textarea placeholder bug in Firefox


Screenshot - the text is rendered on a single line

The new Firefox is out! Powered by the ludicrous-speed quantum engine - it really is a marvel to behold. Unfortunately, there's a rather annoying bug in the way it renders placeholder text. Consider the following HTML:

    <textarea placeholder="In loving memory of Buffy Anne Summers She saved the world A lot..."></textarea>

This should render a textarea (a multi-line input box) pre-filled with placeholder text. The text should be over multiple lines. Instead, it renders like this: Is that …


Bug with Google Pay and Amex


It is impossible to contact large companies to report a bug in their software. So I'm reduced to writing snarky blog posts about it in the vague hope that a Social Media Manager will see the issue and raise it with the appropriate team. Welcome to 2017! Google Pay now supports American Express cards in the UK. Hurrah! But if you try to ring Amex from within the app - a problem occurs. Can you spot what it is? The country code should be +44. For some reason, it's missing the +. It…


Google's AMP is a gilded cage


AMP is Google's attempt to re-fight the transcoding wars of the early 2000s. It is actively dangerous to the web ecosystem, helps disseminate propaganda, and is disliked by many users. If, like me, you made the mistake of trying out AMP on your website - you're in a tricky position if you try to remove it. Google doesn't like anything leaving its clutches. After a few weeks of AMP, I decided that it wasn't suitable for me. So I uninstalled the WordPress plugin. That's when the problems…


Full Disclosure - This Bluetooth tag is leaking your personal data


If you have a TinTag, your location is being broadcast without encryption! Earlier this year I purchased and reviewed the TinTag. I've spent the last month trying to get hold of the company to report a serious privacy problem with their Android app. I've not received an adequate response, so I'm publishing this post to let affected users know about the issue. The TinTag is a BLE tracker. It's designed to attach to your keys or bag. An app on your phone can send a message to the tag,…


Disclosed - Lifx Security Issue


I love my Lifx Bulbs. They're a quick and easy way to retrofit Internet connected goodies into a smart-home. One of the best things about them is their open API. Sure, you can use IFTTT if you want something easy - but us 1337 hax0rs want an API and Lifx provides it. The API is pretty secure - good use of OAuth and tokens to make sure whatever you're building is resistant to infiltration. I mean, imagine if someone hacked your lightbulbs and ... err... switched off the light while you were …


Responsible Disclosure - XSS Flaw at LetsSaveMoney.com


Another day, another bug! LetsSaveMoney.com is a "money saving" site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing. Links removed, because the site has disappeared. My Trade Union, Prospect, has just launched a white-labelled "Members' Rewards" based on LetsSaveMoney - that's how I came across this bug. It's a depressingly familiar story - do a search which includes some HTML and watch it being echoed back to the user. Once you…


Google Play Won't Accept PayPal


Hey kids! Did you know that the best way to report bugs to Google is via passive-aggressive blog posts? Yup, s'true. They don't offer support for any of their products*, so your only hope is getting your complaint to the top of Reddit / HackerNews / Cool Site of the Day and hoping that particular Google Product Manager is taking note. So - here's my rant :-) Google now let you pay for apps and games using PayPal. Well, I've got a bunch of credit left over in an old PayPal account, so I…


How Not To Manage Email Subscriptions - Apple


As with most tasks in life, there are two paths you can go by - the easy way, or the right way. Sadly, many of us choose the easy way which, in the long run, means more work for us all. Take, for example, the seemingly dull task of email unsubscription. A developer wants to make it easy for a user to unsubscribe from an email newsletter. They want to place an unsubscribe link at the bottom of an email, a user can click on it, be taken to a web page, then confirm her unsubscribe. Let us…


Samsung Lock Screen Security Flaw


Photo of a finger tapping at a Samsung screen.

Here's a rather nifty security flaw I discovered on Samsung's Android 4.1.2. It allows you - in limited circumstances - to run apps and dial numbers even when the device is locked.

This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed.

Notes

HOWTO

1. Lock the device with a "secure" pattern, PIN, or password.
2. Activate the screen.
3. Press "Emergency Call".
4. Press the "ICE"…


Samsung Copy & Paste Bug (AKA Never Trust Samsung)


Samsung phones crash if you use copy & paste more than 20 times. http://t.co/2OnBwo86 Shockingly bad engineering. — Terence Eden is on Mastodon (@edent) February 20, 2013

Sounds crazy, doesn't it? If you copy and paste text more than 20 times, your phone will restart! Some people have reported more severe crashes than that - but for me it is only (!) a soft restart. This affects the Galaxy Note II, as well as the SIII and Note tablet. Other Samsung products may also be broken in this m…
