What is it? Why xbar connect to bihell.com on startup? #859
Comments
Same happening to me. |
I received this same prompt from Little Snitch. When I run the The 2017 WHOIS registration shows the registrant as If I do a github search for that gmail address, it pulls up: https://github.com/bihell and that looks like the person who owns that domain. I'll leave it up to @matryer to investigate and reach out to that person, if needed. |
Same here. Not cool. Seems to be some kind of big data collection platform: https://bigdata.bihell.com |
Investigating this 👍 |
I also came here to report this |
Can we pinpoint a specific date when this started. There hasn't been a build for quite some time. |
Not having an exact date in my case, but it was like 3 weeks ago. |
I'm not seeing that behavior at all. Might be helpful if people post the version they have, how they installed it, any plugins they are using, and how they installed the plugins. I'm on |
I think I might know what is going on here. I wonder if Little Snitch is reporting the connection from the xbarapp.com website itself. Currently, there is a plugin being featured on the front page that is reaching out to bihell.com for its app thumbnail image: The plugin also shows up in the initial opening view of the plugin browser: The plugin in question seems to have been around for a while. Might be it just started getting featured in the app recently, or people are opening the plugin browser for the first time. Seems fairly benign unless the image itself is meant to be a stealth tracker of xbar usage. 🤷🏽 Hope that helps. |
It seems fairly naive to assume that a plugin from China, linked to a Chinese data collection service is benign. |
I gave the plugin code a read before my initial post. The plugin itself appears to be trying to get a list of videos from a particular user on Unless you have the plugin installed, the most happening is a request to fetch an image and having that network connection time out. Happy to concede I may be unaware of sophisticated attacks that somehow could leverage this communication. 🤷🏽 |
An attack seems unlikely but this definitely allows them to track any user of xbar which has this plugin installed. That's the whole point of linking to a data collection service. That may be fine if properly advertised, after all, everyone can choose for themselves, but unless one has Little Snitch installed they would not know that, which is not exactly proper. And in any case, giving a Chinese entity information that our IP corresponds to an xbar-using Mac does not seem like a good idea by default. |
I pointed that out in my initial post. "unless the image itself is meant to be a stealth tracker of xbar usage. 🤷🏽" At this point, if you are concerned, don't open the plugin finder, visit the homepage of xbarapp.com, or the |
Yet you ignore my concern that this tracker is not publicized to users.
Can we abstain from sarcasm and keep the topic on point of the issue? |
I think where we differ is the opinion that it is a tracker. I feel based on the overall plugin it was simply someone hosting an image somewhere. Maybe the site is connected to a data tracking platform. That doesn't necessarily mean the plugin author is malicious or is attempting to track us. Your mileage clearly varies.
No sarcasm intended; apparently my attempt at humor at the end to lighten things up fell flat. I pointed out legitimate ways to avoid having this image appear in your network traffic. The only way I've managed to get that image to appear in my network traffic is by:
Finally, I mentioned the solution to not even have this "tracker" present is to open a PR and remove the image line from the plugin. No one will ever see it again. Was going for a bit of levity in the presentation. Apologies for not landing the joke. |
The request to bihell.com was made on my device without opening any of Xbar's UI elements. It occurred when Xbar launched at device startup. The plugin browser was not open. |
Interesting. I haven't been able to reproduce that behavior. What version are you on? By "device startup", do you mean literally after booting up your machine? I've been closing / reopening the xbar app. Maybe on bootup, there is a code path that pre-fetches the plugin browser data. |
Same happens to me, no UI shown and I also have it at startup. Running latest version (2.1.7-beta). |
At this point, best I can say is someone can get a PR against the file (in the xbar-plugins repo) and poke @matryer, et al. to merge it. I don't know if there would be anything in the site or plugin code that would need to change. If the pages / dialogs are hard-coded / cached with the view of that plugin, may need something there. |
What's the real solution here though? Mirror all the plugin images? Kudos for tracking down the culprit 🙏 |
This would require a dedicated server, which would be quite weird for a standalone utility like xbar and probably an undesirable additional amount of work for Mat Ryer. The problem lies in the fact that the plugin image is specified via a URL in the plugin metadata. Also, from a security standpoint, exposing users to potentially unsafe URLs that they cannot control is a problem.
Indeed. |
That's a great idea. Base64 encoded PNG should suffice. That's still a lot of work but worth considering |
Hello @leaanthony, I'm very new here and while checking the issues list before installing I found this thread and wanted to offer up a sledgehammer solution of sorts to this ET phone home style issue that @xenio raised. This project looks cool and I hope to dive into it more over the coming weeks. |
Hello, I would like to add that I just installed xbar for the first time using homebrew (brew install xbar), and bihell.com was the second or third connection xbar made after xbarapp.com according to Little Snitch. I have no plugins installed yet, so it looks like it's coming from the base app? |
It's a thumbnail for the plugin. @matryer and I are looking to self host the images once we can sync 👍 |
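Added example, not part of the thread or of xbar's own code: a reviewer-side check that reads plugin sources, extracts the thumbnail URL from the metadata and groups plugins by any image host outside an allowlist, which is the condition that produced the bihell.com connection discussed above. The `<xbar.image>` / `<bitbar.image>` comment-tag form, the `xbarapp.com` allowlist entry and the sample plugins are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed metadata form: a comment line "# <xbar.image>URL</xbar.image>"
# (older plugins use the bitbar.* prefix).
IMAGE_TAG = re.compile(r"<(xbar|bitbar)\.image>\s*(.*?)\s*</\1\.image>", re.I)

def image_urls(source):
    """Return every non-empty image reference declared in a plugin's metadata."""
    return [url for _, url in IMAGE_TAG.findall(source) if url]

def classify(url, trusted_hosts):
    """Return (kind, host); kind is embedded, trusted, third-party or invalid."""
    if url.lower().startswith("data:image/"):
        return "embedded", None          # inline image, no network request
    try:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
    except ValueError:                   # e.g. malformed bracketed host
        return "invalid", None
    if parts.scheme not in ("http", "https") or not host:
        return "invalid", None
    # Exact match or true subdomain only, so "evilxbarapp.com" is not trusted.
    if any(host == t or host.endswith("." + t) for t in trusted_hosts):
        return "trusted", host
    return "third-party", host

def audit(plugins, trusted_hosts):
    """Map each third-party image host to the plugins that reference it."""
    hits = defaultdict(list)
    for name, source in sorted(plugins.items()):
        for url in image_urls(source):
            kind, host = classify(url, trusted_hosts)
            if kind == "third-party":
                hits[host].append(name)
    return dict(hits)

# Constructed sample plugin sources (file names, hosts and paths are made up).
SAMPLE_PLUGINS = {
    "videos.5m.py": "#!/usr/bin/env python3\n# <xbar.title>Videos</xbar.title>\n"
                    "# <xbar.image>https://img.thirdparty.example/shot.png</xbar.image>\n",
    "clock.1s.sh": "#!/bin/bash\n# <bitbar.image>https://xbarapp.com/clock.png</bitbar.image>\n",
    "cpu.10s.sh": "#!/bin/bash\n# <xbar.image>data:image/png;base64,iVBORw0KGgo=</xbar.image>\n",
    "notes.1h.rb": "# <xbar.image>http://CDN.thirdparty.example/n.png</xbar.image>\n",
}

if __name__ == "__main__":
    for host, names in audit(SAMPLE_PLUGINS, {"xbarapp.com"}).items():
        print(host, names)
```

Run against a checkout of the plugin repository, a report like this can gate pull requests so a new external image host is reviewed before it reaches every user's plugin browser.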
I am getting this alert on macOS from Little Snitch Firewall. I just started and with no script/plugin loaded.
I can't get any reference to this website on the source code.
Any idea?