Intego Mac Security Podcast

What caused “deleted” photos to reappear on Apple devices? – Intego Mac Podcast Episode 345

Posted on by

Apple releases a fix for the zombie photos bug. But we wonder what may have caused deleted photos to reappear. Microsoft announces an AI feature for its users that takes screenshots continuously. And we’ve got a quick hands-on look at the new iPad Pro.

If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.

Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at, and use this link for a special discount when you’re ready to buy.

Get Apple security news delivered straight to your inbox, for free. Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.

Transcript of Intego Mac Podcast episode 345

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, May 23 2024

This week’s Intego Mac podcast security headlines include: Apple releases a fix for the zombie photos bug. But we wonder what may have caused deleted photos to reappear. Microsoft announces an AI feature for its users that takes screenshots continuously. And we’ve got a quick hands-on look at the new iPad Pro. Now, here are the hosts of the Intego Mac podcast. Veteran Mac journalist, Kirk McElhearn. And Intego’s. Chief Security Analyst, Josh Long.

Kirk McElhearn 0:44
Good morning, Josh, how are you today?

Josh Long 0:46
I’m doing well. How are you, Kirk?

Kirk McElhearn 0:47
I’m doing just well. And we need to issue a correction for something you said last week. You said that Google had patched their fifth zero day vulnerability Josh, you got it wrong?

Google has patched seven, and not five, zero-day vulnerabilities in Chromium this year

Josh Long 0:57
Yeah, we came across the story from Ars Technica that talked about how Google’s Chrome browser and therefore all other Chromium browsers had patched the fifth zero day vulnerability of the year. And we talked about oh, well, it’s May and the fifth month and all that kind of stuff. Well, it turns out that there was actually a sixth and a seventh that all came out. These were like, literally a day apart from each other. And so by the time we actually published our own article about this to include in the show notes, I realized there’s actually like, seven zero days now. And so we’ll make sure to mention that on next week’s episode.

Apple patches a bug in its operating systems that resurrects deleted photos

Kirk McElhearn 1:34
So last week, we started talking about a story, iOS, iPadOS, and apparently TVOS, perhaps, was restoring deleted photos to users Photos Library. These were photos in some cases that users had deleted years ago. And there was no explanation for this. It turns out that beta testers of iOS 17.5 had noticed this, and Apple still released it. So Apple released an update on Monday to iOS and iPadOS 17 point 5.1. And the next day for TVOS 17 point 5.1. We’re going to talk about this in the second half of the show, because we have some theories about what happened. Apple just said that photos that experienced database corruption were restored and photos aren’t databases, so they can’t experience database corruption. But we’ll come to this after the break. Speaking of patches, Josh, you’re on a crusade about the fact that Apple is not updating open source components in macOS Sonoma, for those who don’t know, macOS and OS 10 before that is built on a UNIX Foundation. And Unix is built of a whole bunch of different tools. And the way Unix has built a lot of these tools are things that do one thing, right, and they’re all bundled together. Many of these are open source maintained by a single person, many of them are much larger in scope, and have a team maintaining them. And a lot of these things get updated for very serious security vulnerabilities. And Apple seems to not they haven’t completed their to do list and their Reminders app and updating all of these things.

Apple neglects to update critical software

Josh Long 2:57
Yeah, so this is very weird. And we’ve mentioned this a couple of times over the course of macOS Sonoma’s history, which originally came out remember late last year in the fall. And so it’s interesting to see that for whatever reason, MacOS Sonoma still has a version of LibreSSL, which is the you know, SSL Secure Sockets Layer. This is like how your device communicate securely with other computers and other servers on the Internet and things like that. So LibreSSL is a really critical library. It’s still at this point more than two years out of date, and contains several known vulnerabilities. We’ve mentioned these before. But what I thought was interesting about this is that in checking that, and every time that there’s a MacOS Sonoma update, I check is LibreSSL updated updated yet? Because Apple, interestingly enough, doesn’t always mention these open source components in their list of security things that got patched and the new versions of the operating systems, but Apple did patch a couple of things that they didn’t really allude to, but they patch them to versions that are already old. So this is bizarre. Okay, so as of MacOS, Sonoma 14 point 4.1. They had curl version 8.4. Curl is software that you can use to download something from the internet, from the command line is generally where it’s used. And it was updated to 8.6 point oh, which is weird, because that contains at least four known vulnerabilities that I could find the latest version is actually 8.7 point one. So they did update it, but they updated it to a very old version. And then that wasn’t the only component. There was another yet another one where Apple had updated it. Now, to be fair, this one had just been patched the same day that Apple released the macOS Sonoma update. So I’m not too surprised that Apple didn’t get that one included. But the curl one, that was the real shocker, because if you’re going to take the time to compile the new version of curl to include with your operating system, why wouldn’t you put the fully patched newest version of it? Why are you putting an old like non fully patched version that has known vulnerabilities? Like, what’s even the point of updating it at all at that point?

