94 comments

[ 4.6 ms ] story [ 137 ms ] thread
Was anyone else able to confirm this?
This happened to me last week and I ignored it thinking maybe I did something wrong and Apple wouldn't be so silly to build in an attack vector like this in to their software.

It was between two devices on the same Apple ID though via AirDrop, so maybe it only did it because the device was "trusted".

"Background scanning" sounds more nefarious than what's probably really going on -- which is probably either generating thumbnail previews (for Finder) or indexing (for Spotlight), both of which are desired. Or maybe malware scanning to put files in quarantine if they point to dangerous content? macOS is also becoming more intelligent about text in images, e.g. it OCR's images so you can select text. I don't know if it indexes text in images for Spotlight the way Google has already done in Drive for years.

But I wouldn't be surprised if it fetches URL's in QR codes in order to index the title text associated with the URL for Spotlight. It's not so different from when you text someone a URL in Messages, it automatically shows a title and thumbnail to both parties. Or, if it's just a shared "preview" library used across thumbnails and iMessage.

I'm not sure what to think about it. Previews, smart text, showing URL information on hover, prefetching, indexing, etc. -- it's all pretty standard stuff. On the other hand, it does feel a little weird for previews on a local filesystem to query the internet -- we're totally used to it in e-mail and messaging though. But, I used to keep bookmarks as URL (.url) files. It would seem natural for a thumbnail of the page to show up in Finder (though I don't think it does this?).

As for it being an "attack" to get someone's IP -- seems like that ship has long since sailed, as it's common for any messaging and e-mail client to already show previews. If you need to protect yourself against all of those, you pretty much need to figure out what level of Little Snitch or turning off internet or airgapping is required for your security concerns.

I feel like there are better ways to do this, to the point that this 'feature' actually looks really out-of-place. Why wouldn't you get these thumbnail previews when you actually scan the QR Code? You're going to be fetching/caching the favicon and framebuffer for the page anyways, there's literally no reason not to get that data at runtime rather than 3 hours later.

It's not exactly malicious, but weird "we know better than you" behavior like this ultimately drove me away from MacOS as a daily-driver.

There is absolutely nothing malicious that has been shown.
Scanning your images and followong links in them without user consent is pretty malicious.
What are you talking about? It sounds like you don’t understand what is going on here. Perhaps you think some data is going to Apple?
Having read the article I entirely understand what is going on here.

Do you expect your images to be scanned on disk and the links in them to be opened, leaking your ip? What if you do something as simple as screenshot an address bar in a browser? Save a menu QR code?

Now you are sending out traffic, accidentally, with your full ip to random places due to a service Apple inserted that you have no knowledge of.

Do you seriously believe that your IP is private?

Do you know every site that has received your ip address?

I think the honest answer to both of these questions has to be no.

I think the idea is that it is a way for your IP address to leak without a user-initiated request.

I could send you a QR code that I've setup specifically to get your IP address.

I don't know, but I wouldn't be surprised if this is being done via Apple's private relay. If so, your IP address is not being leaked to anyone.
The thread says she got an information that somebody requested the URL and it was her own IP address. So no private relay here.
If you have the misfortune of living in a country where accessing $BANNED_WEBSITE can get you a nighttime visit from the local goon squad, this could well get you tortured or killed.
(comment deleted)
There have been reported cases of using qr codes for phishing/malware distribution. Previously they still required users to actually use a qr code scanner, now I need to simply glue some qr code at a famous tourist photo spot and bang lots of people accessing the site (does the indexer execute js?).
How is it malicious? “Malicious” doesn’t mean “unwanted behaviour”. You are saying that Apple intend to do harm with this. How?
On the one hand, I get where you're coming from and I agree that this specific example isn't malicious (as I've highlighted elsewhere in the thread)

...on the other hand, this is the exact same technology Apple lets China use to hunt down their religious and political minorities. Maybe they don't intend harm to Americans, but one thing is for certain; Apple doesn't treat privacy as a human right. If you can live with that, then more power to you.

Seems a bit like a witch hunt to me. It's your PC executing the request. Nowhere does it say this data gets send to apple servers.
> this is the exact same technology Apple lets China use to hunt down their religious and political minorities.

QR codes? HTTP requests? I’m not sure what technology you’re referring to.

> one thing is for certain; Apple doesn't treat privacy as a human right.

