of any global, real-time, mass comms platform and ask how it is that we got to a place where there’s no realistic alternative to AWS and the other hyperscalers.”
Norbert Heger:
Back in our pilot Deletion Impossible, you learned about a bug in macOS 15.3 where dragging an app to the Trash did not reliably uninstall its system extension. Despite macOS promising to “remove the associated system extension,” the extension often stayed behind.
With macOS 26 Tahoe, this problem has reappeared. Once again, moving an app to the Trash does not always remove its embedded system extension, even though the system dialog claims it will. The result: a system extension still running on your Mac long after you thought you had uninstalled the app.
[…]
You can confirm whether an extension is still present by opening a Terminal window and running the following command:
systemextensionsctl list
Little Snitch 3.3 has some improvements, though:
Connections made by an app on behalf of Password AutoFill (typically to fetch website icons) are now attributed to the Password AutoFill helper process instead of the app itself.
Connections from XPC helper processes used by app extensions are now attributed to their corresponding extension.
Michael Simon (via Ric Ford):
If you use Firefox on a Mac or PC, Apple offers a handy browser extension that puts your iCloud passwords right at your fingertips without needing to open a separate app. However, a new warning might make you think twice before you use it next time.
As reported by The Hacker News, a new Document Object Model vulnerability has been discovered by security researcher Marek Tóth that could allow attackers to steal users’ credit card details, personal data, and login credentials through so-called clickjacking or UI redressing.
[…]
While some flaws have been patched, several popular password manager extensions are at risk, including 1Password, LastPass, and iCloud. With iCloud Passwords, researchers specifically point to version 3.1.25, which Firefox uses. Chrome uses a newer version, 3.1.27, though it appears as though the flaw still exists.
Ravie Lakshmanan:
To pull off the attack, all a bad actor has to do is create a fake site with an intrusive pop-up, such as a login screen or a cookie consent banner, while embedding an invisible login form such that clicking on the site to close the pop-up causes the credential information to be auto-filled by the password manager and exfiltrated to a remote server.
“All password managers filled credentials not only to the ‘main’ domain, but also to all subdomains,” Tóth explained. “An attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).”
I dislike this whole architecture of integrating password managers via browser extensions. I don’t want the page content to be able to fool the extension, and I don’t like the extension being able to read the page content.
Update (2025-10-21): Paulo Andrade (Mastodon):
Secrets’ browser extension does not automatically drop down or insert credentials when a login or form field is detected. Instead, it requires the user to explicitly trigger a fill (click its icon, or invoke it via the toolbar or a keyboard shortcut) and select which credential to fill on the main app itself.
Such a “dumb” mode reduces the attack surface, especially for these kinds of UI/overlay, clickjacking, or pointer manipulation attacks. If autofill doesn’t happen automatically, there’s no invisible dropdown to trick. The attacker can’t overlay or capture clicks if nothing is shown by default.
By requiring consent in the main app, Secrets minimizes exposure. You hold back the credential until absolutely necessary. That reduces what malicious scripts on the page could grab.
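The subdomain filling that Tóth describes and the explicit-confirmation design that Andrade describes, modeled as a fill decision. This is an added example, not code from any of the password managers mentioned; the function names, context fields and hosts are hypothetical.

```javascript
// Added example. Function names, context fields and hosts are hypothetical.
function parseOrigin(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port };
}

// 'exact'     : scheme, host and port must equal the saved origin.
// 'subdomain' : the saved host or any subdomain of it is accepted
//               (the behaviour described in the quoted research).
function originMatches(savedUrl, pageUrl, policy) {
  const saved = parseOrigin(savedUrl);
  const page = parseOrigin(pageUrl);
  if (page.scheme !== 'https:' || saved.scheme !== page.scheme) return false;
  if (policy === 'exact') {
    return saved.host === page.host && saved.port === page.port;
  }
  if (policy === 'subdomain') {
    // Compare on a label boundary so "evilexample.com" never matches.
    return page.host === saved.host || page.host.endsWith('.' + saved.host);
  }
  throw new Error('unknown policy: ' + policy);
}

// Release a credential only when the origin matches, the form is in the
// top-level frame, and the user picked the entry in UI outside the page.
function shouldFill(ctx, policy) {
  return originMatches(ctx.savedUrl, ctx.pageUrl, policy) &&
    ctx.isTopFrame === true &&
    ctx.confirmedOutsidePage === true;
}

// Constructed sample pages, all checked against one saved login.
const SAVED = 'https://example.com/login';
const PAGES = [
  'https://example.com/account',
  'https://blog.example.com/post',   // subdomain with its own content
  'https://evilexample.com/login',   // look-alike suffix
  'http://example.com/login',        // downgraded scheme
];

function compare() {
  return PAGES.map((pageUrl) => ({
    pageUrl,
    exact: originMatches(SAVED, pageUrl, 'exact'),
    subdomain: originMatches(SAVED, pageUrl, 'subdomain'),
  }));
}

console.log(compare());
```

Under the exact policy only the first constructed page is eligible, while the subdomain policy also accepts the blog host, so a flaw on any subdomain is enough to reach the saved login.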
Ben Lovejoy:
A former Meta product manager has claimed that the social network circumvented Apple’s privacy protections, as well as cheating advertisers, and fired him when he repeatedly raised the issue internally.
[…]
It was quickly alleged that Meta was using workarounds to continue to track users who had denied permission, alongside other privacy violations. A class action lawsuit followed.
A fired product manager at the company, Samujjal Purkayastha, has now taken his case to an employment tribunal claiming he was unlawfully dismissed for raising concerns about the practice, reports the Financial Times.
Meta, of course, says this is nonsense and that he wasn’t fired for being a whistleblower. My takeaway continues to be that Apple should not be presenting privacy information to its customers that sounds authoritative but which it has no way to verify or enforce.