Kirk McElhearn 5:31
Well, let’s face it, Apple has to test this software on multiple devices. And maybe the testing process is so long for one version, that it takes them a year to be able to roll it out. And they’ve already tested version x. And they can’t test version x point one until they’ve rolled it out. I’m being a little bit sarcastic, but I agree with you, if they’re doing something like this. I mean, I don’t really do this myself often. But you download the source code, you compile it and you put it on your computer. It really takes about 10 minutes. Maybe that there? I don’t know. There’s no logic to this is there? It sounds like somehow this is slipping from Apple’s attention in security.

Josh Long 6:11
Well, yeah, exactly. There’s something there’s some disconnect here. For whatever reason, the biggest one really is LibreSSL. And I just bring up curl just because I happen to notice it’s like, okay, well, they did update it. Oh, wait, but that’s not even the newest version anymore. Like, okay, but LibreSSL, that’s a big problem. There’s no way that Apple should be including two years old components in the operating system when there are known nine point at at a 10 critical vulnerabilities that like haven’t been patched like, that’s insane to me, like the apples patching things in every version of the operating system, but they’re not even touching this major thing that is a main part of the operating system and how it communicates securely. I did reach out to Apple again, of course, and once again, Apple has not responded to my request for comment.

What do you think of the new iPad Pro?

Kirk McElhearn 7:02
Okay, why don’t we talk about some good Apple stuff. Apple’s new iPad Pro now, you’ve said many times, you don’t use an iPad a lot. And I do, I kind of, I’d say 20% of my work is on the iPad, because I’d like to switch from my desktop Mac to my laptop to my iPad to move around. So I bought the new iPad Pro, I got the 11 inch version. I think the 13 is just a little bit too big. And I’ll tell you the display on this is the best display I’ve ever seen on an Apple device. You know, you’ve gotten used to OLED on iPhones. They’ve been in iPhones for a few years, but they hadn’t been an iPad. And when you see it on an iPad, it’s really quite stunning. The Ultra retina XDR display is what they’re calling it. It has the same screen brightness as the iPhone 1000 nits up to 1600 nits and peak HDR brightness. It has what does this even mean a 2 million to one contrast ratio. I mean, black is black and white is white. The thing about OLED is you don’t get that sort of graininess when you see blacks, the display is just wonderful. It has this new M four processor. And I’ll tell you now, I’ve had it for a week ago last Wednesday. And I’ve been trying to figure out what I can do that could take advantage of the M four processor. I upgraded from an M one iPad Pro, it was three years old. And it did pretty much everything I needed. And now that I have Apple’s fastest processor ever, the M four, what can I do with it?

Josh Long 8:25
Well, AI stuff, I guess.

Kirk McElhearn 8:30
We’ll see . That see, that’s what we’re expecting to see at WWDC that maybe there’s going to be something that requires a faster processor, as we mentioned, you know, with respect to the M1 iMac. But for now, there’s nothing you can do with these devices. And a lot of people have been writing about this people who use the iPad for work and saying, you know, it’s good, I can do this, I can do that. I can edit photos, I can edit podcasts, I can do this sort of, you know, productivity work. But there’s nothing that stretches the limits of the iPad. It’s almost as like, you open an app and the iPad just yawns and says, Well, what can I do for you? There’s nothing to do, right? It’s kind of that feeling that it’s just wonderful. And it’s thinner, and it’s wider a little bit than the previous and it’s just wonderfully powerful tablet that there’s nothing to do with.

Josh Long 9:15
Yeah, of course, I was joking a little bit about the AI capabilities. But that is one of the big selling points, right of M for really, all of the M series chips. Apple has been adding more and more neural cores so they can do more on device processing. And that’s where I think Apple has been working towards this for years, like even in anticipation even before like ChatGPT came out. Like Apple has already been starting to move in that direction of being able to do more on device data processing and things like that. So there’s been a lot of speculation about what exactly we’re going to get in the operating system announcements coming in a few weeks, on June 10 at WWDC, So we’ll see then. But we know we’re getting something AI related, right? There’s going to be some more on device processing and and probably better Siri that has more AI capabilities that, again, are probably going to be doing a lot of processing of data on device to make it much faster. So it doesn’t have to go up to the cloud for every single thing. And that’s one of the things with like, if you’re using like the ChatGPT app, for example, or a number of other similar apps, it’s going to the cloud, it’s going to someone else’s server to process the query that you’re submitting. And it would be nice if you could do a lot more on device processing, because in theory, it would be a lot faster.

