apple_badger

tyler82 said:

Are you saying that it's not really an extended display- that the Mac's mouse doesn't travel over to the iPads display?

If you want it to be, it's exactly like using a second monitor. The mouse travels over just fine. It can do more than just be a second display, but if that's what you want it to be (as I do), that what it'll be for you. 

It's astounding how lag-free it is! (2017 MBP, 2018 11" iPad Pro) This is going to make some work when I'm travelling so, so much easier! 

For me, the magnetic attaching mechanism and Smart Connector of the Apple folio keyboard provide enough benefits to overcome their shortcomings of not having a backlight or function keys. I've never had a bluetooth keyboard for any of my iPads that hasn't given me just enough connection establishment/maintenance hassles to make working with it feel... ugh. 

If anyone ever makes a folio that combines backlighting and function keys with magnetic attachment and Smart Connector, I'd buy one in a second. 

"...As well as providing end-to-end encryption..."

Unless I'm missing something or the meaning of end-to-end has changed very recently, this service does not (and cannot) provide end-to-end encryption. 

lkrupp said:

AppleInsider said:

How, exactly, the vulnerabilities were exploited and by whom is unknown.

Both bugs were detailed in Apple documentation detailing security changes delivered with the iOS 12.1.4 package.

That’s the 64 Thousand Dollar Question.  Saying the bugs were exploited and explaining how are two different things. iOS is the Walled Garden so were apps downloaded from the App Store that did the exploit or were they confined to jailbroken iOS devices? 

Neither has to be the case: If the bugs are in iOS itself then *any* apps using the vulnerable code (if, for example, it’s in a library) have the potential to be the vector for exploitation. For example, if there is a security vulnerability in an image handling iOS library, any app that uses that library to deal with images can, if presented with a malicious image (let’s say hosted on a website), cause exploitation. I believe this has happened with both Safari and Messages in the past.

brianm said:

benji888 said:

This is bogus:

1) the person trying to steal your passwords has to first have access to your Mac.
2) he then ran some app to get your passwords...I’m guessing all this app does is enter your Mac’s password for the keychain items automatically and then extracts them and displays them all in a list, so, again, back to 1).
3) you can also lock keychain so that it has to be opened with a password, so they’d need not only your Mac’s password, but keychain’s password...this is not the default for keychain.

1&2) It can be chained with other exploits - zero-day, or known for older MacOS versions which this exploit affects. 3) try this, and see how long you can run with keychain staying locked, especially while browsing sites that require logins, apps during startup, etc...

Bingo! I always find it amazing at how dismissive people are about problems like this (on any platform). A single given bug may not be a problem for everyone, but bugs form links in exploit chains that very quickly become viable attack vectors. 

This looks like a reasonably concerning issue. I have no idea how the interaction between the researcher and Apple went or who's being the bigger asshat. The researcher's  behaviour seems unethical. Apple's bounty program is badly lacking as well. No cookies for anyone.