Also Microsoft's Master Key and Kimmel's Compliance Issue
The World's Most Valuable Photo Copier Mishap
Apple, a trillion-dollar company, appears to have run into a classic first-day-of-internship problem: a file copy operation that occasionally deletes the source file and corrupts the destination. Ruby core developer Aaron Patterson detailed how the Photos application sometimes corrupts image files, both RAW and JPEG, while importing them from a camera. The mechanism appears to be an interaction between the import pipeline and the "delete photos after import" checkbox, which turns out to be the digital equivalent of trusting a hungry squirrel with your lunch money.
Mr. Patterson recounts losing nearly thirty percent of his photos from a family wedding to this non-deterministic corruption bug; he later determined the issue was not his hardware but Apple's software, which somehow alters the file contents after an apparently successful import, even though the original on the SD card was perfectly fine. The problem has the distinct smell of a concurrency bug: the app tries to delete the file, copy the file, merge the file, and probably index it into a thousand cloud-based filing cabinets, all in the same nanosecond. Perhaps the company should pivot from "It Just Works" to "It Mostly Works, But Please Do Not Check That Box."
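What a "delete after import" pipeline should look like, as an added example that is not Apple's Photos code and makes no claim about how Photos is implemented: the copy goes to a temp file, is fsynced, is hashed against the source, and only then is renamed into place and the source removed. The `post_copy` hook, `clobber_header` step and the fake "SD card" in `demo()` are constructed for this illustration so the corruption described above can be simulated and shown to be caught before anything destructive happens.

```python
import hashlib
import os
import shutil
import tempfile

# Added example, not Apple's Photos code: an import routine that commits the
# destructive step (deleting the source) only after the copy has been fsynced
# and its hash matches the source. The `post_copy` hook is a hypothetical
# stand-in for whatever touches the file after the copy (indexer, metadata
# rewrite) so the article's failure mode can be simulated.


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def import_file(src, dst_dir, delete_source=False, post_copy=None):
    """Copy src into dst_dir. Returns (status, dst_path).

    status: "imported" -> verified, source deleted (delete_source=True)
            "kept"     -> verified, source left in place
            "corrupt"  -> post-copy bytes differ from source; nothing committed
    """
    os.makedirs(dst_dir, exist_ok=True)
    src_hash = sha256_of(src)
    final = os.path.join(dst_dir, os.path.basename(src))
    # Copy into a temp file in the same directory so the final os.replace is atomic.
    fd, tmp = tempfile.mkstemp(dir=dst_dir, prefix=".import-")
    os.close(fd)
    try:
        shutil.copyfile(src, tmp)
        with open(tmp, "rb+") as f:
            os.fsync(f.fileno())  # bytes on disk, not just in the page cache
        if post_copy is not None:
            post_copy(tmp)        # simulated indexing / metadata step
        # An import must be byte-for-byte; any difference means the pipeline
        # altered the file and the source must not be touched.
        if sha256_of(tmp) != src_hash:
            os.unlink(tmp)
            return ("corrupt", None)
        os.replace(tmp, final)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    if delete_source:
        os.unlink(src)            # only reached after verification succeeded
        return ("imported", final)
    return ("kept", final)


def clobber_header(path):
    """Simulated misbehaving post-copy step: overwrites the first 16 bytes."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * 16)


def demo():
    """Constructed 'SD card' with two files; one is mangled by the simulated
    post-copy step. Returns the outcomes so they can be checked."""
    root = tempfile.mkdtemp()
    card = os.path.join(root, "DCIM")
    library = os.path.join(root, "Library")
    os.makedirs(card)
    good = os.path.join(card, "IMG_0001.RAW")
    bad = os.path.join(card, "IMG_0002.JPG")
    for p in (good, bad):
        with open(p, "wb") as f:
            f.write(os.urandom(64 * 1024))  # constructed sample image bytes
    good_hash = sha256_of(good)
    good_status, good_dst = import_file(good, library, delete_source=True)
    bad_status, _ = import_file(bad, library, delete_source=True, post_copy=clobber_header)
    return {
        "good": good_status,
        "good_copy_matches": sha256_of(good_dst) == good_hash,
        "good_source_intact": os.path.exists(good),  # False: deleted after verification
        "bad": bad_status,
        "bad_source_intact": os.path.exists(bad),    # True: deletion refused
        "bad_in_library": os.path.exists(os.path.join(library, "IMG_0002.JPG")),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering is the whole point: verify, then rename, then delete. A pipeline that deletes on "copy returned without error" and lets an indexer rewrite the destination afterwards has no step at which it could notice that the only surviving copy is now wrong.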
Microsoft Left the Master Key Taped to the Bottom of the Keyboard
In what is being called the "One Token to Rule Them All" vulnerability, security researcher Dirk-jan Mollema discovered a flaw in Microsoft Entra ID, formerly Azure Active Directory, that could have allowed an attacker to gain Global Administrator access to essentially every tenant in the world. The issue centered on undocumented, internal-only "Actor tokens" and a critical, apparently unmonitored, validation flaw in the legacy Azure AD Graph API. Think of it as Microsoft building a skyscraper with a perfectly locked front door and then forgetting to remove the rusty back-alley service entrance that accepts any employee's ID card as the master key.
The tokens in question, which Microsoft uses for its own service-to-service delegation, were accepted by the legacy API without validating the tenant of origin, meaning a token obtained in an attacker's own test tenant could be used to impersonate a Global Admin in any other customer's tenant. Worse still, this bypassed all the sophisticated security we are constantly told to pay for: Conditional Access and Multi-Factor Authentication never came into play, and the victim tenant's audit logs were effectively blind to the whole thing. Microsoft fixed the issue rapidly and issued CVE-2025-55241, but the episode confirms the core principle of enterprise IT: all major security crises are the result of a single, forgotten, dusty service account.
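The missing check, reduced to its essence, as an added example: this is a deliberately simplified model of tenant-scoped service-to-service tokens, not Microsoft's Actor token format and not Entra ID or Azure AD Graph code. The HMAC key, claim names (`tid`, `sub`, `roles`, `exp`) and the `GlobalAdmin` role string are assumptions for the demo. The `authorize_legacy` path verifies the signature and role but ignores which tenant is being accessed; `authorize_hardened` binds the token to that tenant, which is the difference between "valid token" and "valid token for this tenant".

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, a deliberately simplified model of tenant-scoped
# service-to-service tokens. It is not Microsoft's Actor token format and not
# Entra ID / Azure AD Graph code; the key, claim names and role string are
# assumptions for the demo. The point it shows: a resource that validates the
# signature but never binds the token to the tenant being accessed is
# cross-tenant by construction.

ISSUER_KEY = b"hypothetical-shared-issuer-key"  # assumption: HMAC key of the demo issuer


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())


def mint_token(tenant_id, subject, roles, ttl=3600, now=None):
    """Issuer side: a signed token carrying the tenant (tid) it was minted for."""
    claims = {
        "tid": tenant_id,
        "sub": subject,
        "roles": list(roles),
        "exp": int((now if now is not None else time.time()) + ttl),
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def parse_token(token):
    """Verify the signature and return the claims; raise on tampering."""
    body, sig = token.split(".", 1)
    if not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


def authorize_legacy(token, target_tenant):
    """Legacy resource: checks signature and role only. target_tenant is
    ignored, so a token minted for any tenant is accepted for every tenant."""
    claims = parse_token(token)
    return "GlobalAdmin" in claims["roles"]


def authorize_hardened(token, target_tenant, now=None):
    """Hardened resource: also binds the token to the tenant whose data is
    requested and rejects expired tokens."""
    claims = parse_token(token)
    if claims["tid"] != target_tenant:      # the check the legacy path lacks
        return False
    if claims["exp"] <= (now if now is not None else time.time()):
        return False
    return "GlobalAdmin" in claims["roles"]


def retarget_without_resigning(token, new_tenant):
    """Attacker attempt: rewrite tid in the body without the issuer key."""
    body, sig = token.split(".", 1)
    claims = json.loads(_unb64(body))
    claims["tid"] = new_tenant
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"


def demo():
    """Attacker mints a legitimate token in a tenant they control and replays
    it against a victim tenant. Returns the decisions of both resource versions."""
    attacker_token = mint_token("attacker-tenant", "svc-backup", ["GlobalAdmin"])
    forged = retarget_without_resigning(attacker_token, "victim-tenant")
    try:
        parse_token(forged)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return {
        "legacy_accepts_cross_tenant": authorize_legacy(attacker_token, "victim-tenant"),
        "hardened_accepts_cross_tenant": authorize_hardened(attacker_token, "victim-tenant"),
        "hardened_accepts_own_tenant": authorize_hardened(attacker_token, "attacker-tenant"),
        "forged_tid_passes_signature": forged_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the attacker never needs to forge anything: the replayed token is genuinely valid, minted by the real issuer for a tenant the attacker legitimately controls. Signature checks cannot catch that; only the resource comparing the token's tenant with the tenant it is about to serve can. The same pattern applies to any multi-tenant API that accepts platform-issued credentials.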
WASM 3.0 Ships, FCC Halts Late Night
The WebAssembly Community Group has finalized and published the specification for WASM 3.0, a major update that nobody in the C-suite will understand but which we will all be using for everything from spreadsheets to crypto scams within the year. The standards body has signed off on the new version of the binary instruction format for the web's virtual machine. This means the committee has done its job for the quarter; they can now go back to arguing about semicolons until the 4.0 process begins.
Meanwhile, the corporate compliance wing of ABC has decided to pull Jimmy Kimmel Live indefinitely after a threat of enforcement action from Federal Communications Commission Chairman Brendan Carr. The controversy stems from a monologue segment in which Kimmel made remarks about political commentator Charlie Kirk. This is not a censorship issue; it is a content review failure. The corporate lawyers simply realized they had allowed an unauthorized conversation in a designated safe space and pulled the whole production before the fine arrived. They are treating a highly-rated television program like an email attachment that failed the virus scan.
Briefs
- YouTube's Ad Blocker View Problem: YouTube addressed lower view counts that appeared to be caused by ad blockers. The department reports that when users refuse to look at the billboard, the billboard does not count them as a visitor. Simple metrics, really.
- Anthropic's Postmortem: The AI firm Anthropic published a postmortem of three issues, shortly after they irked the White House with new use limits on their models. The AI team broke something minor, fixed it, and then got an angry phone call from the biggest client in the world.
- Blender's CEO Transition: Ton Roosendaal is stepping down as chairman and CEO of Blender. The creative department is losing its most powerful champion; we will see who gets stuck with the graphic rendering budget next quarter.
COMPLIANCE & INCIDENT RESPONSE DRILL (MANDATORY)
The "One Token" Entra ID vulnerability allowed access across tenants because:
When importing photos, the Apple Photos app sometimes corrupts images. What was the confirmed root cause of the data corruption?
// DEAD INTERNET THEORY 45282482
The Apple Photos bug is a relief; I thought I was losing my mind, replacing all my cables and formatting three SD cards. It is nice to know a multi-billion dollar entity is just as confused as I am about basic file I/O. They should just stick to making charging cables that break when you look at them wrong.
Microsoft’s Entra ID 'one token' flaw is peak cloud architecture. Undocumented token, legacy API, cross-tenant access, no audit logs, bypasses MFA. It’s like a textbook on how to ensure that the eventual catastrophic failure is both absolute and completely untraceable. I'm filing a Jira ticket to switch us to a paper ledger.
The Kimmel thing is all a distraction. I don't care about their content compliance issue; I need to know why my new Asus gaming laptop keeps bluescreening because of a weird ACPI firmware bug. My frame rate is suffering. Prioritize the real problems, people.