I decompiled the White House's new app

Posted by amarcheschi 23 hours ago

I decompiled the White House's new app(thereallo.dev)

261 points | 92 commentspage 2

Arainach 23 hours ago|

"An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls."

In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.

ronsor 23 hours ago||

Yes, this is a major UX improvement considering I remove those with uBlock Origin anyway.

subscribed 21 hours ago|||

Indeed.

I'd love it somehow taken out of it and made available for the general public. Custom uBlock / Adblock filers will be probably the easiest.

shimman 20 hours ago||

I too love it when US imperialism invades digital spaces, just ignore how the US treats people critical of its own government (not just referring to the Trump admin here) then yeah sure great.

Let me know when this can ignore malware/adware from US companies then I'll give accolades.

oefrha 23 hours ago||

> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.

Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.

post-it 22 hours ago||

> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.

Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.

replwoacause 23 hours ago||

lol honestly all of this tracks given the current administration. i'm actually surprised it isn't worse. but yeah, amateur hour for sure.

jfengel 22 hours ago|

"Amateur hour" is basically their theme. They were swept in on a wave of distrust for people who know what they're talking about. They were elected to tear down Chesterton's fence, even (and especially) the parts holding in the face-eating leopards.

To mix the metaphors further, they (the politicians and their supporters) fancy themselves the kind to dream of things that never were and ask why not. Why not have a war in Iran? You won't know until you give it a try.

pugchat 19 hours ago||

[dead]

iam_circuit 20 hours ago||

[dead]

somebudyelse 21 hours ago||

[dead]

razkaplan 18 hours ago||

[flagged]

verteu 18 hours ago|

> Don't post generated comments or AI-edited comments. HN is for conversation between humans.

https://news.ycombinator.com/newsguidelines.html#generated

trimethylpurine 23 hours ago||

I don't see what the fuss is about. This all looks pretty standard. I use random people's stuff all the time. Isn't that the point of open source?

Did you find something malicious in the random GitHub repo? If so, you should write an article about that instead.

kevinsync 22 hours ago||

Using somebody's stuff is different than hot-linking directly to a hosted version of it, even just from the perspective that dude could delete it at any time and break the whole app.

trimethylpurine 19 hours ago||

That's fair. I download and embed, personally. Still, it's not a rant worthy mistake, honestly. Suggest a better approach, sure.

xocnad 22 hours ago|||

All good for you to make those choices for yourself. Your response seems to be show ignorance of all the recent supply chain attacks that have occurred. You can imagine that given the situation with the shoe gifts that many high up members of the administration and cabinet members are running this app.

trimethylpurine 19 hours ago||

I'm critical of the author.

I'm well aware of supply chain attacks. But this isn't a supply chain attack. If it were, the article would be way more interesting.

The supply chain attack articles are interesting exactly because this is so common. So what's special here other than it being loosely related to a disliked political figure? HN isn't supposed to be an especially political website.

"A common app is doing the same thing that basically every other app is doing."

Is that a good headline? No. And this isn't a good article.

rendx 22 hours ago|||

I don't know if you're being serious or not, but in case you are: There is a difference between (re)using other people's open sourced code, hopefully reviewed, and giving anyone in control of the third party repository the ability to run arbitrary code on your user's devices. Even if the "random GitHub repo" doesn't contain any malicious code right now, it may well contain some tomorrow.

torstenvl 20 hours ago||

Completely agree. This is really unique. Can you imagine if it were standard practice to be open to supply chain attacks like that, by blindly relying on hotlinked or unpinned dependencies?

input_sh 21 hours ago|||

It's always a better idea to make a local copy of it.

Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.

rpdillon 21 hours ago||

The dependencies weren't vendored, meaning their behavior can change at any time if a malicious actor gains control of that third-party repo.

This is bad for security.

crimshawz 20 hours ago|

[flagged]

More comments...