A US technology expert has identified troubling behavior within macOS that could potentially expose the user’s location and IP address to third parties.
The potential issue relates to how macOS handles QR codes saved locally on the user’s computer.
According to Matt Hodges, Executive Director of Zinc Labs, MacOS silently interprets QR codes saved on the computer’s local storage. If the QR code contains a URL, macOS will open the link as a background process.
This process occurs without the user’s active consent or knowledge. Yea, not good.
Canaries in the Coal Mine
Hodges, who formerly served as the Director of Engineering for Joe Biden’s 2020 presidential campaign, encountered the behavior while experimenting with QR Canary Tokens.
Canaries are an essential concept within cybersecurity. Think of them as a laser tripwire. However, they don’t serve a functional purpose within a computer system other than to warn of unauthorized activity.
QR Canary Tokens work in the same way. You’d place one where a potential intruder might see it. Then, the owner receives a notification if their curiosity gets the better of them.
In addition to sending alerts, QR canaries can capture information about the user, including their IP address and user-agent string.
Hodge says he placed a QR canary within his downloads folder. Several days later, he received “a flurry of emails” warning it was triggered.
“The first thing I noticed was that the source IP was my IP. The second thing I noticed was the User Agent,” he tweeted.
When you visit a website, your browser transmits a User-Agent String (UA String).
A UA String identifies your browser and operating system to the web server, allowing them to deliver the most consistent experience with your software.
The UA String captured by Hodge’s Canary revealed the browser was the built-in web scraper used by macOS’ iMessage when rendering previews of web-based content.
Although this isn’t a smoking gun, it provides compelling evidence that this behavior is innate to MacOS and not merely Hodges accidentally clicking on a link.
Putting the Issue in Context
It’s essential to put this potential issue in context. It isn’t a catastrophic security flaw. But it does raise serious concerns.
When you use the Internet, you expose details about your identity. Your IP address and your UA string are two good examples.
IP addresses may look like indecipherable lists of numbers, but they can reveal a lot about a person. Most importantly, they correspond (albeit imperfectly) with a person’s location, often down to the city.
It’s easy to imagine how this behavior could be weaponized. Somebody, for example, could surreptitiously leave a QR code on someone’s computer and receive updates as they move from city to city.
Hackers could use this behavior as a tool to spread malware
Suppose someone identifies a critical vulnerability within Safari that allows a third party to execute a drive-by-download on someone’s computer.
If they manage to deploy a QR code on the victim’s computer, macOS would automatically open it, triggering the exploit in the process.
I don’t want to scare you. This is all theoretical. There’s no evidence — none — that anyone has used this behavior for any nefarious purposes. But it does illustrate an oversight within Apple.
On a basic level, users should be able to opt out of this automatic QR scanning.
Or, it should restrict to areas that make sense — like images received over iMessage. Not anything stored in the user’s local storage.
Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.