[Matt Hodges/@hodgesmr] macOS is background scanning images on my computer and, when those images are QR codes that point to URLs, it’s decoding the codes and requesting the URL


It’s not any crazier than what a website could do.

Any website (or app) can make arbitrary requests to any URL on the user’s behalf, without the user knowing. This is exactly how trackers like Facebook and Google operate.

This has less impact since the image needs to be stored on your device – which means you either intentionally took the picture, copied it onto your device, or downloaded it.

(A QR code on a website would trigger this as well, but if a website wanted to do that, it could just directly tell your browser to request the URL without your consent, so there’s no point in going the QR code route there.)

This isn’t to say it’s not a privacy risk, it absolutely is – but it’s not any more of an attack surface than Safari or apps in the App Store, all of which can make arbitrary requests without consent, and there’s nothing you can do about them (on an iOS device, you can see them under Settings > Privacy & Security > App Privacy Report > Most Contacted Domains: Show All).

The proper solution would be to prevent ALL apps and the OS from reaching certain domains (i.e. a firewall for outgoing connections). For example, if an app, website, or in this case a QR code tries to make a request to Google, block it, regardless of what triggered the request.
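A sketch of that destination-only policy, added here as an example and not taken from the original post: the verdict is computed from the requested host alone, so a tracker script, an app and the OS image scanner are all treated the same. The blocklist contents, initiator names and sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed blocklist, using the domains the post names as examples.
BLOCKED_DOMAINS = {"google.com", "facebook.com"}


def normalize_host(host: str) -> str:
    """Lowercase and drop the trailing root dot so 'Google.COM.' equals 'google.com'."""
    return host.strip().lower().rstrip(".")


def is_blocked(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """Match the host or any parent domain, on label boundaries only.

    'graph.facebook.com' matches 'facebook.com'; 'notgoogle.com' and
    'google.com.example.org' do not match 'google.com'.
    """
    labels = normalize_host(host).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def decide(event: dict) -> str:
    """Verdict depends only on the destination; the initiator is never consulted."""
    host = urlsplit(event["url"]).hostname or ""
    return "BLOCK" if is_blocked(host) else "ALLOW"


# Constructed outbound requests; initiator names are hypothetical labels.
EVENTS = [
    {"initiator": "browser-tracker-script", "url": "https://www.google.com/collect?id=1"},
    {"initiator": "app-store-app", "url": "https://graph.facebook.com/v1/events"},
    {"initiator": "os-qr-image-scan", "url": "https://Google.com./qr-landing"},
    {"initiator": "os-qr-image-scan", "url": "https://notgoogle.com/"},
    {"initiator": "browser", "url": "https://google.com.example.org/"},
]


def verdicts(events=EVENTS):
    """Return (initiator, verdict) pairs for each constructed request."""
    return [(e["initiator"], decide(e)) for e in events]


if __name__ == "__main__":
    for initiator, verdict in verdicts():
        print(f"{verdict:5} {initiator}")
```

Matching on whole labels matters in both directions: a plain substring test would block unrelated look-alike hosts, while an exact-match test would miss subdomains of a blocked domain.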
