macOS silently opens locally-stored QR codes (updated)
It isn’t a catastrophic security flaw. But it does raise serious concerns.
UPDATE 10/6/2022 9:49 AM ET: It appears the strange behavior has a perfectly legitimate explanation. In a follow-up Tweet, Hodges attributed the activity on his QR Canary Tokens to Firefox’s home screen shortcuts feature.
“Well, I was wrong. I now believe the canary token was triggered not by macOS decoding the QR, but by Firefox’s “recent” shortcuts on the home screen,” wrote Hodges in a tweet. “I gave too much trust to a Stack Exchange answer. I have deleted the incorrect information. I regret the error.” The original article can be found below.
Original Story: A U1S technology expert has identified troubling behavior within macOS that could potentially expose the user’s location and IP address to third parties.
The potential issue relates to how macOS handles QR codes saved locally on the user’s computer.
According to Matt Hodges, Executive Director of Zinc Labs, MacOS silently interprets QR codes saved on the computer’s local storage. If the QR code contains a URL, macOS will open the link as a background process.
This process occurs without the user’s active consent or knowledge. Yea, not good.
Canaries in the Coal Mine
Hodges, who formerly served as the Director of Engineering for Joe Biden’s 2020 presidential campaign, encountered the behavior while experimenting with QR Canary Tokens.
Canaries are an essential concept within cybersecurity. Think of them as a laser tripwire. However, they don’t serve a functional purpose within a computer system other than to warn of unauthorized activity.
QR Canary Tokens work in the same way. You’d place one where a potential intruder might see it. Then, the owner receives a notification if their curiosity gets the better of them.
In addition to sending alerts, QR canaries can capture information about the user, including their IP address and user-agent string.
Hodge says he placed a QR canary within his downloads folder. Several days later, he received “a flurry of emails” warning it was triggered.
“The first thing I noticed was that the source IP was my IP. The second thing I noticed was the User Agent,” he tweeted.
When you visit a website, your browser transmits a User-Agent String (UA String).
A UA String identifies your browser and operating system to the web server, allowing them to deliver the most consistent experience with your software.
The UA String captured by Hodge’s Canary revealed the browser was the built-in web scraper used by macOS’ iMessage when rendering previews of web-based content.
Although this isn’t a smoking gun, it provides compelling evidence that this behavior is innate to MacOS and not merely Hodges accidentally clicking on a link.
Putting the Issue in Context
It’s essential to put this potential issue in context. It isn’t a catastrophic security flaw. But it does raise serious concerns.
When you use the Internet, you expose details about your identity. Your IP address and your UA string are two good examples.
IP addresses may look like indecipherable lists of numbers, but they can reveal a lot about a person. Most importantly, they correspond (albeit imperfectly) with a person’s location, often down to the city.
It’s easy to imagine how this behavior could be weaponized. Somebody, for example, could surreptitiously leave a QR code on someone’s computer and receive updates as they move from city to city.
Hackers could use this behavior as a tool to spread malware
Suppose someone identifies a critical vulnerability within Safari that allows a third party to execute a drive-by-download on someone’s computer.
If they manage to deploy a QR code on the victim’s computer, macOS would automatically open it, triggering the exploit in the process.
I don’t want to scare you. This is all theoretical. There’s no evidence — none — that anyone has used this behavior for any nefarious purposes. But it does illustrate an oversight within Apple.
On a basic level, users should be able to opt out of this automatic QR scanning.
Or, it should restrict to areas that make sense — like images received over iMessage. Not anything stored in the user’s local storage.
- New macOS security feature auto-blocks unfamiliar USB-C devices
- Stage Manager for macOS Ventura is a multitasker’s dream
- MacBook battery draining super-fast in sleep mode with macOS 12.2? Bluetooth might be why
- macOS 12.2 beta includes a new-and-improved version of Apple Music