They have put a huge amount of effort into privacy technology; more than any comparable company I can think of. I don’t think your certainty is even remotely justified.

I agree. The problem is that it's rather annoying, and there are many such behaviors on MacOS (many of which you can't disable). Stuff like this is another good example of esoteric, almost curious behavior taking place without any input or prompt from the user. It's really absurd stuff.
> Why wouldn't you get these thumbnail previews when you actually scan the QR Code?

These aren't scanned, they're located inside .png image files you can download or generate locally on your computer.

> You're going to be fetching/caching the favicon and framebuffer for the page anyways, there's literally no reason not to get that data at runtime rather than 3 hours later.

No one asked the OS to fetch the favicon/framebuffer. Also, I would prefer the favicon of an image containing a QR code to be a thumbnail of the QR code, not the page it points to. I expect this delay is not a nefarious Little Snitch bypassing tool but a search cache update process that only runs when the computer is very idle. Better to run background tasks lazily than every time you commit an image that might contain a QR code to the filesystem.

That's definitely a more sane analysis of the situation, thank you for your two cents.

In general, these things frustrate me just as much as they did on Windows. I don't want random processes jumping up to use 100% of my CPU for no reason. I can't even count the number of times my Mac gets pinned by mdworker processes running in the background. It's reminiscent of pulling my hair out trying to understand why OneDrive or Edge is pinning one of my cores even though it isn't open.

My overall gripe is this pattern of behavior. I'd rather spend 2-5 seconds waiting for my QR code to load instead of my OS deciding to randomly cache it at some indeterminate point. Maybe other people disagree, though. Us HN users don't really tend to reflect the opinions of Joe Shmoe and his feelings towards modern computing.

mdworker runs at background priority though, anything else using the CPU should preempt it.
That's a very comforting thought for when my Mac is idling at 80c and I have to join a video conference.
>It's not so different from when you text someone a URL in Messages, it automatically shows a title and thumbnail to both parties.

And that's how the pegasus/etc. pwned iPhones

It was before the zero day was closed.
so you are saying apple is doing something they already knew is a bad idea?
No. I’m saying your information is outdated and wrong.
how can you be so confident that it's "closed"? the last time apple announced the high protection mode for state sponsored targets in new ios (whatever it's called), they disable all auto previews in that mode. if they are as confident as you are that it's "closed" that doesn't seem necessary?
I’m confident that it’s closed because they claimed to have closed it.

As for the high protection mode - of course that reduces the attack surface.

If this forum were to live up to its name, you would be laughed out of here after that comment.
Disabling link previews in high protection mode is more likely to be a combination of not issuing any network requests that could accidentally leak your IP, and being able to see the full URL so link previews can't pretend to be a different site to trick you into clicking on it.
What do you mean? The OP said that this is how Pegasus pwned (notice the past tense) the iPhone. That's correct. Moreover while Apple might have closed that specific vulnerability, would you bet your money (or even your live) on there not being other vulnerabilities in the apple indexer?
Automatic link following is pretty bad, nefarious or not. Intent is kinda beside the point of issue here; it's not like we're trying to sue Apple...

Or maybe we should group up a massive list of poor decisions into a formal complaint?

Regardless, theis shouldn't happen. Indexing the URL, fine. Fetching it is a very poor idea and a can of worms.
> which is probably either generating thumbnail previews (for Finder) or indexing (for Spotlight)

Neither of which require, nor to be honest even makes any sense to, go to the URL that the QR code represents.

OP reached a similar conclusion farther down in the Twitter thread:

facebookexternalhit/1.1 Facebot Twitterbot/1.0

What.

"This is the iMessages app's crawler [...] Apple has chosen to use this useragent in their iMessages app to ensure the unfurling of the URL and the rich preview works more often than not."²

² https://webmasters.stackexchange.com/a/138992

I'll be interested to see if anyone else can reproduce this. I created a request bin [0], then created a QR code pointing at it, then downloaded that QR code. I'm not sure how often this "image scanning" is supposed to occur but just downloading it didn't cause a hit nor did the 10min I waited, nor did using QuickLook, nor opening it Preview, nor scanning it with my iPhone, the only thing that caused a request was clicking on the detected link in my iPhone camera app.

Obviously if this is a background daemon that runs periodically then my test wouldn't catch it (unless I got "lucky") and for a longer-term test I'd probably want to use something other than request bin. That said request bin says it keeps bins for 48 hours so that might be enough time.

