668

Apple forgot to disable production source maps on the App Store web app (files.catbox.moe)

submitted 3 months ago by mudkip@lemdro.id to c/programmer_humor@programming.dev

65 comments fedilink hide all child comments

top 50 comments

sorted by: hot top new old

[-] bleistift2@sopuli.xyz 147 points 3 months ago* (last edited 3 months ago)

Depending on the exact level of stupidity clinging to the judge on that day, some jurisdictions might consider this “hacking.”

One case from the states that was luckily dismissed: https://uk.pcmag.com/security/136282/missouri-gov-goes-after-reporter-who-found-shockingly-bad-flaw-in-state-website https://www.vice.com/en/article/this-is-the-hacking-investigation-into-journalist-who-clicked-view-source-on-government-website/

[-] CHKMRK@programming.dev 11 points 3 months ago

Germany for example. There was just the Modern Solutions case and the ruling was that using a hex editor to get hardcoded MySQL passwords from a binary is considered hacking

[-] chazwhiz@lemmy.world 97 points 3 months ago

Isn’t that just effectively un-minified? It’s just the client side code in the first place?

[-] TeamAssimilation@infosec.pub 86 points 3 months ago

Comments and full-length names make the source way more accessible.

[-] RagingRobot@lemmy.world 4 points 3 months ago

Yeah but even then they should be writing secure code anyways so it doesn't matter if someone reads it. It's just ui code. It's always readable

[-] locuester@lemmy.zip 43 points 3 months ago

Nah it’s more complete with comments and all. Here’s a link to a random svelte file:

https://github.com/rxliuli/apps.apple.com/blob/main/src/components/pages/SearchResultsPage.svelte

[-] boonhet@sopuli.xyz 9 points 3 months ago

Huh, I hate doing front end but I feel like in this team I'd manage. Shit even has comments.

[-] Rusty@lemmy.ca 7 points 3 months ago

It's already down.

[-] locuester@lemmy.zip 6 points 3 months ago

This is why you self host a private Gitea instance and have it auto mirror all of your github repos.

I forked it, and my instance automatically grabbed me a forever copy.

[-] CodingCarpenter@lemmy.ml 16 points 3 months ago

Once the code is minified it's basically unreadable by humans it's useless this is far more readily available to anybody who may be curious about the work being done

[-] Bane_Killgrind@lemmy.dbzer0.com 8 points 3 months ago

Learning resource yeah.

[-] mr_satan@lemmy.zip 97 points 3 months ago

Security through obscurity is not security. I see no reason why source maps should be unavailable.

[-] entwine@programming.dev 74 points 3 months ago

Because source maps show how shitty your organization's code and overall engineering practices are.

[-] phoenixz@lemmy.ca 46 points 3 months ago

Ding ding ding

Open source code is usually quite nice and well done because money pressure is way less of an issue and everyone knows people will be looking at your code

[-] ulterno@programming.dev 22 points 3 months ago

If you look at the casual code that I have shamelessly made public on my GitLab, that might change your mind on that.

[-] Lifter@discuss.tchncs.de 10 points 3 months ago

That's probably also why development is usually really slow and most maintainers can't keep up/give up.

[-] SleeplessCityLights@programming.dev 17 points 3 months ago

Nope, it is simply because they are overwhelmed. Either it's too much work to do after your day job or just too much work for one person.

load more comments (1 replies)

[-] mack@lemmy.sdf.org 10 points 3 months ago

depends.

if we're talking about a personal website nobody will care. if you are a multibillion company and there's the risk that literally anyone can create a 1:1 clone of your services... yeah that's a bit of a trouble

[-] mr_satan@lemmy.zip 9 points 3 months ago

Omitting source maps doesn't prevent that.

[-] mack@lemmy.sdf.org 4 points 3 months ago

no it doesn't, and I am very aware that if anything runs on someone's computer then it can get replicated. but it gets slightly harder, also to reverse-engineer it or find potential fallacies. as well as source maps on prod are just a waste of bandwidth

load more comments (1 replies)

load more comments (2 replies)

load more comments (3 replies)

[-] QuazarOmega@lemy.lol 89 points 3 months ago

Copyrighted content

archived them

on GitHub

Idk man 🧐
Run the countdown to when it's taken down

[-] refalo@programming.dev 23 points 3 months ago* (last edited 3 months ago)

There's lots of content sitting just below the surface on github. Any time you make a PR on a repo, even if it gets closed or "deleted" by the repo owner, the actual link to the file itself stays there forever if you save it. Github's own dmca repo even has warez links on it, sitting there for years.

