Juli Clover:
Language learning app Duolingo has apparently been using the iPhone’s Live Activity feature to display ads on the Lock Screen and the Dynamic Island, which violates Apple’s design guidelines.
According to multiple reports on Reddit, the Duolingo app has been displaying an ad for a “Super offer,” which is Duolingo’s paid subscription option.
Just like with notifications, another guideline that Apple doesn’t enforce. You have to fill out a privacy manifest to justify reading your own preferences file or displaying a timestamp to a user, but there are no such restrictions on Live Activities or notifications, nor even an API to tag them with a type so that users could choose to filter out ads and promotions.
Previously:
Update (2026-01-08): Nick Heer:
I saw this, too.
[…]
But the HIG is not the App Store Guidelines, and there is nothing in there expressly prohibiting this behaviour, as far as I can see.
Advertising App Review App Store Duolingo iOS iOS 26 iOS App Live Activities Push Notifications
Tim Hardwick (Slashdot, Hacker News):
Logitech users on macOS found themselves locked out of their mouse customizations yesterday after the company let a security certificate expire, breaking both its Logi Options+ and G HUB configuration apps.
Logitech devices like its MX Master series mice and MX Keys keyboards stopped working properly as a result of the oversight, with users unable to access their custom scrolling setup, button mappings, and gestures. It wasn't long before the Logitech subreddit was awash with frustrated reports as people discovered their configured peripherals had suddenly reverted to default settings.
Jeff Johnson:
This article is technically inaccurate, sigh.
All Developer ID code signing certificates expire eventually, and macOS does NOT prevent software with an expired certificate from running, otherwise all of your older apps would be dead now.
Logitech was doing some ADDITIONAL validation of their own design, and that's where the problem occurred.
Logitech:
Because the certificate also affected the in‑app updater, you will need to manually download and install the updated version of the app. Please do not uninstall the app and follow the steps below.
[…]
The certificate that expired is used to secure inter-process communications and the expiration resulted in the software not being able to start successfully.
Previously:
Update (2026-01-08): Jeff Johnson (Mastodon):
The news reporting on this incident included misinformation about how macOS Developer ID code signing works.
[…]
These stories place the blame on macOS for refusing to run apps with expired Developer ID code signing certificates, but this is false! Apple documents the behavior on its certificates support page:
If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate. However, you’ll need a new certificate to sign updates and new applications.
[…]
In other words, there’s nothing to worry about until the year 2035 at the earliest, though admittedly it’s a bit troubling that these apps have a ticking time bomb, so to speak. On the other hand, Developer ID provisioning profiles are optional, used only for a few features such as iCloud support, so many or even most Developer ID signed Mac apps have no provisioning profile, and thus no expiration.
Connor Jones:
A Logitech spokesperson replying to angry Redditors said the company was sorry for the issue and resulting disruption.
They wrote: “We dropped the ball here. This is an inexcusable mistake. We’re extremely sorry for the inconvenience caused.”
Bug Code Signing Interprocess Communication (IPC) Logitech Mac Mac App macOS Tahoe 26 Mouse Security The Media
Claudio Wunder (Hacker News):
Any Engineer at @1Password here? Your Chrome Extension seems to recently started breaking HTML from certain pages. For example, the Node.js website code snippets break when 1Password Extension is enabled.
Evan You:
1Password browser extension is injecting Prism.js globally on every page, which then applies its syntax highlighting logic on all <code> blocks matching [lang=*] regardless of whether it’s meant to be compatible, thus breaking original highlighting.
As I’ve said, I dislike this whole architecture where you need a browser extension that can read and write to the page in order to enter your password. I would hope that as little code as possible is injected and that it’s all been vetted by 1Password, not just pulled down as a dependency.
1Password:
We’re aware of an issue in recent versions of the 1Password browser extension that can interfere with syntax highlighting on some pages.
The team is actively working on a fix. We don’t have a timeline to share yet, but keeping the extension up to date will ensure you receive it once it’s available.
Robert Menke:
Sorry this bug slipped through our release process. I just raised this issue again in our internal Slack. We are working on getting a fix out.
[…]
The fix has already been merged into our main branch. We’ll be putting out a release with just this fix. I’m hoping to have it submitted to the browser extension stores today [December 30].
It’s unclear to me whether this is fixed. The latest Mac version still seems to be 8.11.22 from December 9. When I go to the page for the browser extension and click “what’s new” it takes me here, which is a release from December 30 that talks about passkeys and then says only:
We’ve made general improvements and fixed various bugs for a better 1Password experience.
I don’t see anything on the announcements page or Twitter.
Christina Warren:
I’m glad @1Password is taking this seriously now. But this issue was reported on their community forum and to their engineers weeks ago in beta and was not prioritized as a fix until it went viral here. Every company is guilty of this kind of triage, but this is a process failure as much as it is a testing one.
sheng:
really hoping to read a postmortem on this one
Previously:
Update (2026-01-08): Paulo Andrade:
One more reason for dumb extensions. Secrets extension doesn’t do anything to the page before it’s summoned. And even after that, it doesn’t change the DOM in any way (asides from filling input fields).
VS:
Apple does make autofill API available… it’s entirely 1P’s choice to not use it.
Paulo Andrade:
I’d say the API is the preferred way. It works fine, and also works on other native apps.
1Password Bug JavaScript Mac Mac App macOS Tahoe 26 Passwords Safari Extensions
