
Bluesky launches Million Dollar fund, Apple and Meta battle it out, California banning ICE ... and more tech news

2024/12/20

TechCrunch Industry News

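TechCrunch: This episode covers several tech news stories, including Bluesky launching a million-dollar fund to support building on its decentralized social platform, Apple and Meta clashing over interoperability and privacy under the EU's Digital Markets Act (DMA), California's plan to ban sales of new gas-powered cars in 2035, and data exposure incidents at McDonald's India and GPS tracking company Happn. Bluesky's SkySeed fund aims to fund projects built on Bluesky's open-source AT Protocol, such as those focused on data privacy controls, parent-child apps, and local community apps. The conflict between Apple and Meta centers on the DMA's requirement that large tech companies not restrict rivals' access to their core platform services. Apple argues that Meta's interoperability requests could endanger user privacy and security, while Meta accuses Apple of using privacy as a pretext to obstruct competition. California plans to ban sales of most new gas-powered cars and light trucks in 2035; the plan will be implemented in stages and could be overturned by a future administration. An API security flaw in McDonald's India's McDelivery system led to the exposure of personal information of customers and delivery drivers, including names, email addresses, and phone numbers. A website bug at GPS tracking company Happn led to the exposure of the names and workplace information of thousands of customers.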

Deep Dive

Key Insights

What is the purpose of the $1 million SkySeed fund launched for Bluesky?

The SkySeed fund, launched by Peter Wang, aims to offer grants to developers building on Bluesky's open-source AT Protocol. It focuses on projects related to data privacy controls for AI, apps for parents/children, and local communities.

Why are Apple and Meta in conflict over the EU's Digital Markets Act?

Apple and Meta are clashing over the EU's Digital Markets Act (DMA), which requires gatekeepers like them to allow rivals access to core platform services. Apple claims Meta's interoperability requests could compromise user privacy by granting Meta access to messages, calls, apps, photos, and more.

What are the key milestones in California's plan to phase out gas-powered vehicles?

California's phase-out of gas-powered vehicles begins in 2026, requiring 35% of automaker sales to be zero-emission vehicles (ZEVs). By 2030, 68% of new cars must be ZEVs, and by 2035, all new cars sold must be zero-emission, with plug-in hybrids allowed up to 20% of sales if they have a 50-mile range.

What security flaws were found in McDonald's India delivery system?

McDonald's India's delivery system had API flaws that allowed unauthorized access to customer and driver data, including full names, email addresses, phone numbers, vehicle numbers, profile pictures, and real-time location tracking. The flaws also enabled order hijacking and one-cent purchases.

What data was exposed due to a bug in Happn's GPS tracking system?

A bug in Happn's system exposed the names and workplace affiliations of thousands of GPS tracker customers, along with IMEI numbers for SIM cards in the devices. However, no location data was leaked.

Chapters
Bluesky, a decentralized social media app with 25 million users, launched a $1 million fund called SkySeed to support developers building on its open-source AT protocol. The fund will prioritize projects focused on data privacy, AI usage, and apps for families and communities.
  • Bluesky launched a $1 million fund (SkySeed)
  • Funding is for developers building on the AT protocol
  • Focus on data privacy, AI, family/community apps

Transcript

This is TechCrunch. This episode is brought to you by Factor.


Successful tech companies follow a typical pattern: from product to platform where other startups build businesses on top of theirs. To spur that, they often launch a fund. In this case, someone else is launching a fund to help fast-growing social media site Bluesky, which now claims 25 million users.

On Wednesday, open source and Python bigwig Peter Wang announced the fund, dubbed SkySeed, with an initial $1 million war chest. Bluesky is the decentralized social app from Jack Dorsey, though Dorsey left the Bluesky board in May. It launched five years ago and has taken off as an alternative to Elon Musk's X.

The fund will offer grants to those building on Bluesky's open-source AT protocol. It's looking for tech like data privacy controls for AI usage and apps for parents/children and local communities.

Apple and Meta are warring in Europe over the balance between interoperability and privacy, Reuters reports. The fight focuses on the European Union's Digital Markets Act, DMA, a competition regulation that requires designated gatekeepers, including Apple and Meta, not to restrict rivals' access to core platform services.

In Apple's case, this means iOS, iPadOS, App Store, and Safari, but its concern here seems mainly focused on iOS. The iPhone maker has made no bones about its distaste for the DMA, but its latest attacks take aim at Meta rather than the pan-EU law itself, likely as EU enforcers are actively considering how the DMA interoperability requirements should apply to Apple.

On Wednesday, Apple revealed that Meta has made more interoperability requests than any other company, suggesting it's seeking far-reaching access that could be bad for users' privacy and security. Were it to grant all the requests, Apple warned that Meta's apps Facebook, Instagram, Messenger, Threads, and WhatsApp could allow Meta to read on a user's device all of their messages and emails, see every phone call they make or receive, track every app that they use, scan all of their photos, look at their files and calendar events, log all of their passwords, and more. The social media giant hit back by accusing Apple of concocting privacy excuses, quote, that have no basis in reality, unquote, to try to thwart access.

The Environmental Protection Agency announced today that it will allow California to ban most sales of new gas and diesel-powered cars and light trucks starting in 2035. California has long been able to set its own emissions standards under the Clean Air Act, provided they are more stringent than federal regulations. Under that authority, the state announced in 2022 a plan to phase out fossil fuel cars in stages, culminating with the ban in 2035.

California's phase-out would begin in 2026, when the state will require 35% of automaker sales to be zero-emissions vehicles, ZEV, either electric or hydrogen. In the third quarter of this year, ZEV market share was 26.4%.

Then, 68% of new cars would have to be zero emissions by 2030 and 100% by 2035. Plug-in hybrids could make up to 20% of sales, provided they have a range of 50 miles or more. However, the Biden administration's decision is certain to be reversed by the incoming Trump administration.

The last Trump administration rescinded California's waiver in 2019, though the EPA under Biden restored it three years later after 23 states sued the federal government. Apart from California, 16 states and the District of Columbia have adopted some form of California's emission standards, and most of them have a plan to phase out gas-powered cars.

Provoking the standards once more would require more than the stroke of a pen. It took the previous Trump administration 18 months to ax the waiver. Automakers have wavered on the waiver.

Many have agreed to recognize California's authority in the area, agreeing to limit emissions and wind down sales of fossil fuel vehicles in the state, but they have also asked for more time and have pressed the Trump administration to intervene. "We expect President Trump will revoke the waiver in 2025," John Bozzella, CEO of Alliance for Automotive Innovation, said in a statement.

A major McDonald's delivery system in India exposed the personal information of its customers and drivers due to several simple security flaws, TechCrunch has exclusively learned. The flaws, discovered by Traceable AI security researcher Eaton Zvere, were found in the APIs of the delivery system associated with McDonald's India West and South, which is owned by Hardcastle Restaurants.

Zvere exclusively told TechCrunch that bugs in the company's delivery system, McDelivery, meant anyone could access, hijack, redirect, or real-time track orders or make legitimate orders for one cent by interacting with the company's API, which apps and websites use for placing orders and tracking. This is because the API wasn't properly checking to make sure the person making requests was allowed to make requests.

The bugs also allowed access to invoices and provided the ability to submit feedback for customer orders. The security flaws exposed McDelivery customer full names, email addresses, and phone numbers of McDonald's India West and South customers and exposed access to vehicle numbers, profile pictures, and tracked the real-time location of the restaurant chain's drivers delivering orders.

In a since-published blog post, Zvere found the vulnerabilities and reported them to the restaurant chain in July. They were fixed in late September, per the researcher. McDonald's India told TechCrunch that a thorough verification of systems and logs showed the flaws did not result in a breach of its customer data.

"We conduct regular audits and assessments to continuously strengthen our security measures and have all the necessary enhancements implemented, ensuring all our systems are up-to-date and secure," Salakshana Mukherjee, a spokesperson at McDonald's India West and South, said in a statement emailed to TechCrunch.

McDonald's India did not disclose the number of customers whose information may have been exposed by the bugs. However, the researcher told TechCrunch that the flaws exposed access to hundreds of millions of orders.

The McDelivery West and South mobile app uses the same exact backend APIs as the website. As a result, both were vulnerable to the same exploits, the researcher told TechCrunch. This is not the first time McDonald's India has exploited its customers' sensitive data. In 2017, the delivery app of McDonald's India West and South leaked the personal information of about 2.2 million customers.

GPS tracking firm Happn exposed the names of thousands of its customers due to a website bug, TechCrunch has learned. A security researcher alerted TechCrunch in late November to customer names and affiliations, such as the name of their workplace, spilling from one of Happn's servers, which TechCrunch has seen. Happn, formerly known as SpyTech, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices, which can be attached to vehicles or other equipment. The company also sells GPS trackers to consumers under its SpyTech brand, which rely on the Happn app for tracking. SpyTech touts its GPS devices for tracking the locations of valuable possessions and, quote, loved ones, unquote. According to its website, Happn claims to track more than 460,000 devices and counts customers within the Fortune 500.

The bug allowed anyone to log in with a Happn account to view the exposed data using the developer tools in their web browser. The exposed data contained information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker which uniquely identify each device. The exposed data did not include location data, but thousands of records contained the names and business affiliations of customers who own or are tracked by the GPS trackers.

Happn did respond to multiple emails from TechCrunch. Several emails to Happn CEO Joe Besden went unreturned prior to publication. A message sent to an email address listed on the company's privacy policy returned with a bounce error, saying that the email address does not exist. The company does not have a webpage or form for reporting security vulnerabilities.

In an email provided to TechCrunch after publication, Happn CEO Joe Bestin said that the company had no knowledge of the exposure prior to publication and that the data was limited to three customer accounts, each with a large number of trackers. Bestin said the exposed records concerned data from April 2024. Bestin said the security issue is resolved.

When we contacted individuals whose names and affiliations were listed in the exposed data, several people confirmed their names and workplaces but declined to discuss their use of the GPS tracker. One company listed on Happn's website as a corporate customer had several trackers listed in the exposed data TechCrunch has seen. The security researcher said they began looking into the GPS tracker after finding that customers had left online reviews for the devices recommending the tracker for monitoring a person's spouse or partner.

TechCrunch has seen dozens of reviews on SpyTech online stores from customers who claim to have used the GPS devices to track their spouses. The list of exposed customer records also showed thousands of trackers with associated names but no other discernible affiliation. It's not known if the individuals are aware of having been tracked. That's all for now. For more stories like this one, visit TechCrunch.com.