Hacker News
by grooot 1355 days ago
Sure, but as has been pointed out, the likely explanation is that this is a function being performed locally for indexing or thumbnail generation.

Nobody has come close to showing anything malicious or that data is being exfiltrated, so why is this a problem?

3 comments

> that data is being exfiltrated

Multiple bits of information are exfiltrated actually, and to a 3rd party (if it turns out the behavior is as described). The obvious one is your IP, which allows for some coarse geolocation. Also implicitly they would know you're running macOS.

The main thing this breaks down is that it assumes that if you have a QR code with a URL saved, then you must trust the target enough to let them see your IP. However, clearly not everyone agrees.

“Downloading image causes outbound http requests against arbitrary endpoints”

Pair this with a zero-day in the HTTP request library and an image becomes the initiation of an attack that leads to a vulnerable client connecting to a malicious endpoint.

Could also easily be used to track users in new ways.

Just two scenarios that immediately come to mind.

Calling the URL is a form of data leakage and exfiltration.

QR codes often include marketing trackers, for one really common example.