Leaking URLs to the Clown
The author describes leaking URLs during Mac app testing, with a unique URL receiving requests from a random "cloud" service every three hours. This raises privacy concerns and highlights potential risks for users.
The author shares a peculiar experience of leaking URLs while testing apps from the Mac App Store. One of the unique URLs handed to an app began receiving requests from a third-party "cloud" service with no prior indication that the URL would be shared. Even after the programs were stopped, the requests kept arriving every three hours. This raises a privacy concern: the app's web page implies that content is accessed offline, without an internet connection, which the continuous polling contradicts. The unexpected leakage highlights a risk for users who open sensitive content through such apps: any URL the app sees may be copied to a server the user never chose.
Related
Simple ways to find exposed sensitive information
Various methods to find exposed sensitive information are discussed, including search engine dorking, Github searches, and PublicWWW for hardcoded API keys. Risks of misconfigured AWS S3 buckets are highlighted, stressing data confidentiality.
The First Spatial Computing Hack
Ryan Pickren found a Safari bug letting websites flood a user's space with 3D objects. Apple fixed it (CVE-2024-27812) in June after Ryan's report. The bug exploited Apple AR Kit Quick Look, launching objects without consent.
European Union regulators accuse Apple of breaching the bloc's tech rules
EU accuses Apple of Digital Markets Act violations for restricting App Store alternatives and charging high developer fees. New probe initiated on contractual terms. Apple defends changes, faces potential fines up to 10%.
Apple found in breach of EU competition rules
Apple breached EU competition rules by not complying with the Digital Markets Act, hindering app developers from directing consumers to alternative channels. The company faces fines if not compliant within 12 months.
Snowflake breach snowballs as more victims, perps, come forward
The Snowflake data breach expands to include Ticketek, Ticketmaster, and Advance Auto Parts. ShinyHunters claim involvement, Snowflake enforces security measures. CDK faces ransomware attack, Juniper and Apple vulnerabilities identified. Jetflicks operators convicted.
Which one? No names were named at any point in this post.
Everyone needs to accept the fact there's no such thing as a private URL. There are URLs that can be originally communicated to you privately—through a private channel, that is—but insisting on holding onto some (wrong) belief that we can or should be able to mint URLs that themselves possess some "private" quality goes against the fundamental design of the Web and what a URL even is.
(Yes, this does mean that every podcaster that implements subscriptions by giving one feed URL to free listeners and having listeners who pay for premium content use a different URL is fundamentally broken. Yes, this does mean that that big engineering organization that implemented file uploads and read/write access through slugs consisting of unguessable 128+ bit tokens is also wrong.)
URLs are not secrets. Don't treat them as such.
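As an added example, not code from the linked post or from the commenter above: a small Python simulation of the access-log line a web server or reverse proxy writes for each request, showing where a "private" capability URL ends up compared with the same secret sent in a header. The hostnames, the 128-bit token, the resource id and the log format details are all constructed for illustration; hardened_request describes an assumed API shape, not the linked app's API.

```python
"""Added example (not code from the linked post or from the commenter above):
simulate the access-log line a web server or reverse proxy writes per
request, to show where a 'private' capability URL ends up. Every hostname,
token and resource id here is constructed for illustration."""

import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: a 128-bit hex token used as an unguessable slug.
TOKEN = "3f9c1e7a0b2d4c6e8a1f5b7d9c0e2a4f"
CAP_URL = f"https://files.example.test/d/{TOKEN}?dl=1#client-side-only"

# Loose shape of a long high-entropy token (hex or base64url); tune per app.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{32,}$")


def access_log_line(method: str, url: str, headers: dict, status: int = 200) -> str:
    """Approximate the Apache/nginx 'combined' log format for one request.

    Path and query are written verbatim, the Referer header is written
    verbatim, the fragment never leaves the client, and Authorization is
    not part of the format (unless an operator adds it to a custom format)."""
    p = urlsplit(url)
    target = p.path + (f"?{p.query}" if p.query else "")
    referer = headers.get("Referer", "-")
    agent = headers.get("User-Agent", "-")
    return (f'203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] '
            f'"{method} {target} HTTP/1.1" {status} 512 "{referer}" "{agent}"')


def hardened_request(resource_id: str, token: str) -> tuple:
    """Assumed alternative API shape: the URL names the resource, the secret
    travels in a header. The server must still verify the token; the point is
    only that logs, history and Referer no longer carry it."""
    url = f"https://files.example.test/d/{resource_id}"
    return url, {"Authorization": f"Bearer {token}"}


def redact_url(url: str) -> str:
    """Defensive logging: mask token-shaped path segments and query values
    and drop the fragment before a URL is written anywhere persistent."""
    p = urlsplit(url)
    path = "/".join("REDACTED" if TOKEN_RE.match(s) else s for s in p.path.split("/"))
    query = [(k, "REDACTED" if TOKEN_RE.match(v) else v)
             for k, v in parse_qsl(p.query, keep_blank_values=True)]
    return urlunsplit((p.scheme, p.netloc, path, urlencode(query), ""))


def leaks_token(line: str, token: str = TOKEN) -> bool:
    """True if the secret appears verbatim in the given log line or URL."""
    return token in line


if __name__ == "__main__":
    # 1. The capability URL itself: the token lands in the origin server's log.
    own = access_log_line("GET", CAP_URL, {"User-Agent": "Mozilla/5.0"})
    # 2. A page at CAP_URL embeds a third-party image. If the client sends a
    #    full Referer (non-browser clients, or Referrer-Policy: unsafe-url;
    #    current browsers trim cross-origin Referer to the origin by default),
    #    the token lands in the third party's log as well.
    third = access_log_line("GET", "https://cdn.example.test/logo.png",
                            {"Referer": CAP_URL})
    # 3. Same resource, token in a header: the log line stays clean.
    url, hdrs = hardened_request("report-42", TOKEN)
    safe = access_log_line("GET", url, hdrs)
    for name, line in (("own-origin", own), ("third-party", third), ("header-auth", safe)):
        print(f"{name:12} leaks token: {leaks_token(line)}")
    print("redacted:", redact_url(CAP_URL))
```

Run it directly to see the three log lines classified; the first two contain the token in clear text and the header-based one does not. The redaction helper is a last line of defence for code that must log URLs it did not mint, not a substitute for keeping secrets out of the URL in the first place.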