HACKER Q&A
📣 noduerme

Did I just catch TextEdit systematically scanning my hard drive?


I was checking to see what was holding a particular JPG file open... `lsof -V | grep "filename"`. Hm, I thought, that's odd. TextEdit? TextEdit is open with a couple little note files. So I ran `lsof | grep "TextEdit" > wtf.txt` and got thousands of open files, of all filetypes, currently opened by TextEdit. It was an in-progress list that was systematically and alphabetically running through my entire directory structure.

I quit TextEdit, ran lsof again just to make sure there wasn't some other app called "TextEdit" doing it, and the list was blank. Since reopening it, I can't reproduce it.

After quite a bit of searching I can't find any other reports resembling this.

Anyone have any thoughts on it?

This is Monterey 12.6 so in theory not vulnerable to CVE-2019-8761[0]. Also did a search for anything on my drive with "" inside a .txt file, and found none.

File descriptors were all 'txt' (regardless of filetype), type of files were all 'REG' regular.

[0]https://www.securemac.com/news/textedit-flaw-could-have-let-hackers-create-malicious-txt-files


  👤 TechBro8615 Accepted Answer ✓
It could be benign behavior of a poorly implemented change-watching system. But since TextEdit is an official Mac utility (right?), that would be surprising. It could also be some other benign behavior that is triggering false positives in your detection mechanism, e.g. the shell where you're running `lsof` and the `grep` process itself, which includes a `TextEdit` parameter in its command line arguments (the call is coming from inside the house!) - make sure you're verifying that it's actually TextEdit.app that has those files open, and take note of the PID.

If it's malicious, one possibility is that a malicious payload is masquerading as TextEdit using Dylib hijacking [0]. You can scan for this by using Dylib Hijack Scanner [1], a tool developed by Patrick Wardle, who was the researcher to first publicize the Dylib hijacking technique.

Also be sure to take a look at the other products from Patrick's site, some of which will help you monitor for and diagnose this kind of potentially malicious behavior.

[0] https://twitter.com/patrickwardle/status/1648865533041967105

[1] https://objective-see.org/products/dhs.html
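One way to do the verification TechBro8615 describes, as an added example that is not part of the thread: match on lsof's COMMAND and PID columns instead of grepping whole lines, so a process that merely has a file under a TextEdit path open is not counted as TextEdit. The sample lsof output, PIDs, user and paths below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Works on lsof's column layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (NAME may contain spaces).

# Constructed lsof-style sample: the last two lines mention "TextEdit" in the
# path but belong to other processes, which a plain grep would count as hits.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
TextEdit   4242 alice  txt    REG    1,4   123456 9001 /Users/alice/notes/todo.txt
TextEdit   4242 alice  txt    REG    1,4    88888 9002 /Users/alice/Pictures/cat.jpg
Finder      512 alice  txt    REG    1,4     4096 7001 /System/Applications/TextEdit.app/Contents/Info.plist
mdworker   1999 alice  txt    REG    1,4     2048 7002 /Users/alice/Documents/TextEdit-tips.pdf'

# Naive count: every line that mentions the name anywhere (lsof text on stdin).
naive_count() {            # $1 = name to grep for
    grep -c "$1"
}

# Strict count: only lines whose COMMAND column equals the name exactly.
strict_count() {           # $1 = process name, lsof text on stdin
    awk -v cmd="$1" '$1 == cmd { n++ } END { print n + 0 }'
}

# PIDs owning the matching lines, deduplicated, one per line.
strict_pids() {            # $1 = process name, lsof text on stdin
    awk -v cmd="$1" '$1 == cmd && !seen[$2]++ { print $2 }'
}

# Regular-file paths held open by one PID; NAME is fields 9..NF so spaces survive.
paths_for_pid() {          # $1 = pid, lsof text on stdin
    awk -v pid="$1" '$2 == pid && $5 == "REG" {
        path = $9; for (i = 10; i <= NF; i++) path = path " " $i; print path }'
}

# Live check on a Mac: resolve the PID first, print which binary it is running
# (on macOS `ps -o comm=` gives the executable path, so a look-alike process
# outside /System/Applications/TextEdit.app stands out), then ask lsof about
# that PID only and count its open regular files.
live_check() {             # $1 = process name (default TextEdit)
    name=${1:-TextEdit}
    for pid in $(pgrep -x "$name"); do
        printf 'pid %s runs: ' "$pid"; ps -o comm= -p "$pid"
        printf 'regular files open: '
        lsof -p "$pid" | paths_for_pid "$pid" | wc -l | tr -d ' '
    done
}
```

Run `live_check` while the behaviour is happening; a count in the thousands from the genuine /System/Applications binary and a count near zero from the constructed sample both come from the same column-based filter.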


👤 tengwar2
I tried the second command. I got a load of open files, but all of them system stuff or fonts, nothing suspicious.

TextEdit does store old versions of files it is working on, as with Time Machine. I wonder if what you saw was in some way related?