Kirk McElhearn 10:44
It would be faster, and it’d be better for privacy, because every time you query ChatGPT, or any other of these things, it’s recording your query, which may be anonymous, but you know, it depends on how much information you put into it. In any case, the new iPad Pro is quite expensive. It starts at $1,000. The magic keyboard starts at $300. And that, to me seems a bit excessive to pretend you have a laptop that you can use with a touchscreen. The new Apple Pencil Pro is quite interesting. It has this wonderful new feature where you squeezed the bottom, you get haptic feedback, and it opens a palette that lets you switch tools and wine weights and cupboards. It’s quite clever, and it has find my support. So when the pencil rolls down between the couch cushions, you can find it with find my and believe me, two days after I got the iPad, I couldn’t find my pencil and I hit T swine might find that it rolled off my desk, and it was behind something. So that’s a win on that. The 13 inches for someone who really needs to be iPad, it’s still a bit unwieldy. But if you’re using it for work, maybe you want it, I don’t know, between this and the $600 iPad Air M2. There’s a big gulf of $400 difference, you know, for the 11 inch, but it depends on what you want. For me, this is the luxury iPad. It’s quite nice. I liked the display. And I’m looking forward to what I can do with the M four and we’ll talk about that in a few weeks. Let’s take a break. When we come back we’ll talk more about that reappearing photo bug in iOS and iPadOS

Voice Over 12:11
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at That’s and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

What was the bug that caused the recent problem with deleted photos reappearing?

Kirk McElhearn 13:27
Okay, so we’re talking about this bug that undeleted photos. And we mentioned last week that one of the first articles was talking about how it undeleted sensitive photos and because nudes gets clicks. And that’s not really it wasn’t just picking the sensitive photos to undelete it apparently and deleting a lot of photos. Apple came out and said something to the effect that photos experienced database corruption. Now, as I said earlier, photos aren’t databases so they can’t be corrupted. So they can’t experience database crops. They can be corrupted in many ways. But that wasn’t the case. I have a theory, your Photos Library. If you look at it on your Mac, you can’t see the file itself on an iPhone or an iPad. If you look on your Mac, you see a single file that is the photo library. But inside that file, there are hundreds, maybe even 1000s of other files. There’s a database, which tells the Photos app which photo is where there’s a series of folders that contain photos. So the database gets the file paths of the photos in these various photos. There’s original photos, there’s edit information, and there’s thumbnails and previews. So if you delete a photo from your photos, library, photos has to delete the original photo, any edit information and any thumbnails and previews. It’s multiple items for each photo. It’s not a single photo. And what I think happened is that somehow, deleting photos prior to 17.5 may in some cases not have deleted the previews or the thumbnails and there are usually two sizes for these Full size one and a smaller one. And the reason photos does this is that when you’re displaying your library, it doesn’t have to read all the photos, which could be within current iPhone 48 megapixel. So that’s a lot of files. So it generates previews. And then when you click Edit to edit a photo, then it displays the whole photo. And you’ll notice, at least on my M1 iMac, some photos take a few seconds to fully resolve when you do that, because of the size of the photos. So if what happened is that deleting photos didn’t delete previews and thumbnails. And Apple changed something in the way the photos database works, or the way all SQL lite databases work. Somehow the Photos app saw these previews and thought that these were actual photos and re added them to the Photos Library. Now one of the reasons this seems likely is that people have mentioned that these photos had funny names with combinations of random letters and numbers. And all of these preview and thumbnail files have these funny names. And Apple uses these a lot for preference files and data files for different apps. I don’t know why they do it this way, and what the randomness is, but they’re their file names that don’t have anything related to a date or place or anything like that. But these names are stored in the database. So it would make sense that if Apple did something to correct the database, that maybe the database hadn’t fully recorded that these files had been deleted, and still had traces of them, found those previews and added them to the library, under the thought that better to not lose anything right than to take any chances. another data point to consider a lot of people have a large Photos Library. And if they have a Mac, they’ll keep all the photos on the Mac, but on an iPhone or an iPad, they’ll choose not to download all the photos because it will take up so much space. If you do this, what happens is the photos go into iCloud and your device downloads those previews and thumbnails from the cloud rather than the full resolution photos. So on the iPhone and iPad, we still have these preview and thumbnail photos now. So far, I haven’t seen anything to suggest that this bug has affected people on the Mac. We’ve only seen people talking about iPad and iPhone. Now, macOS didn’t get an update to fix this bug. So it would be surprising to me that the database code would be different on all of them. Doesn’t seem like it’s a server side issue. Apples clearly said it’s something to do with database, but they didn’t say anything more. So this is speculation. But I spent a good part of today looking through all the evidence and trying to think of all the possibilities. Maybe I’m wrong. What do you think, Josh?

