A US tech expert has identified troubling behavior within macOS that could potentially expose a user’s location and IP address to third parties.
The potential issue relates to how macOS handles QR codes saved locally on the user’s computer.
According to Matt Hodges, executive director of Zinc Labs, macOS silently interprets QR codes saved on the computer’s local storage. If the QR code contains a URL, macOS will open the link in the background.
This process occurs without the active consent or knowledge of the user. Yeah, not good.
Canaries in the coal mine
Hodges, who previously served as director of engineering for Joe Biden’s 2020 presidential campaign, encountered this behavior while experimenting with QR Canary Tokens.
Canaries are an essential concept in cybersecurity. Think of them as a laser tripwire. They have no functional purpose within a computer system other than to warn of unauthorized activity.
QR Canary Tokens work the same way. You would place one where a potential intruder could see it. The owner then receives a notification if the intruder’s curiosity gets the better of them.
In addition to sending alerts, QR canaries can capture user information, including their IP address and user agent string.
Hodges says he placed a QR canary in his downloads folder. A few days later, he received “an avalanche of emails” warning him that it had been triggered.
“The first thing I noticed was that the source IP was my IP. The second thing I noticed was the user agent,” he tweeted.
When you visit a website, your browser transmits a user agent string (UA string).
A UA string identifies your browser and operating system to the web server, allowing it to provide the experience most compatible with your software.
The UA string captured by Hodges’ canary revealed that the browser was the built-in web scraper used by macOS’ iMessage when rendering previews of web content.
While this isn’t absolute proof, it does provide compelling evidence that this behavior is innate to macOS and not just Hodges accidentally clicking a link.
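The two signals Hodges checked, source IP and user agent, can be turned into a triage rule for canary alerts. The following is an added example, not code from the article or from Hodges; the marker substrings, field names and sample alerts are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed markers of an automated link-preview fetcher. The article does not
# quote the UA string Hodges saw, so these substrings are illustrative.
PREVIEW_MARKERS = ("facebookexternalhit", "twitterbot", "linkpreview")

# Constructed sample alerts (documentation-range IPs, made-up UA strings).
SAMPLE_ALERTS = [
    {"src_ip": "203.0.113.7",
     "user_agent": "Mozilla/5.0 (Macintosh) facebookexternalhit/1.1 Twitterbot/1.0"},
    {"src_ip": "203.0.113.7",
     "user_agent": "Mozilla/5.0 (Macintosh) facebookexternalhit/1.1 Twitterbot/1.0"},
    {"src_ip": "203.0.113.7",
     "user_agent": "Mozilla/5.0 (Macintosh) Version/15.2 Safari/605.1.15"},
    {"src_ip": "198.51.100.23",
     "user_agent": "Mozilla/5.0 (Linux; Android 12) Chrome/96.0 Mobile"},
]


def classify(alert, owner_nets):
    """Return (origin, fetcher) for one canary alert."""
    ip = ipaddress.ip_address(alert["src_ip"])
    origin = "owner" if any(ip in net for net in owner_nets) else "external"
    ua = alert["user_agent"].lower()
    fetcher = "automated" if any(m in ua for m in PREVIEW_MARKERS) else "interactive"
    return origin, fetcher


def triage(alerts, owner_cidrs):
    """Count alerts per label and collect those from outside the owner's networks."""
    nets = [ipaddress.ip_network(c) for c in owner_cidrs]
    counts, escalate = Counter(), []
    for alert in alerts:
        label = classify(alert, nets)
        counts[label] += 1
        if label[0] == "external":
            escalate.append(alert)  # someone else fetched the URL: investigate
    return counts, escalate


if __name__ == "__main__":
    counts, escalate = triage(SAMPLE_ALERTS, ["203.0.113.7/32"])
    for label, n in counts.items():
        print(label, n)
    print("escalate:", [a["src_ip"] for a in escalate])
```

A run of owner/automated hits matches the pattern the article describes, while external hits are the ones a canary exists to catch.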
Put the problem in context
It is essential to put this potential problem in context. This is not a catastrophic security flaw, but it does raise serious concerns.
When you use the internet, you expose details about your identity. Your IP address and UA string are two good examples.
IP addresses may look like lists of indecipherable numbers, but they can reveal a lot about a person. More importantly, they map (albeit imperfectly) to a person’s location, often down to the town.
It’s easy to imagine how this behavior could be weaponized. Someone, for example, could surreptitiously leave a QR code on someone’s computer and receive updates as they move from city to city.
Hackers could use this behavior as a tool to spread malware.
Suppose someone identifies a critical vulnerability in Safari that allows a third party to run a drive-by download on someone’s computer.
If they manage to deploy a QR code to the victim’s computer, macOS will automatically open it, triggering the exploit in the process.
I don’t want to scare you. All of this is theoretical. There is no evidence – none – that anyone has used this behavior for any nefarious purpose. But this illustrates an oversight on Apple’s part.
Basically, users should be able to disable this automatic QR scan.
Or it should be limited to areas that make sense, like images received via iMessage, not anything stored in the user’s local storage.