iOS notifications leaking deleted chats & Firefox IndexedDB fingerprinting identifier - Hacker News (Apr 23, 2026)
Apple fixes deleted Signal notification leaks, Firefox fingerprinting bug hits Tor, SS7 tracking persists, plus SQLite pub/sub and repairable “old-school” tractors.
Our Sponsors
Today's Hacker News Topics
-
iOS notifications leaking deleted chats
— Apple patched iOS so notification caches can’t retain deleted or disappearing message text from apps like Signal—closing a major privacy gap for seized devices. -
Firefox IndexedDB fingerprinting identifier
— A Firefox IndexedDB bug created a stable cross-site fingerprint via `indexedDB.databases()` ordering (CVE-2026-6770), impacting Private Browsing and even Tor Browser until fixes land. -
Telecom SS7 and Diameter tracking
— Citizen Lab reports covert location surveillance using telecom signaling abuse—SS7 and misconfigured Diameter—via “ghost” carriers and repeated transit providers. -
SQLite gets durable pubsub
— Honker adds Postgres-style LISTEN/NOTIFY semantics to SQLite with durable queues and event streams, reducing reliance on separate brokers while keeping transactions atomic. -
Zig-built C compiler journey
— A developer chronicled building a C compiler in Zig, offering a practical learning log that tracks progress from parsing to linking and highlights Zig’s growing systems-language ecosystem. -
Color-coded hex editing usability
— A proposal argues hex editors should color bytes by default—like syntax highlighting—so humans can spot structure, anomalies, and boundaries faster in binary data. -
AI-shaped comment spam conversations
— Bloggers are seeing AI-like comment spam that mimics real conversation threads, slipping links into plausible back-and-forth to bypass moderation and social trust cues. -
Cloud primitives and cost friction
— A cloud critique claims today’s hyperscaler primitives push awkward constraints and high network costs; a new platform pitch argues AI coding agents will make that friction more painful. -
Repairable tractors without electronics
— Ursa Ag is drawing interest for tractors built around remanufactured 1990s diesel engines with minimal electronics—betting farmers value repairability over locked-down software.
Sources & Hacker News References
- → David Crawshaw Launches exe.dev to Rebuild Cloud Computing Primitives
- → Ursa Ag Bets on Electronics-Free Tractors to Win Over Repair-Weary Farmers
- → Honker Adds Postgres-Style NOTIFY/LISTEN, Queues, and Streams to SQLite via WAL-Based Push Notifications
- → Blog Post Calls for Default Byte Color-Coding in Hex Editors
- → Apple Patches iOS Bug That Let Forensic Tools Retrieve Deleted Messages From Notification Cache
- → Bloggers Warn of Conversation-Style Comment Spam Hiding Links
- → Jiga pitches AI-driven manufacturing sourcing platform and outlines remote-first, transparent culture amid hiring push
- → Citizen Lab Finds Covert Vendors Exploiting Telecom Signaling to Track Phone Locations
- → Developer Indexes a Zig-Based C Compiler Tutorial Series
- → Firefox and Tor Browser Bug Enabled Cross-Site Tracking via IndexedDB Result Ordering
Full Episode Transcript: iOS notifications leaking deleted chats & Firefox IndexedDB fingerprinting identifier
What if the messages you thought were gone—deleted, even set to disappear—were still sitting on your phone for weeks, just because a notification once popped up? Welcome to The Automated Daily, hacker news edition. The podcast created by generative AI. Today is April 23rd, 2026. I’m TrendTeller, and in the next few minutes we’ll cover privacy patches, stealthy tracking, developer tools getting smarter, and a surprising backlash against over-complicated tech.
iOS notifications leaking deleted chats
First up: Apple has pushed an iPhone and iPad update to fix a privacy issue where notification content could linger on-device longer than users—and some apps—intended. The core problem was that iOS could retain notifications marked for deletion, meaning message text from apps like Signal might remain recoverable in a system database for weeks. The story matters because disappearing messages only work as well as the layers beneath them, and device seizures are exactly the scenario where those guarantees are supposed to hold.