Josh Long 17:39
Well, I think this is probably one of the best theories that I’ve seen. I’ve not ruling out the possibility that there could have been a server side database issue. There are a number of like complications like why that might not make sense. But then there are also some reasons why your theory might not make sense if some of the reports that people have made about what they experienced were actually accurate. So that’s that’s the thing is like we have very few reports to work from, you know, there were a handful of people who said, Well, I experienced this and I experienced that. So the very first post, which was on Reddit that we talked about last week, talked about not safe for work material that this person had made with their, you know, a significant other during COVID. And so that original post on Reddit is gone now for we don’t know why we don’t know why they decided to delete that. But there’s been another Reddit posts where somebody said, Well, I wiped my iPad using the official Apple guides before selling it. And I sold it to a friend of mine in September, they called me after updating the iOS 17.5 and said my old pictures appeared in their photos app. Okay, so it’s possible that maybe this was a photo that that original owner had shared with their friend. And that’s why this photo resurfaced. Again, maybe there was some old cached preview because maybe the friend had airdropped it to them. And so that was why this particular photo resurfaced. So I, you know, that does still kind of fit with the theory. Now, someone else who commented in a MacRumors forum said, I had an old random photo from 2004 show up in my library, and it had EXIF data, which is kind of metadata about what kind of camera took the picture, etc. That was from a camera I never had in my life. My iPad Pro is an Apple Care replacement from last year. So this person makes it sound like okay, well I saw a photo I’ve never seen before and I never owned the camera that this photo was taken with but if We’re just basing it on that report alone. Well, maybe there’s some possibility that somebody at some point had sent this photo to the person, they saved it to their Photos Library, and he forgot about it, you know, it’s possible.

Kirk McElhearn 20:13
And it’s worth pointing out that these preview photos do contain all the EXIF data. And there’s a reason for this, that when you’re looking at a photo in the Photos Library, before you edit, you want to click on the little eye button to see information when it was taken, what camera what lens etc, before you go into edit mode, which is when you need to load the actual photo. So this is all to save time and processing power on the device.

Josh Long 20:35
Right. So this person based on the reports that had come out, I think was probably under the assumption that they had gotten somebody else’s photo from like maybe a previous user of that now refurbished iPad that they ended up with. So we don’t actually know whether that’s true or not, you know, we still don’t really have a lot of other details. There have only been scattered anecdotal reports. And by the way, there’s only been one report so far that I’ve seen about somebody claiming that their voicemails resurfaced and like, Well, that was one person who said that. So these are all very scattered reports. And it’s very difficult to work from that little bit of information from people who might be forgetting things, or might have made a mistake, and might not be accurately reporting the things that they’ve observed. So

Kirk McElhearn 21:26
if any listeners have had this bug, if you’ve seen photos, it reappeared in your Photos Library, drop us a line at [email protected]. I don’t think Apple is going to give us any more information about it. But I think they really ought to because this is a privacy issue. You delete photos for a reason. And as as Josh wrote in his article about this, these photos could be photos you don’t want other people see that could be explicit, but they could also be screenshots that you’ve taken of credit cards of passwords of QR codes of banking information I owe a lot of people take screenshots. Rather than writing down or typing things, you see something in a web page, take a screenshot, let’s say you’ve just got a new bank account, I’m gonna take a screenshot with all the information. So this is a serious bug, it might be less serious than some of the articles have suggested, particularly that original Reddit post has disappeared. And so now that could be a number of things. He could have fallen out a window, Apple could have paid him off to get his silence, he could have realized he made a mistake deleted the post. There’s a lot of possibilities. Yeah.

Josh Long 22:30
So unfortunately, that’s all we’ve really got for you. We’ve got some speculation, but it at least, is based on good information about what we do know, unfortunately, because and we did reach out to Apple, by the way, and Apple, of course, has not responded because they literally never respond to any inquiries that I send them about anything security and privacy related. But you know, in any case, we don’t know more than what we’ve said here. But there’s a little bit more detail in the article that you’ll find in the show notes. That’s also at Intego Mac’s security blog, if you want to read more about what exactly happened, what people claimed. And you know where we go from here.

What is Microsoft’s “Recall” feature?