[-] QuazarOmega@lemy.lol 5 points 3 months ago

Oh that's cool, I had no idea! Though does that apply to content removed for DMCAs?

[-] refalo@programming.dev 4 points 3 months ago

Usually entire repos are disabled in that case. I've never tried to access hidden content on a DMCA-removed repo, but I assume it would not work.

[-] bluemellophone@lemmy.world 8 points 3 months ago* (last edited 3 months ago)

Yep, it’s got a DMCA takedown now

load more comments (1 replies)

load more comments (2 replies)

[-] dogs0n@sh.itjust.works 65 points 3 months ago

SVELTE 🥹 (im very happy to see svelte)

Also I'm scared that this person may be risking their github account by posting this, I dunno if it's legal to "distribute" apples website code yourself. If not, best hope they dont ban your whole account.

[-] mudkip@lemdro.id 18 points 3 months ago

we love svelte

[-] 87Six@lemmy.zip 14 points 3 months ago

I mean... They kinda distributed it themselves /s

[-] northernlights@lemmy.today 9 points 3 months ago

Or even sue them

[-] NotMyOldRedditName@lemmy.world 55 points 3 months ago

And now the source code is part of copilot

[-] kibiz0r@midwest.social 46 points 3 months ago

You’re supposed to disable source maps in prod?

Asking for a friend

[-] dreadbeef@lemmy.dbzer0.com 36 points 3 months ago

if you think your source code is that precious and unique and special, go ahead and worry about it haha

[-] dogs0n@sh.itjust.works 18 points 3 months ago

Just to save on wasted bandwidth for the client (and your server) is why I would disable them.

[-] brian@programming.dev 41 points 3 months ago

they're different files generally, the only client that will automatically request them is a debugger.

you turn them off because you don't want to expose your full source code. if you would be ok making your webpage git repo public then making sourcemaps available is fine.

[-] dreamkeeper@literature.cafe 6 points 3 months ago

I work for a large software corp and we generally keep them in prod because it makes debugging prod issues much easier. The browser only downloads them when the dev tools are open.

load more comments (1 replies)

[-] gravitas_deficiency@sh.itjust.works 30 points 3 months ago

Yo gimme a repo link, you can’t blueball us like that

[-] QuazarOmega@lemy.lol 30 points 3 months ago

Here it is https://github.com/rxliuli/apps.apple.com

[-] CannonFodder@lemmy.world 6 points 3 months ago

load more comments (1 replies)

[-] mmmac@lemmy.zip 28 points 3 months ago

Our international teams kept enabling sourcemaps and I just had devops lock the directory to vpn access only 🤷

I know sourcemaps aren't the end of the world as it's all client side code that lives on the clients computer but it just feels dirty

[-] 0x0@lemmy.dbzer0.com 28 points 3 months ago

Is this interesting for some reason?

[-] panda_abyss@lemmy.ca 50 points 3 months ago

It’s how the web worked before minifiers, so kinda but not really.

You just have comments and original variable/function names.

I’m sure someone will argue this helps scrapers or hackers, but really it’s not that big of a deal.

[-] Axolotl_cpp@feddit.it 10 points 3 months ago* (last edited 3 months ago)

It help users that make websites styles!

Eg. I have a discord style for fixing their bullshit

[-] dreamkeeper@literature.cafe 3 points 3 months ago

Anyone capable of doing damage already knows how to format and read minified code anyway. I do it in prod all the time when I want to test something with an override, which causes the source map to become invalid.

load more comments (1 replies)

[-] silt_haddock@lemmy.world 17 points 3 months ago

I’m gonna download this to my iPhone, just in case.

Try and stop me, Tim Apple!

load more comments (1 replies)

[-] oopsallnaps@piefed.ca 12 points 3 months ago

iirc Apple music's web ui also has sourcemaps, but I'm not subbed to apple music anymore to check. Its neat, but not really a huge blunder, nor takedown worthy.