Amazon (Reddit, Hacker News, 2, 3):
We are investigating increased error rates and latencies for multiple AWS services in the US-EAST-1 Region.
I like how, unlike Apple’s status page, you can see a history of outages and updates.
Jess Weatherbed:
A major Amazon Web Services (AWS) outage took down multiple online services for several hours this morning, including Amazon, Alexa, Snapchat, Fortnite, ChatGPT, Epic Games Store, Epic Online Services, and more. Some of the impacted platforms, including Fortnite, Epic Games Store, and Perplexity had announced that they are fully recovered and back online earlier this morning, while others are still having issues.
The AWS dashboard first reported issues affecting the US-EAST-1 Region at 3:11AM ET, and eventually said that “The underlying DNS issue has been fully mitigated.”
I noticed this through problems with Amazon SES, which seemed to continue long after Amazon reported it as fixed. Also, the status page said the outage was confined to Northern Virginia, but I saw reports that other zones were affected, too.
caymanjim:
This is the real problem. Even if you don’t run anything in AWS directly, something you integrate with will. And when us-east-1 is down, it doesn’t matter if those services are in other availability zones. AWS’s own internal services rely heavily on us-east-1, and most third-party services live in us-east-1.
It really is a single point of failure for the majority of the Internet.
Normally, my site and store will failover to using Mailgun, but this ran into two problems:
SES was not failing right away, so it wouldn’t try Mailgun until after some sort of timeout.
Mailgun failed with “Connection unexpectedly closed” errors. It’s unclear to me whether this is because part of their SMTP service relies on other AWS services that were also down.
See also: Dave Mark, Brain Webster, John Gruber, Ryan Jones, Christina Warren.
Previously:
Amazon SES Amazon Web Services Mailgun Outage Web Web API
Norbert Heger:
Back in our pilot Deletion Impossible, you learned about a bug in macOS 15.3 where dragging an app to the Trash did not reliably uninstall its system extension. Despite macOS promising to “remove the associated system extension,” the extension often stayed behind.
With macOS 26 Tahoe, this problem has reappeared. Once again, moving an app to the Trash does not always remove its embedded system extension, even though the system dialog claims it will. The result: a system extension still running on your Mac long after you thought you had uninstalled the app.
[…]
You can confirm whether an extension is still present by opening a Terminal window and running the following command:
systemextensionsctl list
Little Snitch 3.3 has some improvements, though:
Connections made by an app on behalf of Password AutoFill (typically to fetch website icons) are now attributed to the Password AutoFill helper process instead of the app itself.
Connections from XPC helper processes used by app extensions are now attributed to their corresponding extension.
Previously:
Apple Password Manager Bug Little Snitch Mac Mac App macOS Tahoe 26 Network Extensions Networking
Michael Simon (via Ric Ford):
If you use Firefox on a Mac or PC, Apple offers a handy browser extension that puts your iCloud passwords right at your fingertips without needing to open a separate app. However, a new warning might make you think twice before you use it next time.
As reported by The Hacker News, a new Document Object Model vulnerability has been discovered by security researcher Marek Tóth that could allow attackers to steal users’ credit card details, personal data, and login credentials through so-called clickjacking or UI redressing.
[…]
While some flaws have been patched, several popular password manager extensions are at risk, including 1Password, LastPass, and iCloud. With iCloud Passwords, researchers specifically point to version 3.1.25, which Firefox uses. Chrome uses a newer version, 3.1.27, though it appears as though the flaw still exists.
Ravie Lakshmanan:
To pull off the attack, all a bad actor has to do is create a fake site with an intrusive pop-up, such as a login screen or a cookie consent banner, while embedding an invisible login form such that clicking on the site to close the pop-up causes the credential information to be auto-filled by the password manager and exfiltrated to a remote server.
“All password managers filled credentials not only to the ‘main’ domain, but also to all subdomains,” Tóth explained. “An attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).”
I dislike this whole architecture of integrating password managers via browser extensions. I don’t want the page content to be able to fool the extension, and I don’t like the extension being able to read the page content.
Previously:
1Password Apple Password Manager Exploit Firefox Google Chrome iCloud Keychain LastPass Mac macOS Tahoe 26 Privacy Security
Ben Lovejoy:
A former Meta product manager has claimed that the social network circumvented Apple’s privacy protections, as well as cheating advertisers, and fired him when he repeatedly raised the issue internally.
[…]
It was quickly alleged that Meta was using workarounds to continue to track users who had denied permission, alongside other privacy violations. A class action lawsuit followed.
A fired product manager at the company, Samujjal Purkayastha, has now taken his case to an employment tribunal claiming he was unlawfully dismissed for raising concerns about the practice, reports the Financial Times.
Meta, of course, says this is nonsense and that he wasn’t fired for being a whistleblower. My takeaway continues to be that Apple should not be presenting privacy information to its customers that sounds authoritative but which it has no way to verify or enforce.
Previously:
Advertising App Tracking Transparency Business Facebook iOS iOS 18 iOS App Lawsuit Legal Meta Privacy Privacy Nutrition Labels
