
What is it? Why xbar connect to bihell.com on startup? #859

Open
xenio opened this issue Oct 21, 2022 · 25 comments · May be fixed by matryer/xbar-plugins#1875
@xenio commented Oct 21, 2022

I am getting this alert on macOS from the Little Snitch firewall. I had just started it, with no script/plugin loaded.

I can't find any reference to this website in the source code.
Any idea?

[screenshot: Little Snitch alert for xbar]

@franamati

Same happening to me.

@whispy commented Oct 26, 2022

I received this same prompt from Little Snitch. When I run the bihell.com domain through Whois History, it shows that since ~2017, the domain has been registered by someone in Shanghai, China.

The 2017 WHOIS registration shows the registrant as Haseo with the email tpxcer@gmail.com. All subsequent registrations have all info scrubbed, except the location, which is still Shanghai.

If I do a GitHub search for that Gmail address, it pulls up https://github.com/bihell, and that looks like the person who owns that domain.

I'll leave it up to @matryer to investigate and reach out to that person, if needed.

@thomaswitt

Same here. Not cool. Seems to be some kind of big data collection platform: https://bigdata.bihell.com

@leaanthony (Collaborator)

Investigating this 👍

@bede commented Nov 2, 2022

I also came here to report this

@leaanthony (Collaborator)

Can we pinpoint a specific date when this started? There hasn't been a build for quite some time.

@franamati

Not having an exact date in my case, but it was like 3 weeks ago.

@sprak3000 (Sponsor)

I'm not seeing that behavior at all. Might be helpful if people post the version they have, how they installed it, any plugins they are using, and how they installed the plugins. I'm on v2.1.7-beta and only have two plugins running -- my own and MergeFreeze.

@sprak3000 (Sponsor)

@matryer @leaanthony

I think I might know what is going on here. I wonder if Little Snitch is reporting the connection from the xbarapp.com website itself. Currently, there is a plugin being featured on the front page that is reaching out to bihell.com for its app thumbnail image:

[screenshot taken 2022-11-12 20:32:37: featured plugin on the xbarapp.com front page]

The plugin also shows up in the initial opening view of the plugin browser:

[screenshot taken 2022-11-12 20:36:51: initial view of the plugin browser]

The plugin in question seems to have been around for a while. Might be it just started getting featured in the app recently, or people are opening the plugin browser for the first time. Seems fairly benign unless the image itself is meant to be a stealth tracker of xbar usage. 🤷🏽

Hope that helps.

@nekoniaow

> The plugin in question seems to have been around for a while. Might be it just started getting featured in the app recently, or people are opening the plugin browser for the first time. Seems fairly benign unless the image itself is meant to be a stealth tracker of xbar usage. 🤷🏽

It seems fairly naive to assume that a plugin from China, linked to a Chinese data collection service is benign.
It seems much safer to assume that such "features" are malign unless explicitly advertised, which is not the case here.

@sprak3000 (Sponsor)

> It seems fairly naive to assume that a plugin from China, linked to a Chinese data collection service is benign. It seems much safer to assume that such "features" are malign unless explicitly advertised, which is not the case here.

I gave the plugin code a read before my initial post. The plugin itself appears to be trying to get a list of videos from a particular user on bilibili.com, a Shanghai YouTube-esque site. The only link it has to bihell.com is the image https://bihell.com/media/2020/02/bilibili-bitbar.jpg used for the plugin thumbnail. It doesn't even connect to a live asset any longer. Would wager the author used that site as an image host.

Unless you have the plugin installed, the most that happens is a request to fetch an image and having that network connection time out. Happy to concede I may be unaware of sophisticated attacks that somehow could leverage this communication. 🤷🏽

@nekoniaow

> I gave the plugin code a read before my initial post. The plugin itself appears to be trying to get a list of videos from a particular user on bilibili.com, a Shanghai YouTube-esque site. The only link it has to bihell.com is the image https://bihell.com/media/2020/02/bilibili-bitbar.jpg used for the plugin thumbnail. It doesn't even connect to a live asset any longer. Would wager the author used that site as an image host.
>
> Unless you have the plugin installed, the most that happens is a request to fetch an image and having that network connection time out. Happy to concede I may be unaware of sophisticated attacks that somehow could leverage this communication. 🤷🏽

An attack seems unlikely, but this definitely allows them to track any user of xbar who has this plugin installed. That's the whole point of linking to a data collection service.

That may be fine if properly advertised; after all, everyone can choose for themselves, but unless one has Little Snitch installed they would not know that, which is not exactly proper.

And in any case, giving a Chinese entity information that our IP corresponds to an xbar-using Mac does not seem like a good idea by default.

@sprak3000 (Sponsor)

> An attack seems unlikely, but this definitely allows them to track any user of xbar who has this plugin installed.

I pointed that out in my initial post. "unless the image itself is meant to be a stealth tracker of xbar usage. 🤷🏽"

At this point, if you are concerned, don't open the plugin finder, visit the homepage of xbarapp.com, or the Web category page. You'll never get a request made for the image. Open a PR for the plugin removing the reference. Put on your peril sensitive sunglasses, grab your towel, and don't panic.

@nekoniaow

> I pointed that out in my initial post. "unless the image itself is meant to be a stealth tracker of xbar usage. 🤷🏽"

Yet you ignore my concern that this tracker is not publicized to users.

> At this point, if you are concerned, don't open the plugin finder, visit the homepage of xbarapp.com, or the Web category page. You'll never get a request made for the image. Open a PR for the plugin removing the reference. Put on your peril sensitive sunglasses, grab your towel, and don't panic.

Can we refrain from sarcasm and keep the topic on the point of the issue?
If you do not mind the tracking, then you can simply leave the conversation to people who do.

@sprak3000 (Sponsor)

> Yet you ignore my concern that this tracker is not publicized to users.

I think where we differ is the opinion that it is a tracker. I feel based on the overall plugin it was simply someone hosting an image somewhere. Maybe the site is connected to a data tracking platform. That doesn't necessarily mean the plugin author is malicious or is attempting to track us. Your mileage clearly varies.

> Can we refrain from sarcasm and keep the topic on the point of the issue? If you do not mind the tracking, then you can simply leave the conversation to people who do.

No sarcasm intended; apparently my attempt at humor at the end to lighten things up fell flat. I pointed out legitimate ways to avoid having this image appear in your network traffic. The only way I've managed to get that image to appear in my network traffic is by:

  1. Opening the xbar plugin browser. The first view of this brings up a similar view to the xbarapp.com homepage, a view that features the plugin details in turn making a network request for the image.
  2. Opening the xbarapp.com homepage. See above.
  3. Opening the Web plugin page on xbarapp.com where the plugin is also listed.

Finally, I mentioned the solution to not even have this "tracker" present is to open a PR and remove the image line from the plugin. No one will ever see it again. Was going for a bit of levity in the presentation. Apologies for not landing the joke.

@whispy commented Nov 13, 2022

The request to bihell.com was made on my device without opening any of Xbar's UI elements. It occurred when Xbar launched at device startup. The plugin browser was not open.

@sprak3000 (Sponsor)

> The request to bihell.com was made on my device without opening any of Xbar's UI elements. It occurred when Xbar launched at device startup. The plugin browser was not open.

Interesting. I haven't been able to reproduce that behavior. What version are you on? By "device startup", do you mean literally after booting up your machine? I've been closing / reopening the xbar app. Maybe on bootup, there is a code path that pre-fetches the plugin browser data.

@franamati

> The request to bihell.com was made on my device without opening any of Xbar's UI elements. It occurred when Xbar launched at device startup. The plugin browser was not open.

Same happens to me, no UI shown and I also have it at startup. Running latest version (2.1.7-beta).

@sprak3000 (Sponsor)

At this point, the best I can say is someone can get a PR against the file (in the xbar-plugins repo) and poke @matryer et al. to merge it. I don't know if there would be anything in the site or plugin code that would need to change. If the pages / dialogs are hard-coded / cached with the view of that plugin, something may need to change there.

@leaanthony (Collaborator)

What's the real solution here though? Mirror all the plugin images?

Kudos for tracking down the culprit 🙏

@nekoniaow

> What's the real solution here though? Mirror all the plugin images?

This would require a dedicated server, which would be quite weird for a standalone utility like xbar and probably an undesirable additional amount of work for Mat Ryer.

The problem lies in the fact that the plugin image is specified via a URL in the plugin metadata.
It would probably be simpler to require the plugin image to be somehow embedded in the plugin data instead.

Also, from a security standpoint, exposing users to potentially unsafe URLs that they cannot control is a problem.

> Kudos for tracking down the culprit 🙏

Indeed.

@leaanthony (Collaborator)

That's a great idea. Base64 encoded PNG should suffice. That's still a lot of work but worth considering
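
The thread's security point is that a plugin's thumbnail is declared as a URL in the plugin metadata header, so merely rendering the plugin listing makes the client contact whatever host the plugin author chose. The following added example (not code from the xbar project or the xbar-plugins repo) audits plugin headers for third-party image hosts and checks whether an image is instead supplied in the self-contained base64 PNG form discussed above. It uses the `<xbar.image>` / `<bitbar.image>` metadata tags; the allow-list of first-party hosts, the sample plugin headers and the size bound are assumptions made for the example.

```python
import base64
import re
from urllib.parse import urlparse

# Metadata tags the xbar plugin browser reads for the thumbnail;
# xbar also honours the legacy bitbar.* spelling.
IMAGE_TAG_RE = re.compile(
    r"<(?:xbar|bitbar)\.image>(.*?)</(?:xbar|bitbar)\.image>", re.S
)

# Assumed allow-list for this example (not an xbar setting): hosts the
# project itself serves from. Any other host learns the client's IP and
# xbar usage every time the listing is rendered.
FIRST_PARTY_HOSTS = {"xbarapp.com", "github.com", "raw.githubusercontent.com"}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def image_urls(plugin_source: str) -> list[str]:
    """Return every image URL declared in a plugin's metadata header."""
    return [m.strip() for m in IMAGE_TAG_RE.findall(plugin_source)]


def third_party_hosts(plugin_source: str) -> set[str]:
    """Hosts contacted to render this plugin's thumbnail, excluding first-party
    hosts and data: URIs (which cause no network request at all)."""
    hosts = set()
    for url in image_urls(plugin_source):
        parsed = urlparse(url)
        if parsed.scheme == "data":
            continue
        host = (parsed.hostname or "").lower()
        if host and host not in FIRST_PARTY_HOSTS:
            hosts.add(host)
    return hosts


def is_embedded_png(url: str, max_bytes: int = 256 * 1024) -> bool:
    """True if the image is an inline base64 PNG data: URI of bounded size,
    i.e. the self-contained form that needs no remote fetch."""
    prefix = "data:image/png;base64,"
    if not url.startswith(prefix):
        return False
    try:
        raw = base64.b64decode(url[len(prefix):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(PNG_SIGNATURE) and len(raw) <= max_bytes


def audit(plugins: dict[str, str]) -> dict[str, set[str]]:
    """Map plugin name -> third-party hosts its thumbnail would contact,
    listing only plugins that contact at least one."""
    findings = {}
    for name, source in plugins.items():
        hosts = third_party_hosts(source)
        if hosts:
            findings[name] = hosts
    return findings


# Constructed sample plugin headers (not real plugins from xbar-plugins).
REMOTE_IMAGE_PLUGIN = """#!/bin/bash
# <xbar.title>Example video feed</xbar.title>
# <xbar.image>https://img.example.net/media/thumb.jpg</xbar.image>
echo "hello"
"""

# The well-known 67-byte 1x1 transparent PNG, embedded as a data: URI.
ONE_PIXEL_PNG = base64.b64encode(
    PNG_SIGNATURE + bytes.fromhex(
        "0000000d49484452000000010000000108060000001f15c489"
        "0000000a49444154789c63000100000500010d0a2db4"
        "0000000049454e44ae426082"
    )
).decode()

EMBEDDED_IMAGE_PLUGIN = f"""#!/bin/bash
# <xbar.title>Example self-contained plugin</xbar.title>
# <xbar.image>data:image/png;base64,{ONE_PIXEL_PNG}</xbar.image>
echo "hello"
"""

if __name__ == "__main__":
    for name, hosts in audit(
        {"remote": REMOTE_IMAGE_PLUGIN, "embedded": EMBEDDED_IMAGE_PLUGIN}
    ).items():
        print(f"{name}: thumbnail fetched from third party {sorted(hosts)}")
```

Run over a checkout of the plugins directory, `audit` gives the list of hosts a client would contact just by browsing; `is_embedded_png` is the acceptance check a repository CI job could apply if the project moves to embedded images, since a data: URI is only safe to accept when it decodes cleanly, carries the PNG signature and stays within a size bound.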

@gileswells

Hello @leaanthony,

I'm very new here, and while checking the issues list before installing I found this thread and wanted to offer up a sledgehammer solution of sorts to this ET-phone-home-style issue that @xenio raised.

This project looks cool and I hope to dive into it more over the coming weeks.

@shanejx commented May 21, 2023

Hello, I would like to add that I just installed xbar for the first time using homebrew (brew install xbar), and bihell.com was the second or third connection xbar made after xbarapp.com according to Little Snitch. I have no plugins installed yet, so it looks like it's coming from the base app?

@leaanthony (Collaborator)

It's a thumbnail for the plugin. @matryer and I are looking to self host the images once we can sync 👍


10 participants