
ICEBlock handled my vulnerability report in the worst possible way


Last week, I wrote about how Joshua Aaron's ICEBlock app, which allows people to anonymously report ICE sightings within a 5-mile radius, is – unfortunately, and despite apparent good intentions – activism theater. This was based on Joshua's talk at HOPE where he made it clear that he isn't taking the advice of local community groups, that ICE sightings aren't verified in any way, and that he doesn't know what he's doing when it comes to security and privacy.

In that post, in the section about his "HIGHLY secure" server that he kept mentioning, I wrote:

Without providing more details, I also discovered that his server is running outdated software with known vulnerabilities.

I was intentionally vague because I knew that his server was vulnerable at the time of writing, and I didn't want anyone to exploit one of these vulnerabilities before he had a chance to fix it.

ICEBlock has been downloaded over one million times from the App Store. I don't know whether Joshua's server stores data related to these users or the reports they submit, but it might, and he certainly bragged about the security of it in his HOPE talk.

I'm publishing this because it's important for people who are trusting ICEBlock to know that the developer is careless about computer security, even when people specifically point out security issues and give him time to fix them. Hopefully his server doesn't have any user data. Hopefully no one will hack his server despite the fact that he's making it easy for them to. And hopefully this blog post will compel him to finally fix the issue.

UPDATE: It worked! Hours after I published this, Joshua updated Apache on his server, fixing the issue.

Joshua runs two Bluesky accounts: @iceblock.app, the account of the ICEBlock app, and @joshua.stealingheather.com, Joshua's personal account. His personal account had DMs closed, but the ICEBlock account had DMs open, so I sent him DMs there.

On September 1, I wrote:

Hey Joshua, I'm one of the people who saw your HOPE talk and asked some of the questions. I'm giving you a heads up that I'm preparing to publish a blog post about the app and your talk that isn't very flattering. But also, I wanted to give you notice that you're running a vulnerable version of Apache on your linode server. I'm not mentioning this specifically, but you should install updates
