Apple Releases Safari Technology Preview 107 With Bug Fixes and Performance Improvements

HBO Max Now Available on Apple TV and iOS Devices

HBO Max launched today, and is now available on Apple TV, iPhone, and iPad. WarnerMedia’s new streaming service, which replaces HBO Now, combines HBO content with shows and films from Warner Bros and Turner TV.
The service is available as a native app on the ‌Apple TV‌ HD and ‌Apple TV‌ 4K, but second and third-generation ‌Apple TV‌ owners will need to AirPlay HBO Max content…

APFS Bug in macOS Catalina 10.15.5 Impacts the Creation of Bootable Backups

An Apple File System bug has been discovered in macOS Catalina 10.15.5 that can prevent users from making a bootable clone of their system drive, according to the creator of Carbon Copy Cloner.


In a blog post on Wednesday, software developer Mike Bombich explained that the CCC team had uncovered the issue in the Apple File System, or APFS, when attempting to create a bootable backup in a beta version of macOS 10.15.5.

According to Bombich, the bug prevents CCC from using its own file copier to establish an initial bootable backup of a ‌macOS Catalina‌ System volume. In technical terms:

The chflags() system call can no longer set the SF_FIRMLINK flag on a folder on an APFS volume. Rather than fail with an error code that we would have detected, it fails silently – it exits with a **success** exit status, but silently fails to set the special flag. That’s a bug in the APFS filesystem implementation of chflags – if a system call doesn’t do what you ask it to do, it’s supposed to return an error code, not success.

We don’t need to set many of these flags, nor set them frequently – just on the first backup of the macOS system volume. It happens to be essential to the functionality of an APFS volume group, though, so the failure to set these flags means that new full-system backups created on 10.15.5 and later won’t be bootable, and it will _appear_ as if none of your data is on the destination (to be clear, though, all of the data is backed up). Kind of the opposite of what we’re trying to do here. It’s hard to find kind words to express my feelings towards Apple right now.

Suffice it to say, though, I’m extremely disappointed that Apple would introduce this kind of bug in a dot-release OS update. We’ve seen 5 major updates to Catalina now, we should expect to see higher quality than this from an operating system.

On a positive note, existing backups created in macOS 10.15.4 and earlier are unaffected, the bug has no effect on CCC’s ability to preserve data, nor does it affect the integrity of the filesystems on a startup disk or a backup disk. In short, the impact of this bug is limited to the initial creation of a bootable backup.
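The failure mode Bombich describes, a system call that returns success without doing the work, cannot be caught by checking the return code at all; the only defence is to read the state back. The block below is an added example and not code from CCC or Apple: it wraps the flag-setting call, re-reads the inode's flags afterwards and treats a missing bit as an error in its own right. The SF_FIRMLINK value is the one from macOS's `<sys/stat.h>`; the `FakeInode` class, its `drops` mask and the backup path are constructed for the demonstration so the check can be exercised on any platform without a real chflags call.

```python
import os

# SF_FIRMLINK as defined in macOS <sys/stat.h> ("file is a firmlink").
# Older Python stat modules do not define it, so it is spelled out here.
SF_FIRMLINK = 0x00800000


class SilentSyscallFailure(OSError):
    """The call reported success but the requested flag is not on the inode."""


def kernel_chflags(path, flags):
    """Default setter: os.chflags, which only exists on BSD-derived systems."""
    chflags = getattr(os, "chflags", None)
    if chflags is None:
        raise NotImplementedError("BSD file flags are not supported on this platform")
    chflags(path, flags)


def kernel_flags(path):
    """Default reader: st_flags from stat(2); zero where the field does not exist."""
    return getattr(os.stat(path), "st_flags", 0)


def set_flag_verified(path, flag, setter=kernel_chflags, reader=kernel_flags):
    """Set one BSD file flag and confirm it by reading the inode back.

    An honest failure surfaces as the OSError the setter raises. A call that
    returns without error while the bit is still clear (the 10.15.5 behaviour
    described above) raises SilentSyscallFailure instead of passing as success.
    setter and reader are injectable so the check can be run against a
    simulated kernel.
    """
    before = reader(path)
    if before & flag:
        return True                      # already set, nothing to do
    setter(path, before | flag)          # keep the inode's other flags intact
    after = reader(path)
    if not after & flag:
        raise SilentSyscallFailure(
            f"{path}: flag {flag:#010x} missing after a successful call "
            f"(flags before={before:#010x}, after={after:#010x})")
    return True


class FakeInode:
    """Constructed stand-in for one inode's flag word, used to test the check.

    `drops` is the set of bits this simulated kernel accepts but never stores,
    which is how the bug above behaves for SF_FIRMLINK.
    """
    def __init__(self, flags=0, drops=0):
        self.flags = flags
        self.drops = drops

    def chflags(self, path, flags):
        self.flags = flags & ~self.drops  # returns normally, i.e. "success"

    def stat_flags(self, path):
        return self.flags


if __name__ == "__main__":
    target = "/Volumes/Backup/System"      # constructed path for the demo
    honest = FakeInode()
    set_flag_verified(target, SF_FIRMLINK, honest.chflags, honest.stat_flags)
    print("honest kernel: flag set ->", bool(honest.flags & SF_FIRMLINK))
    buggy = FakeInode(drops=SF_FIRMLINK)
    try:
        set_flag_verified(target, SF_FIRMLINK, buggy.chflags, buggy.stat_flags)
    except SilentSyscallFailure as err:
        print("buggy kernel detected:", err)
```

On a real system the default setter and reader are used, so the same function both sets the flag and refuses to report a firmlink that was never created.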

Any CCC user who established a backup on a previous version of Catalina already has functional firmlinks on the bootable volume, and CCC will continue to update that volume just fine. Meanwhile, users wanting to create a new backup of a 10.15.5 volume to an empty disk should replace their copy of CCC with the CCC 5.1.18 beta, then follow these steps on launching the app.

  1. Click the X button in the Destination selector box to clear the destination selection.
  2. Click on the Destination selector and reselect the destination volume.

CCC will then guide users through the procedure of creating a bootable backup, or a Data-only backup instead. The new functionality uses Apple’s Software Restore (ASR) utility and is documented here.

Bombich has notified Apple of the bug, but he ends his blog post by entertaining the possibility that it is a security fix to prevent third-parties from creating firmlinks. If so, he argues, “this is far worse than a bug,” since the system currently reports a success when it should report a failure, not to mention that Apple’s lack of documentation on the change is hostile to third-party developers who rely on documented functionality.

Apple Confirms ‘No Longer Shared’ App Bug Has Been Fixed

On Friday, an App Store bug surfaced that caused newly updated apps to fail to open when tapped, with users receiving a message stating “This app is no longer shared with you.”


The problem affected dozens of apps that had received updates, including Facebook, Twitter, YouTube, WhatsApp, TikTok, and others. There was no fix at the time except for offloading an affected app and then re-downloading it, which was a hassle to do for every impacted app.

On Sunday morning, iPhone and iPad owners began noticing dozens of pending app updates in the App Store, including for many apps that had already been updated. The updates extended back as far as 10 days and appeared to have been released to address the bug causing apps to fail to open.

Apple today confirmed to TechCrunch that the “No Longer Shared” bug has been addressed and fixed for all affected customers, but did not provide details on what the problem was.

Customers who had apps that would not open should be able to use them again after downloading the relevant updates from the ‌App Store‌. Apps can be updated by opening the ‌App Store‌, tapping on your profile picture, swiping down to refresh, and then tapping the “Update All” option.

Apple Reissuing Numerous iOS App Updates, Potentially Related to Recent ‘This App is No Longer Being Shared’ Bug

Over the past few hours, a number of MacRumors readers have reported seeing dozens or even hundreds of pending app updates showing in the App Store on their iOS devices, including for many apps that were already recently updated by the users. In many cases, the dates listed on these new app updates extend back as far as ten days.


Apple has not shared any information as to why updates for these already up-to-date apps are being reissued, but some users suspect it may be related to the recent “This app is no longer shared with you” issue that was preventing some users from launching certain apps unless they are offloaded or deleted and then reinstalled.

It’s possible there was an issue with an expired certificate or other credential related to app sharing, and Apple has had to reissue these updates to include a valid certificate on each of the affected apps in order to fix the issue.

So if you’re seeing an unusual number of app updates available in the ‌App Store‌, you’re not alone.

iOS Bug Preventing Some Apps From Opening With ‘This App is No Longer Shared’ Message

An app bug is causing some iOS users to be unable to open their apps, with affected iPhone and iPad users seeing the message “This app is no longer shared with you” when attempting to access an app.


There are multiple complaints about the issue on the MacRumors forums and on Twitter from users who are running into problems. A MacRumors reader describes the issue:

Is anyone else experiencing widespread app crashes? I am suddenly being informed that “this app is no longer shared with you” from several iOS apps. When I follow the prompt to the app’s App Store page, the only option is to “open” which then just puts me back into the same loop.

Dozens of Twitter complaints suggest the issue is affecting people running both iOS 13.4.1 and iOS 13.5, and it’s not clear what’s causing the problem as not everyone appears to be affected. Some users have had the problem occur after updating apps in the last day.

There have been complaints about many apps including YouTube, Twitter, WhatsApp, Facebook, TikTok, LastPass, and more. We updated the WhatsApp app on an ‌iPhone‌ running iOS 13.5 prior to writing this article and immediately got the error message.

People impacted by the issue have been able to fix their apps by deleting the app that’s not working and reinstalling it. Offloading the app rather than deleting it may also work to fix the problem.

Edison Mail Sync Bug Allowing Access to Other Users’ Email Accounts

Several users of popular email app Edison Mail this morning are reporting that they are able to see email accounts of other users within the iOS app. In what appears to be a major privacy breach, users report that after enabling a new sync feature, they have full access to these other email accounts.


The new sync feature was recently rolled out by Edison to allow connected email accounts to show up across all of your devices, but clearly something has gone significantly wrong with the feature.



Users have also reported being able to see that other devices are linked to their accounts, indicating that others are able to see their emails.


Edison has yet to reply to any of the tweets from users reporting the issue, but at this time it certainly seems advisable for Edison Mail users who have enabled the sync feature to delete their email accounts from the app.

While it’s unlikely that users would be able to directly see the passwords of others’ email accounts, affected users may still want to change the passwords on their email accounts for some added peace of mind until more details on exactly what the issue is surface.

(Thanks, Chris!)


Apple Releases Safari Technology Preview 106 With Bug Fixes and Performance Improvements

Apple Goes on Cloud Computing Hiring Spree

Apple has hired multiple well-known software engineers with cloud computing expertise in recent months, according to a report from tech site Protocol.
The range of employees Apple has hired has created “a stir” in the “tight-knit cloud community,” and is a sign that Apple is perhaps planning to build serious cloud infrastructure to compete with Amazon, Microsoft, and Google.
Employees…

Undetected e.02 recap: Fredrik N. Almroth – Bug Bounties

Bug bounties – some argue that this is one of the buzzwords of the decade in the cybersecurity industry. Whatever you want to label it, it’s a trend that we can’t ignore these days. A lot of companies are taking part in it, so what’s it all about? 

There were many valuable soundbites to take from this, and especially from podcast guest, Fredrik N. Almroth (@almroot) because he’s hacked all the tech giants and more. If you can name it, he’s probably hacked it. We’ve taken highlights from this bug bounties episode, and the dialogue has been edited for brevity. Let’s dive in:

Image: Fredrik Nordberg Almroth, Detectify co-founder and world-class bug bounty hunter

Undetected – a web security podcast is a Detectify production that uncovers different depths of web security. You can listen to the full length of Episode 2 on SimpleCast or your preferred podcast platform. The video version is also available online.

Fredrik and his take on the evolution of web security

Fredrik: Well, I’m a security researcher and co-founder of Detectify and… I hunt for bug bounties, which kind of correlates to how we do things in Detectify. I started already in high school … when I met my fellow co-founders of Detectify. By that point we realized that, well the Internet is quite broken. This was back in 2006 when we first met and by 2008, we decided to start a consultancy business doing penetration testing. But one thing led to another and we started automating things and this idea kind of grew. So we all went to university and dropped out one after another. And by this point, some ideas started to stick, like crawling is pretty good to find your URLs on the website and if you have query parameters in URLs then you can start looking for SQL injection.

Then Cloud started becoming a buzzword around here in Sweden. So we figured why not make a new company doing something else.

Laura: We have taken quite huge strides when it comes to security in these past few years as well. How do you feel that automation, for example, played into this?

Fredrik: You can say that some vulnerabilities come and go, SQL injection was a lot more out there a couple of years ago, but now it’s mostly been abstracted away by different frameworks and so forth. But at the same time, you now have like server-side template injections, and it’s basically the same kind of injection attack.

They come and go, but in different forms over the years. Now there’s more out on the internet, more services, more technologies in general. There are more things, hence more things can break, but at the same time, the vulnerabilities that exist back then, are not as common nowadays except for XSS.

Laura: It (web security) really evolved and the hacks in general. The Tesla hack you did was a cross-site scripting attack. Right?

Tesla DOOM DOM XSS

Fredrik: Tesla was running Drupal at the time, and Drupal was bundled with a “what-you-see-is-what-you-get” kind of editor called CKEditor, and this library bundles with an example file. So using this example file you could do a drag-and-drop XSS where you can drag something that looks okay on one website onto some other place, and it executed in Tesla’s origin… And then you have cross-site scripting – Tesla DOM DOOM XSS. So what I demonstrated was you could play Doom on Tesla’s website, and I replaced the entire window with the game Doom.

Laura: That sounds like fun. Couldn’t play Doom anywhere else?

Fredrik: Yes, it’s, well I packed away this payload because it was fun. So I use it every now and again in various cross-site scripting demonstrations.

Getting read access on Google

Laura: Also a bigger vulnerability that you found previously was back in 2014 when you found an XXE vulnerability in Google. Basically you were able to run your own code on Google’s server. 

Fredrik: While the company wasn’t low on cash yet, Mathias Karlsson (a co-founder) and I figured that bug bounty actually works as a way to collect some money. So what’s the most bang for the buck? What companies are out there that we can hack and get the most money for the least amount of effort? Facebook or Google.  

Well, Facebook is not very fun to target, so we went for Google. Our approach was: we should find the newest features and products or go for the really old legacy stuff that they might’ve forgotten. So using Google search itself, we found a feature that dated earlier than 2008 called the Google toolbar button gallery. So if you remember this way back in the Internet Explorer, you had this toolbar from Google and companies could upload their own buttons to this toolbar and that was the feature we attacked. This was an XML file uploaded to Google.

You as a website owner could add your own button to the toolbar so that other users could find you. This button definition was an XML file and quite frankly, you can do a lot of weird things in a plain vanilla XML file, and an external entity is one of those.

Fredrik: We uploaded a file and gave it some name and description, etc, but we added a definition that instructed Google to try to read another file from their local file system. So we tried to pull the normal user file on Unix systems and uploaded it and it worked. But we asked, “Okay, did anything actually happen?” 

We made another attempt where we changed the title to something like “hello world”, and then searched on Google or for toolbar buttons containing “hello world.” … meaning we searched for what we just uploaded.

Laura: That’s kind of like local file inclusion.

Fredrik: Yeah, that’s basically the impact. We got read access on Google.com. This was quite fun. So from start to stop, it took us four hours to identify, exploit and have it reported.
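The toolbar-button finding Fredrik describes is an XML external entity (XXE) read: the server-side parser resolved an attacker-declared SYSTEM identifier, and the file's contents came back in a field that the site later displayed. Note that, as Fredrik says, the impact is read access to the server's files, not code execution. The block below is an added example, not Google's code and not the original report's payload. It reproduces the pattern with Python's `xml.sax` parser: the vulnerable configuration (external general entities resolved) beside the hardened one, both run against a file the example creates itself in a temporary directory as a stand-in for a server-side file. The element names (`button`, `title`, `description`) and the entity name `leak` are made up for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TitleCollector(ContentHandler):
    """Collects the text of <title>, the field the upload form later reflected."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self._parts = []

    def startElement(self, name, attrs):
        if name == "title":
            self._in_title = True

    def endElement(self, name):
        if name == "title":
            self._in_title = False

    def characters(self, content):
        if self._in_title:
            self._parts.append(content)

    @property
    def title(self):
        return "".join(self._parts).strip()


def parse_button_title(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse an uploaded button definition and return its title.

    resolve_external_entities=True is the vulnerable configuration: the parser
    fetches whatever SYSTEM identifier the uploader declared. False is the
    hardened setting (and the default in Python since 3.7.1); the reference
    to the external entity is then skipped rather than expanded.
    """
    handler = TitleCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.title


def malicious_button_xml(target_path: str) -> bytes:
    """Uploader-controlled document: declares an external entity pointing at a
    server-side file and references it inside the reflected <title> field."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE button [\n'
        f'  <!ENTITY leak SYSTEM "file://{target_path}">\n'
        ']>\n'
        '<button><title>hello world &leak;</title>'
        '<description>demo</description></button>\n'
    ).encode()


def run_demo() -> tuple:
    """Return (title seen by the vulnerable parser, title seen by the hardened one)."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "passwd")
        with open(target, "w") as handle:   # constructed stand-in for a server file
            handle.write("root:x:0:0:root:/root:/bin/sh\n")
        doc = malicious_button_xml(target)
        return parse_button_title(doc, True), parse_button_title(doc, False)


if __name__ == "__main__":
    vulnerable, hardened = run_demo()
    print("vulnerable parser reflects:", vulnerable)
    print("hardened parser reflects:  ", hardened)
```

The reflected title is what turns a blind entity expansion into a readable leak, which is exactly why the second upload with a searchable "hello world" title confirmed the read. Keeping external entity resolution off, and ideally rejecting any DOCTYPE in uploaded XML, closes this class of bug regardless of which file the entity points at.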

Start of bug bounty career:

Laura: Were these all bug bounty programs or were they public programs that you enrolled in or how did you stumble across these?

Fredrik: This was about the time that we actually founded Detectify and bug bounty started becoming something you spoke about on Twitter. So Google, in my world, was the first company I saw that had this kind of policy, meaning anyone can hack Google. If they manage to do it and Google accepts it as a new unique vulnerability, you get money for it and afterward, you can speak about it. As an early-stage startup, this was nice to have some material to be seen and heard.

Laura: How did people react to your work on bug bounties back then?

Fredrik: It varied. People in Silicon Valley know about this as that’s kind of where this entire industry started. But over here in Sweden, it was unheard of that this was even a possibility. For example, a friend’s friend of mine happens to work for the Swedish Police and I told him about the Dropbox hacking event which I attended in Singapore, and his response was, “What? You can’t do that? That’s criminal.” I said, “No, no, no, you missed the point.” I had to elaborate a bit on what bug bounty is and so forth.

Laura: In our bubble of Infosec, everyone knows what a bug bounty is or what responsible disclosure is, but outside of this immediate bubble, it is not that obvious. What is your short description of bug bounties?

Fredrik: Bug bounty is freelance penetration testing in a way. Anyone on the Internet can go to a company, find a vulnerability and have a streamlined process of reporting it to the company. If it’s a unique vulnerability and you are the first one to submit it, then you get a monetary reward at the end. Now we have platforms and marketplaces to facilitate this among vendors and researchers such as Bugcrowd, HackerOne and Synack.

Laura: Yes and bug bounties are offering a [monetary] reward in exchange for the vulnerability report or swag.

Responsible Disclosure Policy – that’s all it takes:

Laura: These bug bounties have basically lifted hackers out of the darkness, and now hackers can actually talk about what they have found. They can disclose it, depending on the program. It’s also shedding a more positive light on hackers.

Fredrik: Indeed. But I think it’s quite important to speak a bit about Responsible Disclosure programs as well, since it’s basically the first stepping stone to do something like this. It could be as simple as having an email address or a contact form where someone can submit vulnerability information. That’s all it takes.

More often than not, you (an ethical hacker) know it yourself that there are vulnerabilities all over the place, but it can be quite tricky to report it.

And you (application owner), you don’t always have to offer swag or money. You just have a channel to accept it.

Laura: A common practice out there is putting a security.txt file in your domain so that people find the contact information of your security personnel there for reporting.

Is this the minimum thing that a company should do in terms of Responsible Disclosure?

Fredrik: Security.txt is a very good starting point. With that, you can set up a dedicated security email address (to receive reports).

Laura: So you don’t need to go on a commercial bug bounty platform and open a program there?

Fredrik: No, I think that should come a bit later once you have matured your security processes, so you know what you get basically. It can be quite overwhelming if you go directly to one of these platforms, open a bug bounty publicly to the world because everyone will start reporting straight away.

Laura: Do you think that a company who enlists in a public program will get a ton of reports right from the get-go?

Fredrik: More in the beginning, and then it should probably slow down.

Laura: Would it make sense then to do some kind of security assessment before that?

Fredrik: Yes. I think you should only start with a Responsible Disclosure Policy. 

Once you’ve had your pentest reports, some automated scanning and an organization that can handle the security reports, then you should consider a Responsible Disclosure Policy or a private bug bounty program. After that, you could make it public.

Laura: Do you feel that offering a bug bounty program is appropriate for all sorts of companies out there?

Fredrik: Yes, I think so as long as you have some kind of online presence. But it has to be something technical. It’s quite hard to have a bug bounty otherwise. Even manufacturers of hardware, for example, are growing with IoT applications. These could open up as bug bounty programs.

Laura: Yeah. I’m just trying to think of something that wouldn’t have an online presence these days.

Fredrik: But Everything has, right?

Laura: Yeah. Everything has at least a company website, if nothing else.

Fredrik: Exactly. You always have something important to your business and you can probably make a bounty program around that. Ask yourself what you are trying to protect. Say you are Dropbox. The most sensitive things would be your users and their files, right? If you’re Apple, well, it’s basically everything, that’s a bad example I guess. For a bank, it’s probably the money.

So then it doesn’t really matter if it’s only one domain. That’s the scope for your program. You should really try to think about this, “what am I trying to protect?” and make a policy thereafter.
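The security.txt file Laura and Fredrik discuss is standardised in RFC 9116: it lives at /.well-known/security.txt, must carry at least one Contact URI and exactly one Expires timestamp, and should point at https:// resources. The block below is an added example rather than anything from the podcast or from Detectify's tooling: a small parser and validator that flags the mistakes most often seen in practice (expired file, duplicate Expires, plain-http links, malformed lines). The SAMPLE file, the example.com addresses and the fixed "now" timestamp are constructed for the demonstration.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Field rules from RFC 9116; the file itself belongs at /.well-known/security.txt.
REQUIRED = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")
HTTPS_ONLY = ("Acknowledgments", "Canonical", "Hiring", "Policy")
KNOWN = REQUIRED + HTTPS_ONLY + ("Encryption", "Preferred-Languages")

SAMPLE = """\
# Constructed example of /.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T12:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, sv
Canonical: https://example.com/.well-known/security.txt
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map field name -> values; lines that are not 'Name: value' land under '_malformed'."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            fields.setdefault("_malformed", []).append(raw)
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _parse_rfc3339(value: str) -> datetime:
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def validate_security_txt(text: str, now: str | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks.

    `now` is an ISO 8601 timestamp, injectable so results are reproducible;
    it defaults to the current UTC time.
    """
    current = _parse_rfc3339(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"malformed line: {line!r}" for line in fields.pop("_malformed", [])]
    problems += [f"missing required field {n}" for n in REQUIRED if n not in fields]
    problems += [f"{n} must appear at most once" for n in SINGLE_VALUED
                 if len(fields.get(n, [])) > 1]
    problems += [f"unknown field {n}; extensions are allowed, so check the spelling"
                 for n in fields if n not in KNOWN]
    for uri in fields.get("Contact", []):
        if not uri.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact should be a mailto:, https:// or tel: URI, got {uri!r}")
    for name in HTTPS_ONLY + ("Encryption",):
        for uri in fields.get(name, []):
            if uri.startswith("http://"):
                problems.append(f"{name} must use https://, got {uri!r}")
    for value in fields.get("Expires", []):
        try:
            expires = _parse_rfc3339(value)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
            continue
        if expires <= current:
            problems.append(f"file expired at {value}; researchers will treat it as stale")
        elif expires - current > timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE) or ["no problems found"]:
        print(problem)
```

An expired file is the most common real-world failure: it is easy to publish once and forget, and an out-of-date Expires tells a researcher the contact channel may no longer be monitored, which undoes the whole point of having one.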

Setting the scope of your disclosure program:

Laura: You mentioned “Scope”, and the scope in a bug bounty program is defined by the company and it can be a domain or source code or some device.

Fredrik: Yes, it’s usually along those lines. It’s one or several domain names that can be mobile apps, GitHub repositories, etc. If it’s a hardware manufacturer, it could be their devices to sell to consumers. There are a lot of blockchain companies that would be attacking the blockchain technology itself.

Laura: What is the best scope for you as a bug hunter?

Fredrik: For me privately, the bigger scopes the better. Being a security researcher, you have a bit of an arbitrage. The more things that are exposed and that you can audit, the more things will break, as simple as that. The bigger the company, the easier it is in my opinion, and that’s because a bigger scope means more critical vulnerabilities and that’s more business impact. So it will help you as a company even more.

Laura: So what happens if you go outside of a scope in a bug bounty program?

Fredrik: That really depends on the organization. What really matters in a bug bounty program is the business impact that an outsider can have. So unless something is explicitly out of scope, it could be fine to report a vulnerability if it has a proven impact.

That’s my take on it. Although that could also be considered scope creeping if you do this.

Laura: What is scope creeping?

Fredrik: You go a bit out of scope and in again. For example, if you find something on Adobe and you go outside to some local subsidiary or something and then back into scope. More often than not, it’s generally accepted on these live hacking events. 

Laura: Maybe at the live hacking events, the overall environment is easier to control than hacking otherwise.

Fredrik: In these events, they collect a group of people to hack a company over a day or two in person. Then you have all the stakeholders at one place they can communicate about it.

Laura: Do some security researchers not report something if it’s out of scope and if it’s not that critical?

Fredrik: 100%. I really believe so. For example, Open Redirect is no longer on the OWASP Top 10. Finding an open redirect somewhere on a subdomain that might be explicitly out of scope and while you know it’s there, you wouldn’t report it with the risk of losing a score or a reputation or what-not on one of these platforms.

But at the same time, if they have OAuth and it’s misconfigured, I can use it to do some kind of authentication bypass or steal some sensitive tokens. Then all of a sudden you’re out of scope, then go in again, and you might have an account takeover and that would be usually considered critical.

And that companies would accept.

Laura: So it really depends on the impact and if you can demonstrate the impact.

Fredrik: Exactly. That’s, I think that’s the moral of the story. It’s the impact that matters. You need a proof of concept. Otherwise it’s kind of a void report.

Laura: Yeah. Because I used to work as a pentester and during an assignment you have limited time as well, so you don’t always have to provide the proof of concept. Pentesters look at it from a wider angle and they can see white box, the infrastructure, the servers and so on. So for me, it’s interesting how impact-driven the bug bounty community is. It’s a good thing.

Bug bounty is a growing industry

Laura: Bug Bounties have become a big industry but it has also gotten some criticism or scrutiny over how many active researchers there actually are, like this Dark Reading article by Robert Lemos on how bug bounties continue to rise. But the market has its own 1% problem

It’s kind of like the same as being a professional in anything, like a professional basketball player. And I think that was also something that was said here in Lemos’ article that was most likely a quote from Mårten Mickos that not everyone is going to succeed. And then there’s a group who succeed and are really, really good at what they do.

Fredrik: Right. A lot of people are drawn into what they see on Twitter and the media that bug bounty is a growing thing. People go around on these live events where it’s an open environment and everyone always finds something critical, which is true. But to get there, that’s the hard part.

A vast majority might not have a professional take on how to report vulnerabilities, and then it might be people like yourself coming from pentesting background without experience on the same style of reporting.

Laura: … And having all of them rejected.

Fredrik: That’s the thing, right? If you go in with the mindset of a pentester, then I don’t think you would grasp it well, and it probably would be a bit discouraging. And once you get the grasp of it, then you need it to beat the rest that are in the game with vulnerabilities that will be accepted. So I think it could be a steep curve to get into.

Laura: You have been active since 2013 so you’re well ahead of people who are only starting out now. What are tips you have for beginners when trying out bug bounties?

Fredrik: Learn by doing. Submit reports and see how it works, and when it works. There are a lot of good resources out there and streamers that speak about how to do bug bounty, and educate people on what to look for.

Laura: What do you recommend?

Fredrik: I’m going to be a bit biased here, and recommend our fellow coworker, TomNomNom. I also like STÖK, a Swedish researcher.

Anything that Bug Bounties aren’t good for?

Laura: What is something that bug bounties are not really good for?

Fredrik: It’s not a silver bullet to your security. It’s a nice addition to an already quite mature organization in terms of security. It’s the many-eyes principle meaning you have more people looking and trying to break something – and someone will eventually be able to do that. 

If you start a bit premature with doing bug bounties as a company, chances are that it will be a bad experience for researchers. For example, it sucks for me if I report a vulnerability and it gets flagged as a duplicate. I’m probably not the first one to be flagged as a duplicate.

Laura: Or if the companies are slow to respond?

Fredrik: Yes. It must be horrible for the company as well. They get an overwhelming amount of reports as they can’t act on it fast enough, so then it’s not nice for anyone.

Start with private and then slowly expand the scope and amount of people that participate in your program and have it as an addition.

Laura: It’s a good way of getting rid of those low hanging fruit and understanding what you’re exposing there?

Fredrik: No, on the contrary. The bug bounty community will find all of it. They will find the XSS’s. If you can’t fix the XSS fast enough, then you will have a problem.

Laura: You will have multiple reports on the same XSS.

Fredrik: Yes, you will. The best researchers tend to go for more creative vulnerabilities and you want them to be looking deep into your system and catching hard-to-find things.

Laura: Do you think that all companies get equal treatment from bug bounty hunters as well?

Fredrik: No, I don’t think so. It’s absolutely a monetary interest. There are more and more companies joining these platforms, and there’s a limited amount of researchers that provide value. So then you have to compete with other programs to have researchers look at your stuff.

Researchers like big scopes

Laura: We’ve had multiple takeaways for our listeners in this episode already, but do you have any like one big takeaway for our listeners?

Fredrik: If you’re a company, start small, then expand. Researchers love big scopes, so try to reach that eventually. 

If you’re starting off with bug bounty hunting, don’t give up too soon. It takes time and practice to get into this, but it’s not impossible. Anyone can do it. Really. It’s just problem-solving.


Did you like the highlights of this episode? Check out the full episode in the web player. It’s also available on Spotify, Apple Podcasts, Google Podcasts or another preferred podcast platform.

——

Keeping up with the fast pace of web security is a challenge if you are only relying on standard CVE libraries and annual security checks. Detectify works with some of the best ethical hackers in the world to deliver security research and modules from the forefront of security, so you can stay on top of emerging threats. Interested in giving Detectify a go? Start your 14-day free trial today.


macOS JPG File Padding Bug More Pervasive Than Originally Thought

Earlier this week we reported on a bug in Apple’s macOS Image Capture app that adds empty data to photos when imported from iOS devices, potentially eating up gigabytes of disk storage needlessly. Today, we’re hearing that the bug in macOS 10.14.6 and later is a lot more extensive than was initially believed.


NeoFinder developer Norbert Doerner, who originally discovered the bug, informed MacRumors that the same issue affects nearly all Mac apps that import photos from cameras and iOS devices, including Adobe Lightroom, Affinity Photo, PhaseOne Media Pro, and Apple’s legacy iPhoto and Aperture apps.

The reason is that the bug lives inside Apple's ImageCaptureCore framework, the part of macOS that third-party developers must go through to talk to digital cameras and iOS devices, so every app built on it inherits the fault. The only app said to be unaffected is Apple's own Photos app, which uses other, undocumented APIs to talk to iOS devices.

Essentially, the pervasive Mac bug causes HEIC files imported from iOS devices and converted to JPG to have more than 1.5MB of empty data appended to the end of each file, so the wasted space grows in direct proportion to the number of photos imported: roughly 1.5MB per file, or 1.5GB per thousand. As an example, Doerner said he found more than 12,000 JPG files in his own photo library carrying this extra unwanted data, amounting to over 20GB of wasted disk space.

Hex data of a JPG file viewed using Hex Fiend

Apple is apparently aware of the bug, but until a patch arrives, one short-term workaround for future transfers is to stop your iPhone or iPad from capturing in the HEIF format in the first place, so that nothing needs converting on import: launch the Settings app, select Camera -> Formats and check Most Compatible. This only helps with new photos; files already transferred keep their padding.

For users with large existing photo libraries, Doerner has suggested using a new beta version of the third-party utility Graphic Converter, which includes an option to remove the unwanted empty data from the JPEG files.

Alternatively, media asset management app NeoFinder is itself being updated on Monday to include a tool that can find and eliminate the unwanted data in JPG files. NeoFinder for Mac costs $39.99 and a free trial is available to download on the developers’ website.


Newly Discovered macOS Image Capture Bug Can Fill Up Hard Drives With Empty Data

A bug has been discovered in Apple’s macOS Image Capture app that needlessly eats up potentially gigabytes of storage space when transferring photos from an iPhone or iPad to a Mac.

Discovered by the developers of media asset management app NeoFinder and shared in a blog post called “Another macOS bug in Image Capture,” the issue occurs when Apple’s Mac tool converts HEIF photos taken by iOS to more standard JPG files.

This process happens when users uncheck the "Keep Originals" option in Image Capture's settings, which converts the HEIC files to JPG as they are copied to the Mac. However, the app also inexplicably appends 1.5MB of empty data to every single file in the process.


“Of course, this is a colossal waste of space,” said the NeoFinder team, “especially considering that Apple is seriously still selling new Macs with a ridiculously tiny 128 GB internal SSD. Such a small disk is quickly filled with totally wasted empty data.

“With just 1000 photos, for example, this bug eats 1.5 GB off your precious and very expensive SSD disk space.”

NeoFinder’s developers say they discovered the bug by “pure chance” when working on improving the metadata capabilities of NeoFinder using a hex editor, and provided an example shot of what the end of individual JPG files look like in hex, post-transfer.

Hex data of a JPG file viewed using Hex Fiend

MacRumors was also able to replicate the issue in macOS 10.14.6 and later using an online hex editor. It’s worth noting that the bug only occurs when transferring photos from Apple devices, not when importing photos from digital cameras using Image Capture.

NeoFinder’s team says it has notified Apple of the bug, and the developers suggest anyone plagued by the issue can try using a new beta version of the third-party utility Graphic Converter, which includes an option to remove the unwanted empty data from the JPEG files.
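A way to check a photo library for the symptom both of these reports describe (an intact JPEG with empty bytes glued on after its end), as an added example that is not MacRumors', NeoFinder's or GraphicConverter's code. It walks the JPEG marker segments to find the real end-of-image marker (FF D9) instead of searching for those two bytes, and treats only an all-zero trailer as the bug's signature. The sample file and its 1,500,000-byte zero trailer are constructed inline; the `.jpg`/`.jpeg` directory scan and its `--fix` switch are this example's own interface, not a tool the page mentions.

```python
# Added example (not MacRumors', NeoFinder's or GraphicConverter's code): locate the real
# end-of-image marker by walking JPEG segments, then strip an all-zero trailer after it.
import struct
import sys
from pathlib import Path

EOI, SOS = 0xD9, 0xDA
RST_FIRST, RST_LAST = 0xD0, 0xD7


def _skip_entropy_coded(data: bytes, pos: int) -> int:
    """Advance past scan data, where FF is always followed by 00 (stuffing) or an RSTn."""
    while True:
        idx = data.find(b"\xff", pos)
        if idx == -1 or idx + 1 >= len(data):
            raise ValueError("truncated JPEG: scan data never ends")
        nxt = data[idx + 1]
        if nxt == 0x00 or RST_FIRST <= nxt <= RST_LAST:
            pos = idx + 2  # still inside the scan
        elif nxt == 0xFF:
            pos = idx + 1  # fill byte; look again from the next FF
        else:
            return idx  # the FF of the next real marker


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past EOI. Walking segment lengths, instead of searching for FF D9,
    means an Exif thumbnail's own FF D9 or one inside appended junk cannot fool us."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while True:
        if pos >= len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # fill bytes before a marker
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated JPEG: no marker after fill bytes")
        marker, pos = data[pos], pos + 1
        if marker == EOI:
            return pos
        if pos + 2 > len(data):
            raise ValueError("truncated JPEG: segment length missing")
        pos += struct.unpack(">H", data[pos:pos + 2])[0]  # length counts itself
        if marker == SOS:
            pos = _skip_entropy_coded(data, pos)


def looks_like_image_capture_padding(data: bytes) -> bool:
    """True for a non-empty trailer of nothing but zero bytes, the symptom reported.
    A non-zero trailer (some devices store real data after EOI) is left alone."""
    trailer = data[jpeg_end_offset(data):]
    return len(trailer) > 0 and not trailer.strip(b"\x00")


def strip_padding(data: bytes) -> bytes:
    """The JPEG without its zero trailer, or unchanged if it has none."""
    return data[:jpeg_end_offset(data)] if looks_like_image_capture_padding(data) else data


def scan_tree(root: str, fix: bool = False) -> dict:
    """Map each padded .jpg/.jpeg under root to its trailer size; rewrite in place if fix."""
    affected = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".jpg", ".jpeg"}:
            continue
        data = path.read_bytes()
        try:
            padded = looks_like_image_capture_padding(data)
        except ValueError:
            continue  # not a parseable JPEG: never rewrite it
        if padded:
            affected[str(path)] = len(data) - jpeg_end_offset(data)
            if fix:
                path.write_bytes(strip_padding(data))
    return affected


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a valid marker skeleton, not a decodable picture. APP1 carries an
# Exif "thumbnail" with its own SOI/EOI, and the scan data holds a stuffed FF 00 and a
# restart marker; a naive FF D9 search would stop at the thumbnail (offset 16).
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE1, b"Exif\x00\x00" + b"\xff\xd8\xff\xd9")
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    + b"\xff\xd9"
)  # 68 bytes
PADDED_JPEG = SAMPLE_JPEG + bytes(1_500_000)  # the reported 1.5 MB of empty data

if __name__ == "__main__":
    found = scan_tree(sys.argv[1], fix="--fix" in sys.argv)
    for p, n in found.items():
        print(f"{n:>10} trailing zero bytes  {p}")
    print(f"{len(found)} padded files, {sum(found.values()) / 2**20:.1f} MiB recoverable")
```

Run it as `python3 jpeg_padding.py ~/Pictures` for a dry-run report and add `--fix` to rewrite the affected files in place; since it overwrites originals, point it at a backup or a copy first. Two design choices matter here: the segment walk, because both an embedded Exif thumbnail and the appended junk itself can contain the FF D9 byte pair, so neither `find` nor `rfind` gives the right answer; and the all-zero test, because some cameras and phones legitimately store extra data after EOI, and cutting every trailer would corrupt those files rather than repair them.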
