Bear (macOS) looks silently into your clipboard and fetches URLs

A feature — that can be disabled — in the famous notes application for macOS looks into the clipboard every time the windows of the app is on focus and fetches URLs in order to fetch link information.

I accidentally discovered a behaviour of the super popular application Bear for macOS, which is still (12 October) Editors’ choice on the Mac App Store and won 2017 Apple Design Award. In other words, it’s pretty big.

Bear on MAS: editors’ choice and Apple Design Award 2017

The not-expected behaviour is this:

1. I copy some text from anywhere in my Mac: a browser, an application, the spotlight search text field.
2. You can keep normally using your Mac.
3. As soon as you focus on the Bear app (clicking into the window or using Cmd+Tab to go back to the app, opening the app from scratch), Bear will look into the system’s clipboard and look for the http[s] pattern. If a match is found, the app make a call to the URL. No action is required inside Bear: just the fact that is active will trigger the fetching.

In this video, URL is called as soon as the Bear window’s active

I posted the question on the reddit of the Bear’s community and the developers promptly replied me:

Bear want to provide you with an easy way to paste your links in markdown format and for doing that it needs the title for the URLs you’re going to paste, so when you focus the app and you have a link in the clipboard Bear grabs the link title making an http request to the URL (only once) and pre-populate your clipboard with a well formed markdown link.

Fetching the URLs when the user paste is unfortunately not viable as the http request could take seconds and it asynchronous, and we don’t want to make the user wait :)

Key point is that this is a wanted behaviour and the purpose is exclusively to have a better user experience when copy-pasting links. In my opinion, evidently not in line with the developers’, is that this behaviour constitues an high risk for both privacy and security of the users. A few points that I can briefly think of:

1. Privacy issue #1: Bear continuously explores the users’ clipboard looking for URLs. I had limited this research to http[s] patterns but of course I have no idea what else can be scanned — just think about how many things you copy-paste in the daily life, especially passwords.
2. Privacy issue #2: the developers stated — and it’s easily verifiable — that URLs are fetched only once. It’s true: all links are fetched the first time and then they are not, even if you close the app or change note. I currently don’t know how much time Bear keeps the fetched URLs, but the point is that Bear, in order to do so, actually keeps a list of all the copied URLs.
3. Security and privacy issue #3: It may be the case that I’m using a VPN only for the browser navigation — or more commonly, that I’m using TOR Browser. In this situation, only the traffic generated by that specific application are routed through the TOR network or the VPN. It’s not needed to say how common it is to copy-paste URLs. If you’re using Bear, there’s a high chance to involuntarily make a call to those addresses nullifying the effect of the security and privacy tools like TOR/VPNs.
4. Security issue #4: There are URLs that are much more that normal addresses but real commands. Nobody wants to trigger an operation via URLs without even knowing just because Bear is fetching the title of the page. Just think about any GET call to an API that can involuntarily be actioned, adding, editing or deleting data on a web service.
   For issues #3 and #4, thanks to OderWat who commented on my original Reddit post.

This feature can be disabled from the user but the option itself is misleading: Bear is not parsing URLs “when pasting web addresses” but without any action other than being on the application window.

The option text is misleading

In conclusion, I hope Bear’s team will revaluate this behaviour and change it as soon as possible. A way to operate completely obscure to users that can be dangerous in several different ways and it’s done because “we don’t want to make the user wait” for seconds. I was expecting much more from such an awarded application and a great team of developers. As many other text editors and web services do, I think a reasonable way it’s to fetch URLs once pasted into the note, avoiding to adopt risky behaviours. In other words, it’s time to start thinking with privacy by desing and by default as fundamental principles.

On my same reddit post I’ve been informed that a similar issue was discovered in the app iTerm2. In that case though, it was correctly handled like a big security issue. As of today (23/10), Bear’s developers seem indifferent to the problem.