[0] https://requestbin.io/

The Twitter thread says it was created "a few days ago" and was hit "this morning" so I'm guessing 10 minutes might not be enough (if it is even something time-based).
Absolutely and I called that out, I just thought that opening it in QL/Preview or even scanning on an iPhone might manually kick off the same “processing” that’s being speculated about here.
I guess we all regroup here in a week or so then, right?
I'm willing to bet that if you triggered a spotlight database rebuild that it would be triggered in that process. My guess is that spotlight sees an image to index, ocrs all the text and adds it to the index. It probably also detects qr codes and generates a 'preview' of their content by following the link. Possible it may also do that if you were to take a picture of a url clearly enough that it could be OCRed.
You can use the mdimport command-line tool to manually index individual files.
I will try it, I will leave a tcpdump running in the background. The tweet is not very helpful giving information on how it was detected, or how to reproduce it.
They may have received it through iMessage, which will hit a url and grab the 'opengraph' meta tags to generate a preview.
That's not how it works. The metadata is captured on the sender side and sent with the message.
> I'll be interested to see if anyone else can reproduce this.

Indeed. This is a really bold claim and so far we have one person who has reproduced it on a single machine.

I'm no Apple apologist by any means but I'm a little skeptical of the claims in the twitter thread. It's easy enough to imagine that the poster made some kind of mistake in his methodology or some other variables are at play that he didn't consider. I'd withhold judgment until there's some corroboration.

(comment deleted)
I am, and so is the author of those tweets.
Is your claim that data is being exfiltrated to Apple?
Data exfiltration is not necessary for this to be a privacy concern; data becomes a liability as soon as it's collected even locally.

EDIT: in this case, however, data exfiltration is happening, by means of Apple's closed-source software blindly sending HTTP requests to unknown servers. Apple might not be the recipient of the exfiltrated data, but the exfiltration is happening nonetheless.

> Frankly this is absurd.

What's absurd is Apple's software sending requests to random and entirely-unvetted servers without even so much as notifying the user, let alone obtaining consent.

> Did you know that the file system of your computer contains your personal data, including files you save?

Why yes, and that would just so happen to be the reason why I ain't exactly comfortable with closed-source software silently sifting through it and blindly following anything and everything vaguely resembling a URL or encoding thereof.

> EDIT: No, that’s not what exfiltration means. You are simply misusing the word.

https://www.fortinet.com/resources/cyberglossary/data-exfilt...:

"A common data exfiltration definition is the theft or unauthorized removal or movement of any data from a device. Data exfiltration typically involves a cyber criminal stealing data from personal or corporate devices, such as computers and mobile phones, through various cyberattack methods.

"Another data exfiltration meaning is data exportation and extrusion, data leakage, or data theft, which can pose serious problems for organizations. Failing to control information security can lead to data loss that could cause reputational and financial damage to an organization."

Thanks to this crawler, anyone who sends you even so much as a QR-encoded image of a link will know that it was successfully received, that it was a macOS machine that received it, and quite possibly the public IP address of the machine that received it. That's data that's worth preventing disclosure, for the same reasons email clients often don't load images in emails by default.

This doesn't have to anything nefarious. It could be an unfortunate combination of code reuse and feature creep.

Probably the QR scanner written for the iOS camera has an option to present URLs nicely (by fetching them), and some other OS component for image indexing reused the QR scanner without realizing it comes with side effects.

> This doesn't have to anything nefarious

It doesn't have to be explicitly nefarious to be a privacy issue. I'm sure there's some perfectly innocuous reason Apple could come up with for doing this, but unless and until Apple is forthcoming with those reasons and is transparent in how this is implemented (i.e. by providing source code) I have zero reason to take any such reason at face value.

Transparency is a dependency of trust. Apple is not transparent, and therefore is not trustworthy - especially when it's running a full-blown crawler on ostensibly-private messages.