Kirk McElhearn 23:12
Speaking of screenshots, Microsoft announced a creepy new AI feature for Windows called Recall. And what it does is it records everything you do on your computer, everything. By the way, when I saw this, I said, Oh yeah, there’s a company called rewind, it’s been doing this for a couple of years. And it’s available on the Mac. And there’s also, I believe, a Safari extension. So you can record all your safari activity on an iPhone or an iPad. And it doesn’t just capture your activity. It takes screenshots, like every I don’t know how many seconds or every minutes. Now think of all the things that you look at on your screen think of I’m applying for a loan, and there’s all sorts of personal information screenshot. I’m sending messages to someone maybe I shouldn’t be sending messages to screenshot that. Not necessarily that your spouse doesn’t agree but maybe it’s you’re looking for a new job and your boss doesn’t want to see it or whatever. Right? Think of all the things you do that are really personal, that aren’t illegal, that aren’t immoral, but are just things you don’t want to share. You put passwords in your in your password manager and you’re editing your information for your passwords well screenshot of username and password. Imagine if that got into the wrong hands, either someone who installs malware on the device and can read those screenshots, or a significant other who has access to a device in situations that could be involving domestic abuse. This is wrong they have to not do they have to stop this. And in fact, the UK Data watchdog is already looking into the fact that Microsoft’s Recall was taking screenshots even before it’s out this was just after the announcement.

Josh Long 24:46
Missed opportunity to call this “Total Recall” like the movies. But ya know this, that was the first thing that I saw. So there’s actually we’ll link in the show notes to a video of Microsoft CEO Satya Nadella in an interview discussing this whole thing, and this little clip is, it’s kind of concerning how flippantly the CEO of Microsoft is treating this. Because as soon as the person interviewing him says, Well, isn’t that kind of creepy? Like, she literally says, creepy. And then Satya Nadella goes, Oh, well, hold on, wait a minute. And we’ve you got to slow down and realize that, you know, we’re doing things in the right way. We’re being careful. And, and of course, some of the behind the scenes stuff about this is that you can opt out particular apps. And it won’t take screenshots when you’re in private browsing mode and Microsoft Edge. So I mean, you know, that’s good. That’s a good start.

Kirk McElhearn 25:48
But you can wait, what if you’re in private browsing mode on Google Chrome?

Josh Long 25:52
I don’t know, I don’t know whether that’s something that you will be able to say also opt out of private browsing mode in every browser isn’t going to recognize every browsers. So there’s a lot of really concerning things here. No, you know, a lot of people use password managers that have an extension in their browser. And those might occasionally display a password, right, depending on how you’re using it. And a particular Password Manager, you might have credit card numbers, you have to type in credit card numbers on websites, you might not necessarily be using a private browsing window, when you’re doing that, you know, you might have a government website that you’re accessing, where you have to put in your social security number, again, you might not be using a private browsing window in Microsoft Edge for that. So there’s so many things that, you know, seem like would be not such a good thing for your device to constantly be taking screenshots of all of this stuff. So I would suggest that if you do have windows, and you’re thinking about using this feature, maybe think about not using this feature.

Kirk McElhearn 26:55
Okay, I just want to riff on this a little bit. Because when I’m working when I’m doing research for an article, sometimes I’m looking at 100 web pages, right? I’m looking at articles, I’m looking at product, price pages, etc. And I can’t find them in my Safari history easily. I don’t leave 100 tabs open like you do, I kind of limit myself, and it doesn’t when I can no longer see the names of the tabs, that’s too many. I would like spotlight to do something to allow me to search for things that I’ve done in the browser, but not just that are in the page titles, right? I would like spotlight to be indexing the content of webpages I view. So I could ask spotlight, find me that product page about the men’s shorts in navy blue, right. For example, I would like something like that, where you’re not searching for an exact text string. And sometimes I go into Safari history, and I have to search for a text string and I can’t find it. So I would like something that does that, but doesn’t take screenshots.

Josh Long 27:56
And as long as you can selectively and easily turn this on and off. Like if you’re using a Windows PC with this feature. Maybe that’s okay. In certain circumstances for a limited amount of time. If I want to do if I want to go into research mode and turn this on. Great, I can do that. And then I’ll turn it off as soon as I’m done as long as I remember to turn it off, or I can set an amount of time.

Kirk McElhearn 28:21
Okay, that’s enough for this week. Until next week, Josh, stay secure and don’t turn on Recall.

Josh Long 28:25
All right, stay secure.

Voice Over 28:29
Thanks for listening to the Intego Mac podcast, the voice of Mac security with your host, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at The Intego website is also where to find details on the full line of Intego security and utility software.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →