[HN Gopher] macOS scanning and following downloaded QR codes has...
___________________________________________________________________
macOS scanning and following downloaded QR codes has been retracted
Author : lilyball
Score : 128 points
Date : 2022-10-05 19:22 UTC (3 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| chrononaut wrote:
| Prior discussions (when macOS was presumed at fault):
|
| - https://news.ycombinator.com/item?id=33095608 (83 comments)
|
| - https://news.ycombinator.com/item?id=33096540 (102 comments)
| vucetica wrote:
| This community is funny at times.
|
| A lot of people had their opinions on those two threads, didn't
| they?
|
| Kudos to the ones who questioned the origin of the phenomenon
| instead of declaring immediately that the world is falling.
| smoldesu wrote:
| It's equally funny to see the collective sigh-of-relief
| expressed through this post's upvotes. OCSP is real and can
| hurt you, warrantless iCloud access still goes un-mitigated,
| but thank God! The QR code IP leak turned out to be a fake.
| Who knew MacOS was a nice and private operating system all
| along?
| derbOac wrote:
| So... I think replication was needed and have a MacBook
| myself. However, the claim in question was tricky to verify
| because it was supposedly occurring over the course of days.
|
| I also think it says a lot about collective anxieties over
| not using an open OS. The scanning wasn't happening but it
| was plausible and there wasn't really much to do about it
| other than try to verify it.
|
| I think the episode says less about collective unwarranted
| paranoia and more about collective vulnerabilities.
|
| I still am scratching my head about the new tweet though.
| It doesn't say the scanning isn't happening, just that it's
| not MacOS.
| zimpenfish wrote:
| > The scanning wasn't happening but it was plausible
|
| I didn't think it was plausible, which is why I set up a
| whole bunch of replication scenarios to verify the
| extraordinary claim.
|
| > It doesn't say the scanning isn't happening, just that
| it's not MacOS.
|
| I think it's clear that the scanning isn't happening and
| that it was just Firefox refetching something?
|
| "I now believe the canary token was triggered [...] by
| Firefox's "recent" shortcuts on the home screen"
| Tijdreiziger wrote:
| OK, now how do we solve it?
|
| I've been thinking about this problem a lot. It seems to me
| you either go full send on the privacy front -> use FLOSS
| operating systems and self-host Nextcloud, or you want the
| comforts of modern apps and services -> buy into Apple's or
| Google's ecosystem.
|
| There exists no option where you get to keep your privacy
| _and_ enjoy modern technology.
| merely-unlikely wrote:
| I'd love Apple to build iCloud hosting via your home mac
| or a new version of the server they used to sell. That
| way all data sits on and is processed by a machine you
| control. Admittedly wishful thinking but I can dream.
| aleksiy123 wrote:
| It's not even at times. It's all the time. There's many
| threads where the actual information is sparse but people
| sound extremely confident about their conclusions. Makes me
| realise that much of the time people are just making stuff
| up, there's just nobody to call them out.
| JimDabell wrote:
| You're not kidding. From the earlier discussion:
|
| > this is the _exact same technology_ Apple lets China use
| to hunt down their religious and political minorities
|
| > one thing is for certain; Apple doesn't treat privacy as
| a human right. If you can live with that, then more power
| to you.
|
| Something tells me people won't use this as an excuse to
| accuse Firefox of human rights abuses though.
| JeremyNT wrote:
| I flagged both of those at the time because it seemed more
| likely to be user error than anything. Bold claims like that
| need more evidence before publishing.
|
| One thing that any programmer knows is that until you have a
| way to reproduce something in a clean environment, a bug report
| on its own cannot be fully trusted. That doesn't mean you
| ignore the possibility that the reporter is correct, because
| sometimes reproduction is very difficult indeed, but you have
| to allow for the fact that something about the user's
| environment or workflow unrelated to your own code might be at
| fault.
|
| We are all susceptible to errors in our methodology or
| limitations in our understanding of how complex systems
| interact. We should be humble and careful about jumping to
| conclusions.
| lapcat wrote:
| In a now deleted tweet, the person was also ridiculing
| security researchers who were DMing him for more information,
| painting them as lazy, as if they hadn't tried to reproduce
| themselves. But nobody could reproduce the issue.
| johnklos wrote:
| It's nice to see people clarify when they make mistakes.
|
| I'm still REALLY curious about the Facebook useragent. Where was
| that from, specifically? Firefox?
| resfirestar wrote:
| Yes, I just tried it and apparently Firefox on iOS uses that
| user agent when it gets a thumbnail of a page for its "Recently
| Saved" and "Jump Back In" sections on the new tab page.
| Operyl wrote:
| A lot of applications seem to use this user agent because a lot
| of sites were providing embed data only to this user agent.
| Bizarre, but a needed evil I guess.
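The refetch pattern described in the two comments above (a canary URL that first sees a real visit, then later hits carrying a link-preview user agent from the same client) is the kind of thing a triage script should separate out before anyone concludes a third party opened the link. The following is an added example, not code from the thread or from any of the projects mentioned; the log lines are constructed, and the `facebookexternalhit/1.1` string and the other preview-fetcher markers are assumptions standing in for the "Facebook user agent" the thread refers to:

```python
import re
from collections import defaultdict

# Constructed sample: Apache/nginx "combined" log lines for one canary URL.
# The facebookexternalhit UA is an assumed stand-in for the Facebook UA
# mentioned in the thread; the exact string a given app sends may differ.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Oct/2022:09:14:02 +0000] "GET /canary/abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/105.0 Mobile/15E148 Safari/605.1.15"
203.0.113.7 - - [04/Oct/2022:11:40:55 +0000] "GET /canary/abc123 HTTP/1.1" 200 512 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
203.0.113.7 - - [05/Oct/2022:08:02:19 +0000] "GET /canary/abc123 HTTP/1.1" 200 512 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
198.51.100.22 - - [05/Oct/2022:13:27:44 +0000] "GET /canary/abc123 HTTP/1.1" 200 512 "-" "curl/7.85.0"
"""

# Combined log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings used by link-preview / unfurl fetchers. Assumed, non-exhaustive
# list: apps borrow the Facebook string because many sites only return
# embed metadata to it, so this marker alone does not identify Facebook.
PREVIEW_UA_MARKERS = (
    "facebookexternalhit", "Twitterbot", "Slackbot-LinkExpanding",
    "Discordbot", "LinkedInBot", "TelegramBot",
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_ua(ua):
    """'preview' for known unfurl/thumbnail fetchers, else 'interactive'."""
    return "preview" if any(marker in ua for marker in PREVIEW_UA_MARKERS) else "interactive"


def triage(log_text):
    """Group canary hits by client address and give each address a verdict.

    refetch      - an interactive visit followed only by preview-style fetches
                   from the same address: the visitor's own client re-requesting
                   the page (thumbnail, "recent" shortcut), not a new party.
    new-visit    - at least one interactive hit that is not explained as above.
    preview-only - only unfurl/thumbnail fetches ever seen from this address.
    """
    hits = [h for h in (parse_line(l) for l in log_text.splitlines()) if h]
    kinds_by_ip = defaultdict(list)
    for h in hits:  # log order is assumed chronological, as in a real access log
        kinds_by_ip[h["ip"]].append(classify_ua(h["ua"]))

    verdicts = {}
    for ip, kinds in kinds_by_ip.items():
        if len(kinds) > 1 and kinds[0] == "interactive" and all(k == "preview" for k in kinds[1:]):
            verdicts[ip] = "refetch"
        elif "interactive" in kinds:
            verdicts[ip] = "new-visit"
        else:
            verdicts[ip] = "preview-only"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(f"{ip:16} {verdict}")
```

On the constructed sample the first address is reported as `refetch` (one Firefox iOS visit, then two preview fetches days later), while the `curl` hit from a second address is a `new-visit` worth escalating. The script keys on address because that is what a canary hit gives you; if the visitor's client is behind a changing address, the preview fetches will show up as `preview-only` from another IP, which is still distinguishable from an interactive open.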
| vestrigi wrote:
| Glad I saw this and now I wonder how often something turns out to
| be false and then we don't happen to read about the retraction.
| Next we incorporate the false information as facts into
| discussions with other people. I mean, I'm worried enough about
| infosec that I had enough interest to read the story but then I
| wouldn't have returned to look further into the story, eventually
| finding out it was false. Instead I'm just lucky to have checked
| out HN once again today.
| yjftsjthsd-h wrote:
| The retraction is that it's not the operating system doing it.
| But honestly, Firefox doing the same thing isn't great either. Am
| I alone in finding it surprising that the recent list actively
| polls the things on it?
| ale42 wrote:
| As far as I understand it, Firefox is not reading QR codes out
| of images and automatically opening links, but rather reloading
| already opened URLs that were coming from QR codes. Maybe not
| ideal, but far better than having the OS scan for QR codes in
| background and loading them without warning.
| zimpenfish wrote:
| One of the quicker cycles of "extraordinary claim" to "retracted"
| I've seen recently.
| rnjesus wrote:
| incite rage with anti-apple sentiment -> get twitter followers
| and engagement
|
| admit you were wrong and made it all up -> get people to
| 'respect' you and even more twitter followers
| imwillofficial wrote:
| I wouldn't say that's a fair characterization.
|
| Besides the ham-fisted approach, the original vuln idea
| seemed reasonable.
|
| They were wrong, it happens to the best of us.
|
| I'd say the potential security risk was worth raising the
| flag over.
|
| Better be wrong and safe, having many of us learn something
| along the way, than overly cautious and leave a potential
| problem unaddressed.
| maliker wrote:
| Great job by the author for looking more closely and clarifying
| this was not an issue.
| bink wrote:
| I hope the Apple security team that was assigned to investigate
| this report is enjoying a nice beverage tonight. Dealing with
| unconfirmed critical security reports with few details can be a
| nightmare, especially when they turn out to be unfounded.
|
| Good practice for the real thing, though.
| gw99 wrote:
| This stuff happens all the time.
|
| A few years back a company I was contracting for had one of
| their end users report a high severity security defect.
| Apparently he signed into the app and thought he had been
| hacked because a couple of large 6-figure transactions had been
| made.
|
| After several hours of inconclusive investigation where even
| identifying the user proved difficult, this turned out to be
| him seeing the marketing example screens in the app store and
| having a panic. The app never even got installed and he never
| signed up for it.
|
| The marketing screens were quickly updated to show something
| less impressive and with a sample data only warning...
| Exuma wrote:
| I wonder how big of a company you'd have to be to go through
| all the effort of changing marketing screens because of that.
| I can picture the biggest company I've worked for laughing at
| that and moving on.
| Arrath wrote:
| > The app never even got installed and he never signed up for
| it.
|
| ....that is some serious "My computer won't turn on. No I
| can't check to see if the power cord is plugged in, its too
| dark to see back there because the power is out." energy.
___________________________________________________________________
(page generated 2022-10-05 23:00 UTC)