by grooot 1355 days ago
Isn’t this just URL prefetching extended to QR codes?

I don’t see what the fuss is about, unless there is some innuendo that data is being sent to Apple.

4 comments

There could be privacy concerns where Apple isn't the party using the data, but has allowed a third party access unintentionally.

I don't know if this would be possible given the limited information currently available, but an example may be:

User attempts to browse anonymously through the use of a VPN, obscuring their residential IP. A website, or third-party analytics on a website, generates unique links and embeds them in QR codes hidden on the page. A twist on tracking pixels. The browser requests, and caches, the image containing the QR code on disk. Later, after the user has disconnected from the VPN, their OS indexes images on the filesystem (for search purposes, or whatever), parses the QR code and requests the URL contained. The malicious site/analytics firm now has an additional data point (residential IP, not obscured by the VPN) to correlate against.

There's also the remote potential that the QR code parsing/request functionality could have vulnerabilities. The known behavior doesn't indicate that, but it might result in exploitation with less human interaction if they are found.

Wow, yes, this does seem like a potential tracking use case. Especially if the user is rotating VPN servers to anonymize further, the cached QR code could be used as a persistent identifier.

Similar privacy issues of URL prefetching aside, this is actually not exactly the same.

URL prefetching is usually only expected to happen "on demand" while you're using stuff (e.g. generating link previews when they appear). What's described here seems to imply it is preemptively happening to files "at rest".

Also, automatic prefetching can be turned off in most places that have it, so ideally the user should be able to configure a setting to disable loading those URLs.

> URL prefetching is usually only expected to happen "on demand" while you're using stuff

I don't think this is my expectation. When I receive messages overnight, I want URLs in those messages prefetched, for example. The whole point is that when I open my mail or messages the previews are already available, instead of waiting.

That still implies that you are actively "using" the messaging application. Just because it is listening to messages in this case doesn't mean it's inactive; you still expect it to push stuff to you.

However, in the case of the QR code, just because you "have" the QR code on your disk doesn't imply you have an intent to visit a link in it. That would be like if you had a .txt file with a string that looked like a URL inside and the system, while indexing the body, somehow visits the supposed URL despite it not even being a real link.

Like imagine you download a restaurant menu to check out the food and they provided it as an image (pretty standard). As a part of that image is a QR code to their Facebook page (also usually benign). In this case, let's say you are uninterested in sharing your (or specifically your IP's) interest in that restaurant with Facebook; this feature as described would share the info for you without consent.

> Like imagine you download a restaurant menu to check out the food and they provided it as an image (pretty standard). As a part of that image is a QR code to their Facebook page (also usually benign). In this case, let's say you are uninterested in sharing your (or specifically your IP's) interest in that restaurant with Facebook; this feature as described would share the info for you without consent.

This isn't any different from someone sending me a link to the menu at their website and them seeing my IP hit the preview there, so I'm not sure why I would care either way; if anything, downloading the menu is more intent on my part than being sent it by someone (who I may or may not even know).

No. In this example your IP is shared with a third party "Facebook" simply because of the embedded QR code to a social page hosted by them. This is something very different from, say, the website of the restaurant you downloaded the menu from knowing your IP.

The privacy implication is very different. If you enable link previews in a messaging app, you consented to any potential site getting your IP. If the restaurant adds a tracker on their page, they've consented to the 3rd party tracking from their end. But with the QR auto-loaded by the OS, neither you nor the first party has explicitly consented to the additional information being shared. There is strictly more information being shared.

> This isn't any different from someone sending me a link to the menu at their website and them seeing my IP hit the preview there

Again this is an inaccurate comparison. The closer analogy would be someone sending a link to a website and somehow your IP is exposed not only to the website that was shared, but also to every other website that the shared website links to.

I'm not sure you want that. At least a lot of people don't want that.

I'm quite sure that I want that. Why would I prefer to fetch previews while I'm trying to look at messages instead of while I'm sleeping?

Prefetching is usually a function of a web browser in response to navigating to a page which contains links. I think the concern is that Safari is not involved at all here. This is the OS doing the prefetch by examining just a file saved to the filesystem.

Sure, but as has been pointed out, the likely explanation is that this is a function being performed locally for indexing or thumbnail generation.

Nobody has come close to showing anything malicious or that data is being exfiltrated, so why is this a problem?

> that data is being exfiltrated

Multiple bits of information are exfiltrated actually, and to a 3rd party (if it turns out the behavior is as described). The obvious one is your IP, which allows for some coarse geolocation. Also implicitly they would know you're running macOS.

The main thing this breaks down is that it assumes that if you have a QR code with a URL saved, then you must trust the target enough to let them see your IP. However, clearly not everyone agrees.

“Downloading image causes outbound http requests against arbitrary endpoints”

Pair this with a zero-day in the HTTP request library and an image becomes the initiation of an attack that leads to a vulnerable client connecting to a malicious endpoint.

Could also easily be used to track users in new ways.

Just two scenarios that immediately come to mind.

Calling the URL is a form of data leakage and exfiltration.

QR codes often include marketing trackers, for one really common example.

One way to exploit this is to send the QR code through email or a messaging app. When I open the email or see the message, the image may be downloaded, the scan starts, and it makes requests which expose my information, including IP, without my realizing it.

That's expected, I think, because people want link previews (and I'd put money on what's happened in this case being that it's the iMessages bot that fetched the URL rather than anything else like photosd or spotlight).
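To make the unique-link and marketing-tracker concerns from the comments above concrete, here is a defender-side audit of what an unattended fetch of a decoded QR URL would disclose, relative to the site the image came from. This is an added example, not code from the thread or from any Apple component; it assumes the QR code has already been decoded to a URL by some other tool, and all hostnames and tokens are constructed.

```python
import math
from urllib.parse import urlsplit, parse_qsl

# Query keys widely used for campaign/click tracking (general knowledge, not from the thread).
TRACKER_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_term",
                  "utm_content", "fbclid", "gclid", "msclkid", "mc_eid"}
MIN_TOKEN_LEN = 16   # shorter values are rarely per-visitor identifiers
MIN_ENTROPY = 3.7    # bits per char; natural-language slugs sit well below this


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_identifier(value):
    return len(value) >= MIN_TOKEN_LEN and shannon_entropy(value) >= MIN_ENTROPY


def audit_qr_url(url, origin_host):
    """List what an unattended fetch of `url` would disclose, relative to
    `origin_host`, the site the image itself was downloaded from."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # Different host: the request (and the client's IP) goes to a third party.
    if host != origin_host and not host.endswith("." + origin_host):
        findings.append("third-party host: " + host)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in TRACKER_PARAMS:
            findings.append("campaign tracker: " + key)
        elif looks_like_identifier(value):
            findings.append("opaque token in " + key + " (possible per-visitor identifier)")
    # Unique links are often an opaque path segment rather than a query value.
    if any(looks_like_identifier(seg) for seg in parts.path.split("/")):
        findings.append("opaque path segment (possible per-visitor identifier)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a menu image from menu.example carrying three QR codes.
    for qr_url in ("https://menu.example/specials",
                   "https://social.example/pages/some-restaurant-page?fbclid=a3f9c1e27b4d6085",
                   "https://cdn.example/i/a3f9c1e27b4d6085"):
        print(qr_url, "->", audit_qr_url(qr_url, "menu.example") or ["no findings"])
```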