iOS notifications leaking deleted chats & Firefox IndexedDB fingerprinting identifier - Hacker News (Apr 23, 2026)

First up: Apple has pushed an iPhone and iPad update to fix a privacy issue where notification content could linger on-device longer than users—and some apps—intended. The core problem was that iOS could retain notifications marked for deletion, meaning message text from apps like Signal might remain recoverable in a system database for weeks. The story matters because disappearing messages only work as well as the layers beneath them, and device seizures are exactly the scenario where those guarantees are supposed to hold.

Sticking with privacy, Mozilla fixed a subtle but serious fingerprinting vector in Firefox tied to IndexedDB. Researchers found that the order returned by the `indexedDB.databases()` API could act like a stable identifier across unrelated websites within the same browser process. That’s especially uncomfortable because it could persist in Private Browsing as long as the process stays running—and in Tor Browser, it could even undermine “New Identity” in that same session. The takeaway is a bit humbling: even something as mundane as result ordering can become a high-entropy tracking signal when it’s influenced by global internal state.

And zooming out from browsers to networks: Citizen Lab says it uncovered two covert surveillance campaigns abusing telecom signaling systems to track phone locations. This is the long-running SS7 story, but with a modern twist—attackers can also exploit Diameter when carriers don’t enforce protections correctly, and some setups effectively fall back to SS7-like weakness. The report points to “ghost” companies posing as legitimate operators and to a few providers showing up repeatedly as entry or transit points. Why it matters is simple: location is one of the most sensitive data types, and the infrastructure that routes calls and texts still offers too many ways to quietly query it.

On the developer tooling side, an experimental project called Honker is trying to give SQLite something it’s famously missing: Postgres-style NOTIFY and LISTEN, plus durable queues and event streams—without adding a separate broker. The interesting angle is that jobs and events live as rows in the same SQLite database, so publishing a message can commit atomically with your application data. For teams shipping single-machine apps—or embedded systems that still need background work—this could shrink operational complexity while keeping reliability characteristics people normally reach for Redis or a message bus to get.

If you like learning-by-building, there’s also a collected set of posts on writing a C compiler in Zig, called “paella.” It’s based on a well-known compiler-writing guide, but the value here is the journal-like progression: it’s the messy, practical record of getting from “hello, parser” to producing linkable outputs. These kinds of write-ups matter because they’re often the on-ramp for the next wave of systems programmers—especially as Zig keeps attracting folks who want low-level control without the full pain of older toolchains.

A smaller, but oddly compelling usability argument: one developer is making the case that hex editors and hexdump tools should use richer color by default. The point is that monochrome byte grids hide patterns your eyes are actually good at spotting—boundaries, repetition, or the single weird byte that shouldn’t be there. Think of it as syntax highlighting for binary data: a low-cost change that can make debugging files, formats, and corruption issues faster and less disorienting.

Now for the unglamorous reality of running a website in 2026: comment spam is evolving. One blogger described a new flavor that shows up as a short, believable conversation—multiple replies posted minutes apart—so it feels like genuine engagement. The trick was that a casino link was tucked into the middle comment in a way that blended into normal text. The broader point is that AI-generated “plausible filler” doesn’t need to be great to be effective; it just needs to look socially real long enough to slip past moderation and capture a click.

On infrastructure, developer David Crawshaw published a sharp critique of modern cloud primitives—alongside news that he’s building a new cloud platform. His argument is that the big clouds are fundamentally shaped around awkward constraints: fixed VM instance types, storage trade-offs that push you toward remote services, and network pricing that turns data movement into a tax. He also predicts AI coding agents will increase the amount of software we produce, meaning cloud friction and cost won’t feel like an inconvenience—it’ll become a bottleneck. Whether or not his new approach wins, the critique resonates because it challenges a quiet assumption: that higher-level platforms can fully paper over the economics and ergonomics of the underlying cloud building blocks.

And finally, a very different kind of backlash against complexity: a Canadian startup, Ursa Ag, says it’s seeing strong interest from U.S. farmers for tractors built around remanufactured 1990s-era diesel engines—and intentionally light on modern electronics. The appeal is repairability: fewer locked-down components, less dependence on dealer software, and a better chance of fixing problems during the narrow windows that matter in planting and harvest. The bigger signal here is market pressure. If enough buyers prioritize maintainability over extra features, major manufacturers may have to rethink where “smart” becomes “fragile,” and where control becomes a liability.