Dunhilltraveldeals.com [SOLVED!]

The only document TP3 had open was a new and unchanged file with the default text — I doublechecked that — but TP3 called out to images.dunhilltraveldeals.com?

Uhh… I have absolutely no idea on that one. I just searched my own codebase and didn’t find that URL (as expected of course)… I’ll look around a bit more now.

I don’t know if this will work, but can you try:

  1. Get that dialogue to show again
  2. Open Activity Monitory
  3. Double-Click “TaskPaper” in the Process Name list.
  4. Click the “Sample” button that shows in the Dialogue
  5. And send me those results?

Not sure, but that might help me figure out where the call is coming from.

I’ve been trying to reproduce this myself with a demo version of LittleSnitch… but so far I’ve only seen TaskPaper connect to places that I expect: paddle.com (licensing and analytics) and s3 for software update checks.

Is anyone else running LittleSnitch or other similar software? If so can you tell me if you’ve ever seen TaskPaper connect to any strange servers such as the above?

Thanks for the quick replies, Jesse. Here’s more detail from LS, with the proviso that if I’m the only one who has this problem then it’s probably just my problem — so I’ll try to reproduce it. It seemed odd, but over the years I’ve seen apps make surprising calls that turned out to be innocuous, like pimage.timespeople.nytimes.com. (When the Sparkle vulnerability cropped up, I reset all my LS rules so apps to deny network calls — which is why TP3 has all the denies, FYI.)

There’s another weird URL in there abyss.design... also isn’t expected.

The www.paddle.com guys helped me with this. They said the call isn’t coming from them, and I’m pretty sure it’s not coming from any of my code. Instead I think the problem is coming from when the clipboard reads HTML with some sorts of image links.

For example if you go to your twitter web page, select all the text. Copy your profile image and then paste it into the TaskPaper search field you’ll start seeing LittleSnitch warnings about pbs.twimg.com. I don’t understand the details, but it’s happening when cocoa reads the HTML off the clipboard and tries to load it’s resources.

Might be related to LittleSnitch not handling CNAME’d URLs correctly:

But I don’t really know what I’m talking about what I say that… just repeating what Paddle guys told me :smile:

Jesse

I never would have guessed that, but I’m sure that is it. Super! Many thanks for your attention — fantastic.