QR code images in macOS are silently executed in the background hours/days later (twitter.com/simonw)
239 points by robbiet480 on Oct 5, 2022 | hide | past | favorite | 98 comments



There's a clarification from the original poster of this [1]:

"Well, I was wrong. I now believe the canary token was triggered not by macOS decoding the QR, but by Firefox’s “recent” shortcuts on the home screen. I gave too much trust to a Stack Exchange answer. I have deleted the incorrect information. I regret the error."

False alarm, get back to work folks! ;)

[1] https://twitter.com/hodgesmr/status/1577739222412312578


Other thread on this: https://news.ycombinator.com/item?id=33095608

My comment from there:

I'll be interested to see if anyone else can reproduce this. I created a request bin [0], then created a QR code pointing at it, then downloaded that QR code. I'm not sure how often this "image scanning" is supposed to occur, but just downloading it didn't cause a hit, nor did the 10 min I waited, nor did using QuickLook, nor opening it in Preview, nor scanning it with my iPhone; the only thing that caused a request was clicking on the detected link in my iPhone camera app. Obviously if this is a background daemon that runs periodically then my test wouldn't catch it (unless I got "lucky"), and for a longer-term test I'd probably want to use something other than request bin. That said, request bin says it keeps bins for 48 hours, so that might be enough time.

[0] https://requestbin.io/


For what it’s worth I was also unable to reproduce this. I’ve tried scanning but not clicking, AirDropping, iMessage, adding to Photos library, getting the url from Photos library… nothing triggered as a page visit.

Relatedly, searching for the url in my photos library does not return the picture as a result, indicating that the scanning is not being used for indexing currently. I was trying to test with other QR codes that I happened to have in my photos library, but every one of them has the website name in the picture.

I will keep the files on my computer and continue monitoring but I am becoming very skeptical of the Twitter thread author’s methodology.


The original Twitter thread talks about "a couple of days ago", so the fact that it didn't do it in 10 minutes is not that surprising. Also not sure if your 48 hours will be enough if I go from the original thread from the person who found the issue.


My M1 Mac does OCR on images. You can select text in bitmaps, look up words, and it highlights phone numbers and dates. Maybe this feature is related? Try highlighting the file using finder or viewing with quickview. Maybe you have to be on M1, too.


I'm on an M1 Max, I tried QL and opening it preview but it didn't trigger anything. I also tried scanning the QR from my iPhone and nothing came through until I clicked on the link.


Most of the Photos context scans (face detection etc.) occur when the computer is idle and plugged in. I am sure this is just another background task.


Just over 23 hours later and my QR code in my downloads folder has still not been "tripped". I guess I have another 24 hours before my requestbin expires but so far it seems there has been no reproduction of this.


I've just reproduced it. Went to a QR code generator online, generated a code with a URL http://xxx.xxx.xxx.xxx. In a terminal I did "sudo tcpdump ip host xxx.xxx.xxx.xxx".

Then I do a screen capture of the QR code, and save it. At that moment I see an http query to the ip.

uname -a: Darwin Kernel Version 21.6.0: Mon Aug 22 20:17:10 PDT 2022; root:xnu-8020.140.49~2/RELEASE_X86_64 x86_64

Really shitty idea from apple...

EDIT!!!

Sorry, I think I know where the problem was: I was testing with a site I visited in safari already. It happens that after you type a couple of characters in safari address bar, and you have a cache hit in your history, safari already loads the site. While doing the experiment I visited sites which triggered hits in the history with my test site... so no. I could not really reproduce it. Maybe original tweet comes from similar error.


I'm not saying it's not happening, but I just did this (with both a public and private IP) and was unable to reproduce. For reference I used the following:

* https://www.the-qrcode-generator.com/ - for the QR Code

* http://10.0.1.202 and http://8.8.8.8 - for the urls

* Command + Shift + 4 - To select the area of the screen with the QR code (using the native screenshot tool, I disabled CleanShotX)


My bad. Sorry, see the edit.


I generated a QR code locally, saved it to Downloads; created a QR code online, downloaded it to Downloads; created a QR code online, downloaded it, added it to Photos, deleted it from Downloads immediately. Thus far, after 20 minutes, of those 3 QR codes with distinct URLs, not one has been hit by anything. Will keep monitoring though.


My guess is that it's some part of the spotlight indexing process.


mmmm now I'm trying again, but it does not work... I will keep trying. For the record, before I did it 3 times in a row to be sure. But now it does not happen :S


Did you leave your computer idle? AFAIK most of the Photos functionality executes when the computer is plugged in and is not executing anything else.


It was just plugged in and idle for 60 minutes. Still no URL activity but the QR code I saved to Photos has been synced to my iPhone and iPad (indicating that Photos scanning and syncing has, to some extent, happened.)


Counterpoint: I did the same thing and used Little Snitch to try to catch a request, and did not see one. If there had been one, it would have attributed it to a particular process.


My understanding is that Little Snitch doesn't catch some requests by Apple-owned processes.


There are 2 things that I think are conflated here:

1. When Apple first switched from kexts to the network framework for apps like LittleSnitch, they exempted a ton of their own system processes (things like the App Store, and iCloud) from flowing through that framework. This change was reverted shortly after (I believe even before the GA release of that version, but don't quote me on that).

2. LittleSnitch ships with a bunch of default Allow rules designed to let expected first-party things like the App Store and iCloud work. I assume this is done so that the user experience for new LS users isn't "install app, entire system comes grinding to a halt". But these rules can be disabled by the user.


I believe that's now been rolled back - at least on my machine, LS is indeed catching a lot of Apple processes.


That's what I thought but on checking, it seems they've been stripped back to a bunch of Apple domains rather than blanket permissions for daemons, etc.


Hours/days later.


> Then I do a screen capture of the QR code, and save it. At that moment I see an http query to the ip.

The person they are replying to said it happened instantly in their test.


But not necessarily.


Data point: I did the exact same procedure on the exact same kernel version and did not see a hit.

I'm wondering if there is some setting in Spotlight or Finder that is required to see this behavior.


Isn’t this just URL prefetching extended to QR codes?

I don’t see what the fuss is about, unless there is some innuendo that data is being sent to Apple.


There could be privacy concerns where Apple isn't the party using the data, but has allowed a third party access unintentionally.

I don't know if this would be possible given the limited information currently available, but an example may be:

User attempts to browse anonymously through the use of A VPN, obscuring their residential IP. Website, or third party analytics on a website generate unique links and embed them in QR codes hidden on the page. A twist on tracking pixels. Browser requests, and caches image containing QR code on disk. Later, after user has disconnected from VPN their OS indexes images on the filesystem (for search purposes, or whatever, parses the QR code and requests the url contained. Malicious site/analytics firm now has additional data point (residential IP, not obscured by VPN) to correlate against.

There's also the remote potential that the QR code parsing/request functionality could have vulnerabilities. The behavior known doesn't indicate that, but it might result in exploitation with less human interaction if they are found.


Wow, yes this does seem like a potential tracking use case. Especially if the user is rotating VPN servers to anonymize further, the cached QR code could be used as a persistent identifier


Similar privacy issues of URL prefetching aside, this is actually not exactly the same.

URL prefetching is usually only expected to happen "on demand" while you're using stuff (e.g. generating link previews when they appear). What's described here seems to imply it is preemptively happening to files "at rest".

Also, automatic prefetching can be turned off in most places that have it, so ideally the user should be able to configure a setting to disable loading those URLs.


> URL prefetching is usually only expected to happen "on demand" while you're using stuff

I don't think this is my expectation. When I receive messages overnight, I want URLs in those messages prefetched, for example. The whole point is that when I open my mail or messages the previews are already available, instead of waiting.


That still implies that you are actively "using" the messaging application. Just because it is listening to messages in this case doesn't mean it's inactive, you still expect it to push stuff to you.

However, in the case of the QR code, just because you "have" the QR code on your disk doesn't imply you have an intent to visit a link in it. That would be like if you had a .txt file with a string that looked like a URL inside and somehow the system, while indexing the body, also visits the supposed URL despite it not even being a real link.

Like imagine you download a restaurant menu to check out the food and they provided it as an image (pretty standard). As a part of that image is a QR code to their Facebook page (also usually benign). In this case, let's say you are uninterested in sharing your (or specifically your IP's) interest in that restaurant with Facebook, this feature as described would share the info for you without consent.


> Like imagine you download a restaurant menu to check out the food and they provided it as an image (pretty standard). As a part of that image is a QR code to their Facebook page (also usually benign). In this case, let's say you are uninterested in sharing your (or specifically your IP's) interest in that restaurant with Facebook, this feature as described would share the info for you without consent.

This isn't any different from someone sending me a link to the menu at their website and them seeing my IP hit the preview there, so I'm not sure why I would care either way; if anything, downloading the menu is more intent on my part than being sent it by someone (who I may or may not even know).


No. In this example your IP is shared with a third party "Facebook" simply because of the embedded QR code to a social page hosted by them. This is something very different from, say, the website of the restaurant you downloaded the menu from knowing your IP.

The privacy implication is very different. If you enable link previews in a messaging app, you consented to any potential site getting your IP. If the restaurant adds a tracker on their page, they've consented to the 3rd party tracking from their end. But with the QR auto-loaded by the OS, neither you nor the first party have explicitly consented to the additional information being shared. There is strictly more information being shared.

> This isn't any different from someone sending me a link to the menu at their website and them seeing my IP hit the preview there

Again this is an inaccurate comparison. The closer analogy would be someone sending a link to a website and somehow your IP is exposed not only to the website that was shared, but also to every other website that the shared website links to.


I'm not sure you want that. At least a lot of people don't want that.


I'm quite sure that I want that. Why would I prefer to fetch previews while I'm trying to look at messages instead of while I'm sleeping?


Prefetching is usually a function of a web-browser in response to navigating to a page which contains links. I think the concern is that Safari is not involved at all here. This is the OS doing the prefetch by examining just a file saved to the filesystem.


Sure, but as has been pointed out, the likely explanation is that this is a function being performed locally for indexing or thumbnail generation.

Nobody has come close to showing anything malicious or that data is being exfiltrated, so why is this a problem?


> that data is being exfiltrated

Multiple bits of information are exfiltrated actually, and to a 3rd party (if it turns out the behavior is as described). The obvious one is your IP, which allows for some coarse geolocation. Also implicitly they would know you're running macOS.

The main thing this breaks down is that it assumes that if you have a QR code with a URL saved, then you must trust the target enough to let them see your IP. However, clearly not everyone agrees.


“Downloading image causes outbound http requests against arbitrary endpoints”

Pair this with a zero-day in the HTTP request library and an image becomes the initiation of an attack that leads to a vulnerable client connecting to a malicious endpoint.

Could also easily be used to track users in new ways.

Just two scenarios that immediately come to mind.


Calling the URL is a form of data leakage and exfiltration

QR codes often include marketing trackers, for one really common example.


One way to exploit this is to send the QR code through email or messaging app. When I open the email or see the message, the image may be downloaded, scan starts, and it makes requests which expose my information, including IP, without realizing it.


That's expected, I think, because people want link previews (and I'd put money on what's happened in this case being the iMessage bot fetching the URL rather than anything else like photosd or Spotlight.)


I'm also unable to reproduce this. I saw no activity whatsoever in Little Snitch Network Monitor.


Are we sure this guy didn’t

1. Copy/paste the link and send it to himself over iMessage from his laptop, perhaps to test it out on his phone or vice versa?

2. Send the QR code itself from his phone to his laptop or vice versa perhaps to test out scanning?

The fact that the user agent matches that of iMessage screams that the code is somehow in an iMessage thread and iMessage is trying to refresh a preview thumbnail, detect an App Clip, or make sure a URL is accessible. Add to that the fact that these requests came in the morning, suggesting they happened when he turned his laptop on or unlocked his phone to check messages, etc.


I am skeptical. So far there is only a single report of this, triggering at 8:08 am local time (according to OP's bio). If it were the middle of the night, doing some kind of dark wake background scan, it would sound more plausible. During normal user hours? Is it not possible he accidentally triggered it?

The user agent is the one used by the Link Presentation framework. It shouldn't be too much to dig through the shared cache for binaries that link to this framework and see if there are any QuickLook ones.

Moreover joshstrange in this thread and others I know from elsewhere aren't able to reproduce. Yet the original unsubstantiated tweet has 500 retweets and will probably reach thousands as the west coast logs in this morning.


If, as he suggests, it may be happening on iOS as well then it would offer third parties the interesting possibility of "probing" some locations for iPhone photo events, especially if the background requests and their headers can be distinguished from intentional requests.

Say you own a bar, nightclub, popular tourist location, or whatever. Place specific QR codes at locations encoding URLs pointing to a server you own, and you will be able to count how many times an iPhone user took a photo that included said QR code (or, if background scanning is active even before the picture is taken, how many times an iPhone was pointed towards it).

Not that this would likely provide any valuable information for a malicious actor, nor could it really be done covertly. It's more of a thought experiment.


> if background scanning is active even before the picture is taken

Just tested this and no matter how many times I point Camera at my QR code, it doesn't access the URL until I specifically click on the little yellow callout box.


It could be an AV engine doing it. Some phishing attacks have switched to using QR codes instead of links as an evasion technique in the last couple of years, so the anti-evasion to that is decode it and browse the link to see if it's malicious.


“This link might be dangerous - better click on it!”

I’d suspect it’s indexing for search rather than a security protocol; I feel like anybody security-minded would have approached this differently.


The language used throughout this thread is terrible; "better click on it" you think an AV is literally loading up a full browser and forcing it to navigate to a random link it finds in a QR code on an image?

Even the title uses the word "executed" as if a QR code is "runnable" in some way; it's not. QR code related hacks are not some magical "scan this image and get pwnd", they're related to browser exploits and other methods of forcing code execution by way of the browser.

To my knowledge there have never been any "offline" QR code hacks, where simply scanning the QR code itself has ever led to an exploit. AV is generally dumb, but simply converting a QR code itself is harmless.


No, I don't think it's loading up a full browser - I think it's sending an HTTP request and then parsing the results to some degree. To whatever extent the HTTP request mechanism is secure, and the parsing mechanism is secure, it's secure. But you don't need a browser to have security holes - anything parsing random data from the internet could be a vector.

That said, I agree - parsing the QR code itself isn't really a vector I'd worry much about.


Antivirus software isn’t known for being security-minded. Running potential malware in a buggy kernel-space sandbox comes to mind.


Antivirus software is so sloppily written it actually increases your attack surface, often catastrophically so:

https://www.theregister.com/2016/05/17/tavis_ormandy_zeroes_...

https://www.computerworld.com/article/2493275/researcher-fin...


If you've ever seen Tavis Ormandy and P0's analysis of AV software, you know this isn't actually far-fetched. A lot of these products have horrifying vulnerabilities.


I hate AV scanners, they consume one-time URLs in many cases (Salesforce password resets just don't work for me).


> I’d suspect it’s indexing for search rather than a security protocol - i feel like anybody security minded would have approached this differently

So it’s exploding the QR to see where the link goes?


Running it and seeing what it does is the most practical way of identifying malware these days. Heuristics are too easy to stay ahead of.


> And sure, just browsing the web "exposes your IP address" so this may not be the most impactful privacy issue, but it's surprising and unexpected behavior

Well, it's certainly fantastic for fingerprinting. You could put some UUID in the QR code and have macOS tell you who the IP address is every few days.


It also feels like something that would leak across VPN/proxy/ISP changes. "This tracking code was loaded first from this residential IP, then this coffee shop IP, then this VPN IP" tells quite a story!


Discussion on the original tweet: https://news.ycombinator.com/item?id=33095608

@Dang, should these threads be merged?


The fact that to reproduce this you need hours/days is probably a good indication that it shouldn't be taken very seriously. There are numerous things that could have occurred not having anything to do with MacOS that caused the URL to be visited. Until someone else can reproduce this let's stop wasting everyone's time on something we have no evidence of.

For the record I tried to reproduce this and so far the URL has not been visited.


This claim has been retracted: https://news.ycombinator.com/item?id=33100130


A QR code scanner should be passing and opening the URL with the default URL handler (http/sms/deeplink to an app within the phone). This can be a pretty scary attack vector where a popular compromised QR code scanner is used with images sent to SPAM folders, which are processed offline, possibly sending out everything a user ID has access to.


This is a quote/reply/retweet/whatever of a tweet that is also on the front page in its own right: https://news.ycombinator.com/item?id=33095608


ITT a lot of attempts to reproduce which didn't catch the assertion that this is alleged to have happened during background processing hours/days after receipt.

It's not supposed to be happening promptly; reproducing (or not) will take a couple days AFAIK?



But why?


I assume it's Spotlight indexing + photo tagging trying to be helpful but going too far?


The road to hell, and all.


Someone have a QR code image? Does Get Info on it show the URL?


Lol. This is the User-Agent of Apple's crawler:

"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"




Well the scanning is supposed to be local. It's not uploading your photos or anything. You can turn it off in System Preferences -> Spotlight -> Privacy. Or go further and remove Spotlight https://cleanmymac.com/faq/how-to-turn-off-spotlight-search-... Not positive this works on the latest hardware.


Which results in that NOTHING works anymore. File search, email search. Literally nothing will work anymore.


/usr/bin/locate and /usr/bin/find will still work.

      >$ man locate
      >$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.locate.plist
      >$ locate brain

      >$ man find
      >$ find [this directory] [criteria and action]
      >$ find . -name "brain" -print


"NOTHING, literally nothing works anymore" is an alarmist exaggeration, even if you would do the ham-fisted thing of adding your entire home directory to Spotlight's exclusion list. The sane and logical option is to add only your Pictures directory (or whatever folders you keep images in) to the exclusion list.


No it's not, because then you can't use any search on Pictures.


Yes, good disclaimer. That's what happens when you turn off local scanning.


Ubuntu and Windows also scan your filesystem to build search indexes. That's how search indexes work.


They won't generally visit the URLs you list in your files though; that's not what a search index is.


Yes, that part is different. It's a misguided feature but not too crazy of an idea. Link previews are a common feature in many applications, and this is likely just the search index equivalent of that.


None of this is confirmed, just a single person was able to reproduce that.


You can make your own canary tokens for free using https://canarytokens.org/generate
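The request-bin and canarytokens.org approaches above outsource the "did anything fetch my URL?" check to a third party that expires bins after a day or two. The following is an added example, not code from the thread or from Apple, of a self-hosted canary endpoint in plain Python standard library: each token is a random path segment, every request to it is recorded with time, source address and User-Agent, and the User-Agent is classified so that a link-preview crawler (such as the "facebookexternalhit ... Facebot Twitterbot" string quoted further up) can be told apart from a browser visit. It also reports only hits that arrive a configurable delay after the token was minted, which is the "hours/days later" signal the thread is trying to observe rather than the immediate hits a tester causes by clicking. The hostname `canary.example` and the marker list are assumptions for illustration.

```python
"""Self-hosted canary endpoint for the QR-code background-fetch experiment.

Added example (not code from the tweet, the HN thread or Apple). Assumes only the
Python standard library; `canary.example` is a placeholder base URL.
"""
from __future__ import annotations

import secrets
import threading
import time
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed User-Agent fragments typical of link-preview / crawler fetchers.
# The Facebot/Twitterbot string is the one quoted in the thread.
PREVIEW_MARKERS = ("facebookexternalhit", "facebot", "twitterbot")


def classify_user_agent(ua: str) -> str:
    """Crude split between preview crawlers and ordinary browser visits."""
    lowered = ua.lower()
    return "preview-crawler" if any(m in lowered for m in PREVIEW_MARKERS) else "browser-like"


def token_from_path(path: str) -> str | None:
    """Extract the token from '/c/<token>' (query string ignored), else None."""
    parts = urlsplit(path).path.strip("/").split("/")
    return parts[1] if len(parts) == 2 and parts[0] == "c" and parts[1] else None


@dataclass
class Hit:
    token: str
    when: float          # epoch seconds
    remote: str          # source IP as seen by the server
    user_agent: str
    kind: str            # result of classify_user_agent


@dataclass
class Canary:
    base_url: str
    created: dict[str, float] = field(default_factory=dict)   # token -> mint time
    hits: list[Hit] = field(default_factory=list)
    lock: threading.Lock = field(default_factory=threading.Lock)

    def new_token(self, now: float | None = None) -> str:
        """Mint an unguessable token; embed url_for(token) in the QR code."""
        token = secrets.token_urlsafe(12)
        self.created[token] = time.time() if now is None else now
        return token

    def url_for(self, token: str) -> str:
        return f"{self.base_url.rstrip('/')}/c/{token}"

    def record(self, path: str, remote: str, user_agent: str, now: float | None = None) -> Hit | None:
        """Log a request if it targets a known token; unknown paths are ignored."""
        token = token_from_path(path)
        if token is None or token not in self.created:
            return None
        hit = Hit(token, time.time() if now is None else now, remote,
                  user_agent, classify_user_agent(user_agent))
        with self.lock:
            self.hits.append(hit)
        return hit

    def hits_after(self, token: str, min_delay_s: float) -> list[Hit]:
        """Hits that arrived at least min_delay_s after minting: the background-fetch signal."""
        start = self.created[token]
        with self.lock:
            return [h for h in self.hits if h.token == token and h.when - start >= min_delay_s]


class CanaryHandler(BaseHTTPRequestHandler):
    canary: Canary  # attached by make_server

    def do_GET(self) -> None:
        hit = self.canary.record(self.path, self.client_address[0], self.headers.get("User-Agent", ""))
        self.send_response(204 if hit else 404)   # no body: we only want the log line
        self.end_headers()

    def log_message(self, *args) -> None:   # silence default stderr logging
        pass


def make_server(canary: Canary, host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Bind a server whose handler records into `canary` (port 0 = ephemeral)."""
    handler = type("BoundHandler", (CanaryHandler,), {"canary": canary})
    return HTTPServer((host, port), handler)


if __name__ == "__main__":
    canary = Canary("http://canary.example")
    token = canary.new_token()
    print("Encode this URL in your QR code:", canary.url_for(token))
    server = make_server(canary)
    print("Listening on", server.server_address, "- leave this running for a few days")
    server.serve_forever()
```

Run it on a host reachable from the machine under test, put the printed URL in a QR code, and ignore anything `hits_after(token, 3600)` does not return: a hit within the first hour is almost certainly you (or Safari's history prefetch, as one commenter found), while a hit a day later from a preview-crawler User-Agent is the behaviour the thread is looking for.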






The appearance of the word "fanboy" in a comment virtually guarantees that the speaker is a moron saying nothing of value.

Also the presence of "lol" in a comment, which has recently become very common on HN.


Sometimes, I believe HN is becoming Reddit albeit a very slow process, but it will happen eventually.


As voting-based social communities become more popular, the more nuanced commentary gets drowned out by the popular viewpoint. The issue isn't the site being "too mainstream"; the issue is that the nuance gets lost amongst the noise with social voting. I'm not sure if it is because of the appeal of the popular viewpoint itself, or if it is because of the amount of posts containing it.

Reddit 10+ years ago had, what I consider, great commentary on the default subs/frontpage—it was very different than the Reddit of today.

"Good" social voting sites get more popular with time; I agree with you and think it's almost inevitable that HackerNews will too. My philosophy on this is to just enjoy the site while it's in the state of popularity you like, and try to find a new one when it happens. Yearning for yesteryear isn't exactly productive. ('Better to have loved and lost than never to have loved at all'?)

My take: HackerNews is still quite niche in comparison. I'd estimate the comment volume is one or two orders of magnitude away from the point where it becomes too noisy to find the nuance.




Or an "influencer" with many followers could post the barcode and create a DDoS attack.


Only if the followers “save” the image into their photos, no?


Ah, looks like I misunderstood. I thought that it was just seeing it in the web browser, period. So this is some kind of thumbnail generation thing.


Might be cached though. Who knows if that could be picked up.


How are you going to send it to them in such a way that it wouldn’t be glaringly obvious to a court that they were sent it unsolicited?

If your threat model is the government fabricating evidence then why even bother, just arrest them, “collect” a USB drive at their house with CP and lie.

I mean hell why even bother with the song and dance, just send them the link and iMessage preview will do it too.


If it's sitting in your browser's cache, how do you determine whether it's there unsolicited or not? That's the problem already with real-time ad brokering. And it's easy to set any images to "display: none" with CSS, but they would still be loaded in the background. Now explain that to a court.


Totally not an overreaction.


I am more worried about browsing Reddit, and steganography has put that horrible things into it, so I am looking at a picture of a tree and something horrible is in it. Seriously, imagine a tree being 'bound' to evil.

A high school friend Bruce told me about that and I flipped the fuck out. That guy told me that and I went what the fuck is wrong with people. I want to browse a decent goddamn internet. It should have stayed Arpanet considering the users. Military technology should be used by the military alone in my opinion.

The US government isn't that fucked up. Cops just sprinkle crack on people.


> The US government isn't that fucked up

Well, as it is worth remembering, we killed 286,000 (mostly innocent) people in 3 days to win a war...

> Cops just sprinkle crack on people.

I wouldn't blame cops - I'd blame the FBI. If they planted it, and said you had it because they investigate that kind of thing (and they have tons of examples for material), you're screwed. Very convenient way to silence a dissident and silence the supporters... (not saying they have but in the future...)


I've literally had a cop plant drugs on me, and one of my hometowns recently had a big bombshell where a bunch of cops were indicted for doing the same thing, so I'm not sure you know what you're talking about.


> The US government isn't that fucked up.

1. See MK Ultra

2. There are other governments than the US


>The US government isn't that fucked up.

hahaha


QR codes were invented in Eastasia.



