A security researcher decompiled the White House’s new official app and found some alarming stuff buried in the code, including a hidden GPS tracking pipeline, JavaScript loaded from a random GitHub account, no SSL certificate pinning, and an in-app browser that silently strips cookie consent dialogs and paywalls from every page you visit.

    • Battle_Masker
      7 upvotes · 18 days ago

      Damn click bait economy making tech journalists have to jebait us for revenue

  • auntieclokwise@lemmy.world
    18 upvotes · 17 days ago

    And it gets even stranger. Apparently, the app is loading JavaScript from a random person’s GitHub site for YouTube embeds. Yes, you read that right, it’s just loading JavaScript from a random GitHub site. So if that account ever gets compromised, arbitrary code could run inside the app’s WebView.

    Somebody has the opportunity to do the most hilarious thing.
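
An added example, not part of the thread and not code from the app: a defender-side audit of the risk described in the comment above, listing scripts a page loads from hosts the publisher does not control and checking whether each is pinned by a Subresource Integrity (SRI) hash that still matches the served content. The host names, script bodies and the `FIRST_PARTY_HOSTS` allowlist are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the app's publisher controls (hypothetical name).
FIRST_PARTY_HOSTS = {"app.example.test"}

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity")))

def sri_digest(body: bytes) -> str:
    """SRI value in the form browsers expect: sha384-<base64 digest>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def audit(html: str, fetched: dict) -> list:
    """Return (src, finding) for each third-party script that is unpinned
    or whose served bytes (fetched[src]) no longer match the pinned hash.
    Only sha384 pins are checked in this sketch."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = urlparse(src).hostname
        if host is None or host in FIRST_PARTY_HOSTS:
            continue  # relative or first-party URL
        if integrity is None:
            findings.append((src, "third-party script without integrity pin"))
        elif sri_digest(fetched[src]) not in integrity.split():
            findings.append((src, "served content does not match pinned hash"))
    return findings

# Constructed sample: one first-party script, one unpinned third-party
# script, and one pinned script whose upstream content later changed.
ORIGINAL = b"function embed(){}"
CHANGED = b"function embed(){}/* modified upstream */"
UNPINNED = "https://someuser.example-pages.test/yt-embed.js"
PINNED = "https://cdn.example.test/player.js"
SAMPLE_HTML = f'''<script src="/static/app.js"></script>
<script src="{UNPINNED}"></script>
<script src="{PINNED}" integrity="{sri_digest(ORIGINAL)}" crossorigin="anonymous"></script>'''
SAMPLE_FETCHED = {UNPINNED: ORIGINAL, PINNED: CHANGED}
```

With a pin in place, a change to the third-party file makes the browser engine refuse to run it; without one, whatever the remote account serves is executed.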