The author removed their tweet and retracted their claim. Yet another reason to not believe everything we see posted online.
My comment stands if you s/Apple/Mozilla/.
I'm guessing it's an antivirus/anti-malware operation.
Apple should be proxying and caching these results to avoid the risk of exposing client devices, prevent incidental DDOS, as well as the obvious privacy issues.
We'll just switch to user-specific QR codes then, like unique links in spam mails to find out who clicked it.
But if every code you send out gets hit by the proxy regardless of any user action taken, then the hit doesn't tell you anything but "you got the proxy's attention" which isn't much.
So far only actively downloaded codes seem to trigger this. Put in a dynamically generated "instructions.pdf" which you have to download before opening. I'm sure someone will find a way...
So, if I send you a QR code via iMessage the URL in it will automatically be hit, using your IP address and browser/OS details. Wow that's quite an attack vector.
Nobody said that.
That's exactly what happens though, and is an obvious method of attack.
Is it? Has anyone actually tested sending a QR code over iMessage? Because doing that does not generate a link preview, and so there is no reason for Messages.app to be decoding it and fetching the URL.

If macOS really is background-scanning all images, and if Messages.app actually writes all received images out to disk as individual image files, then the background scanning could conceivably scan it. However I haven't seen anyone make this claim, it certainly doesn't seem necessary (why write it out to a file on disk?), and if this scanning is triggered by e.g. Spotlight indexing then it wouldn't be indexing cache files anyway.

So, has anyone actually demonstrated that sending a QR code over iMessage causes the recipient's device to fetch the URL? Because so far this just seems like complete speculation presented as fact.

> Has anyone actually tested sending a QR code over iMessage?

I have, just now. Nothing happened at either end - the URL was not accessed at all. I can get it to recognise it's a QR code on my iPhone by tapping to focus the image, waiting for the OCR badge, tapping that, and then tapping the image again to bring up a small menu with the URL as a title and headed by "Open in Safari". None of those steps accesses the URL. You have to make a conscious action to access the URL...

If you send me the URL directly it will be hit. A QR code wouldn't even add anything. And it's worked that way for many years, iMessage showing link previews.
If I send a URL directly it will be hit from my phone. Big difference there.
That is not true.

Messages on my iPhone shows me link previews for links sent to me via SMS, not just via iMessage. I just checked to make sure. Those are necessarily generated on the recipient's end.

They could still be doing that through an Apple hosted proxy though? I believe services like discord and gmail webclient do that for links to not leak IPs.
Is it really better for SMS content to be sent to a server to achieve that? I like my SMS content to only be known to my telecom provider and my device.
I wonder if it would work with airdropped photos too. Another potential attack vector is, if you are using VPN and you rotate VPN servers every day, a website can display a unique QR code that is now saved to your browser cache, and then the next day after you have changed VPN server (and now have a new IP), macOS scans the QR code and basically tells the website your new IP
That's It. I am done. Back to Debian Linux full time for me.

Anyone want to buy a lightly used MacBook Air M1?

Isn't this like WhatsApp, Teams, Skype and others giving you instant previews of URLs when sending them around? I really hate this feature. Impossible to share 'single hit' URLs as they'll be called already when you want to open them.
Single-hit URLs abuse the REST design of HTTP(S).
I wonder about deep links. I know ios can pass links to apps that register certain URLs. can this happen with qr codes (so although the os doesn't, an app can make the request)
All browsers now download links in the background in case you click on them by default. A QR code is a kind of link. Why not?

Question is, can you disable it?

I wouldn't be surprised if it turns out that an IOS device has the page open in a tab and refreshes it from time to time. I wish manual refresh was an option, especially for pages with redirects to another app or the AppStore.
The tweet has now been deleted and the author has retracted his claim.

https://twitter.com/hodgesmr/status/1577739222412312578

https://news.ycombinator.com/item?id=33100130

The explanation for the retraction doesn't explain that user agent string. It's weird enough coming from macOS; it's even weirder coming from Firefox.

The behavior's still concerning in any case, whether it's macOS silently doing it or Firefox silently doing it.

The original tweets explained it. The user agent is impersonating a shared Facebook/Twitter/etc link preview/thumbnail. Many sites respond with markup more appropriate for a thumbnail when using that user agent, and if not, it’s unlikely that they serve anything worse, so it’s little harm done.
The author originally made it sound like they just generated the QR code, saved it, and then left it in the downloads folder. Now they are saying the Firefox "recents" feature on the home screen triggered it. This would have to mean the author already visited the link embedded in the QR code. If the author had mentioned that fact, then internet speculation would have probably figured out the real cause a lot earlier.

Though I gotta say, this is still an attack vector that I hadn't considered. If you use a VPN and occasionally rotate IPs, this Firefox "recents" feature can leak your new IP to websites that you previously visited.