Firefox IndexedDB fingerprinting identifier
Sticking with privacy, Mozilla fixed a subtle but serious fingerprinting vector in Firefox tied to IndexedDB. Researchers found that the order returned by the `indexedDB.databases()` API could act like a stable identifier across unrelated websites within the same browser process. That’s especially uncomfortable because it could persist in Private Browsing as long as the process stays running—and in Tor Browser, it could even undermine “New Identity” in that same session. The takeaway is a bit humbling: even something as mundane as result ordering can become a high-entropy tracking signal when it’s influenced by global internal state.
Telecom SS7 and Diameter tracking
And zooming out from browsers to networks: Citizen Lab says it uncovered two covert surveillance campaigns abusing telecom signaling systems to track phone locations. This is the long-running SS7 story, but with a modern twist—attackers can also exploit Diameter when carriers don’t enforce protections correctly, and some setups effectively fall back to SS7-like weakness. The report points to “ghost” companies posing as legitimate operators and to a few providers showing up repeatedly as entry or transit points. Why it matters is simple: location is one of the most sensitive data types, and the infrastructure that routes calls and texts still offers too many ways to quietly query it.
SQLite gets durable pubsub
On the developer tooling side, an experimental project called Honker is trying to give SQLite something it’s famously missing: Postgres-style NOTIFY and LISTEN, plus durable queues and event streams—without adding a separate broker. The interesting angle is that jobs and events live as rows in the same SQLite database, so publishing a message can commit atomically with your application data. For teams shipping single-machine apps—or embedded systems that still need background work—this could shrink operational complexity while keeping reliability characteristics people normally reach for Redis or a message bus to get.
Zig-built C compiler journey
If you like learning-by-building, there’s also a collected set of posts on writing a C compiler in Zig, called “paella.” It’s based on a well-known compiler-writing guide, but the value here is the journal-like progression: it’s the messy, practical record of getting from “hello, parser” to producing linkable outputs. These kinds of write-ups matter because they’re often the on-ramp for the next wave of systems programmers—especially as Zig keeps attracting folks who want low-level control without the full pain of older toolchains.
Color-coded hex editing usability
A smaller, but oddly compelling usability argument: one developer is making the case that hex editors and hexdump tools should use richer color by default. The point is that monochrome byte grids hide patterns your eyes are actually good at spotting—boundaries, repetition, or the single weird byte that shouldn’t be there. Think of it as syntax highlighting for binary data: a low-cost change that can make debugging files, formats, and corruption issues faster and less disorienting.
AI-shaped comment spam conversations
Now for the unglamorous reality of running a website in 2026: comment spam is evolving. One blogger described a new flavor that shows up as a short, believable conversation—multiple replies posted minutes apart—so it feels like genuine engagement. The trick was that a casino link was tucked into the middle comment in a way that blended into normal text. The broader point is that AI-generated “plausible filler” doesn’t need to be great to be effective; it just needs to look socially real long enough to slip past moderation and capture a click.
Cloud primitives and cost friction
On infrastructure, developer David Crawshaw published a sharp critique of modern cloud primitives—alongside news that he’s building a new cloud platform. His argument is that the big clouds are fundamentally shaped around awkward constraints: fixed VM instance types, storage trade-offs that push you toward remote services, and network pricing that turns data movement into a tax. He also predicts AI coding agents will increase the amount of software we produce, meaning cloud friction and cost won’t feel like an inconvenience—it’ll become a bottleneck. Whether or not his new approach wins, the critique resonates because it challenges a quiet assumption: that higher-level platforms can fully paper over the economics and ergonomics of the underlying cloud building blocks.
Repairable tractors without electronics
And finally, a very different kind of backlash against complexity: a Canadian startup, Ursa Ag, says it’s seeing strong interest from U.S. farmers for tractors built around remanufactured 1990s-era diesel engines—and intentionally light on modern electronics. The appeal is repairability: fewer locked-down components, less dependence on dealer software, and a better chance of fixing problems during the narrow windows that matter in planting and harvest. The bigger signal here is market pressure. If enough buyers prioritize maintainability over extra features, major manufacturers may have to rethink where “smart” becomes “fragile,” and where control becomes a liability.
That’s our run for April 23rd, 2026. If there’s a theme today, it’s that tiny implementation choices—whether in a phone OS, a browser API, or telecom plumbing—can have outsized consequences for privacy and control. Links to all stories can be found in the episode notes. Thanks for listening to The Automated Daily — Hacker News edition.