The tweet has now been deleted and the author has retracted his claim.<p><a href="https://twitter.com/hodgesmr/status/1577739222412312578" rel="nofollow">https://twitter.com/hodgesmr/status/1577739222412312578</a><p><a href="https://news.ycombinator.com/item?id=33100130" rel="nofollow">https://news.ycombinator.com/item?id=33100130</a>
"Background scanning" sounds more nefarious than what's probably really going on -- which is probably either generating thumbnail previews (for Finder) or indexing (for Spotlight), both of which are desired. Or maybe malware scanning to put files in quarantine if they point to dangerous content? macOS is also becoming more intelligent about text in images, e.g. it OCRs images so you can select text. I don't know if it indexes text in images for Spotlight the way Google has already done in Drive for years.<p>But I wouldn't be surprised if it fetches URLs in QR codes in order to index the title text associated with the URL for Spotlight. It's not so different from when you text someone a URL in Messages, it automatically shows a title and thumbnail to both parties. Or, if it's just a shared "preview" library used across thumbnails and iMessage.<p>I'm not sure what to think about it. Previews, smart text, showing URL information on hover, prefetching, indexing, etc. -- it's all pretty standard stuff. On the other hand, it does feel a little weird for previews on a local filesystem to query the internet -- we're totally used to it in e-mail and messaging though. But, I used to keep bookmarks as URL (.url) files. It would seem natural for a thumbnail of the page to show up in Finder (though I don't think it does this?).<p>As for it being an "attack" to get someone's IP -- seems like that ship has long since sailed, as it's common for any messaging and e-mail client to already show previews. If you need to protect yourself against all of those, you pretty much need to figure out what level of Little Snitch or turning off internet or airgapping is required for your security concerns.
I'll be interested to see if anyone else can reproduce this. I created a request bin [0], then created a QR code pointing at it, then downloaded that QR code. I'm not sure how often this "image scanning" is supposed to occur, but just downloading it didn't cause a hit, nor did the 10 min I waited, nor did using QuickLook, nor opening it in Preview, nor scanning it with my iPhone; the only thing that caused a request was clicking on the detected link in my iPhone camera app.<p>Obviously if this is a background daemon that runs periodically then my test wouldn't catch it (unless I got "lucky"), and for a longer-term test I'd probably want to use something other than request bin. That said, request bin says it keeps bins for 48 hours, so that might be enough time.<p>[0] <a href="https://requestbin.io/" rel="nofollow">https://requestbin.io/</a>
So, if I send you a QR code via iMessage the URL in it will automatically be hit, <i>using your IP address and browser/OS details</i>. Wow that's quite an attack vector.
This claim has been retracted: <a href="https://news.ycombinator.com/item?id=33100130" rel="nofollow">https://news.ycombinator.com/item?id=33100130</a>
Apple should be proxying and caching these results to avoid the risk of exposing client devices, prevent incidental DDoS, as well as the obvious privacy issues.
Isn't this like WhatsApp, Teams, Skype and others giving you instant previews of URLs when sending them around?
I really hate this feature. Impossible to share 'single hit' URLs as they'll be called already when you want to open them.
My first thought was he used Canary tokens. I'm going to try to reproduce it right now, and you can too: <a href="https://www.canarytokens.org/generate#" rel="nofollow">https://www.canarytokens.org/generate#</a>
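The two reproduction attempts above (a request bin URL in a QR code, and Canary tokens) both come down to the same thing: a URL containing a unique token, served by something that logs who fetched it, when, and with what User-Agent. The following is an added, self-contained example of such a listener, not code from any commenter or from Apple. It runs on the local loopback interface; to use it for a real test you would bind it on a reachable host, encode the URL it prints into a QR code (image generation is not included here), and then watch the hit log while the image sits on the device under test. `simulate_fetch` is a stand-in for whatever component might fetch the link (an OS indexer, a messaging app's preview fetcher) and exists only so the example is runnable offline; the 204/404 behaviour and the `/c/<token>` path layout are choices made for this example, not anything the thread established.

```python
"""Link-canary listener: a unique URL that records every fetch of itself.

Added example. Any GET or HEAD of /c/<token> is logged with the peer's IP,
User-Agent and a UTC timestamp; everything else gets a 404 and is ignored,
so random scanners hitting the host do not pollute the log.
"""
import secrets
import threading
from dataclasses import dataclass, field
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen


@dataclass
class Hit:
    token: str
    remote_addr: str
    user_agent: str
    path: str
    seen_at: str  # ISO-8601 UTC


@dataclass
class Canary:
    """One unique token plus the hits recorded against it."""
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    hits: list = field(default_factory=list)
    lock: threading.Lock = field(default_factory=threading.Lock)

    def record(self, remote_addr, user_agent, path):
        hit = Hit(self.token, remote_addr, user_agent, path,
                  datetime.now(timezone.utc).isoformat())
        with self.lock:
            self.hits.append(hit)
        return hit


def make_handler(canary):
    """Build a request handler bound to one Canary instance."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if urlparse(self.path).path == f"/c/{canary.token}":
                canary.record(self.client_address[0],
                              self.headers.get("User-Agent", ""), self.path)
                self.send_response(204)  # nothing to preview, just log the fetch
            else:
                self.send_response(404)
            self.end_headers()

        do_HEAD = do_GET  # preview fetchers often probe with HEAD first

        def log_message(self, *args):  # keep the default access log quiet
            pass
    return Handler


class CanaryServer:
    """Threaded HTTP listener; port 0 lets the OS pick a free port."""
    def __init__(self, host="127.0.0.1", port=0):
        self.canary = Canary()
        self.httpd = ThreadingHTTPServer((host, port), make_handler(self.canary))
        self.thread = threading.Thread(target=self.httpd.serve_forever, daemon=True)

    def start(self):
        self.thread.start()
        return self

    def url(self):
        host, port = self.httpd.server_address[:2]
        return f"http://{host}:{port}/c/{self.canary.token}"

    def stop(self):
        self.httpd.shutdown()
        self.httpd.server_close()


def simulate_fetch(url, user_agent):
    """Stand-in for a background fetcher; returns the HTTP status it got."""
    req = Request(url, headers={"User-Agent": user_agent})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.getcode()
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    server = CanaryServer().start()
    print("encode this URL into a QR code and wait:", server.url())
    try:
        threading.Event().wait()  # run until Ctrl-C, hits accumulate in server.canary.hits
    except KeyboardInterrupt:
        server.stop()
```

A hit whose User-Agent and source IP differ from the device you scanned with is the interesting case; a hit only when you tap the link yourself reproduces what the commenter above observed.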
I wouldn't be surprised if it turns out that an iOS device has the page open in a tab and refreshes it from time to time. I wish manual refresh was an option, especially for pages with redirects to another app or the App Store.
This happened to me last week and I ignored it, thinking maybe I did something wrong and Apple wouldn't be so silly to build an attack vector like this into their software.<p>It was between two devices on the same Apple ID though, via AirDrop, so maybe it only did it because the device was "trusted".
I wonder about deep links. I know iOS can pass links to apps that register certain URLs. Can this happen with QR codes (so although the OS doesn't, an app can make the request)?
All browsers now download links in the background in case you click on them by default. A QR code is a kind of link. Why not?<p>Question is, can you disable it?