https://bugs.kde.org/show_bug.cgi?id=421886
Bug ID: 421886
Summary: Privacy & security issue by art URL requested externally by desktop environment
Product: plasma-browser-integration
Version: unspecified
Platform: Debian testing
OS: Linux
Status: REPORTED
Severity: major
Priority: NOR
Component: general
Assignee: k...@privat.broulik.de
Reporter: zocker.netw...@gmail.com
Target Milestone: ---

SUMMARY

On a website (example below) where plasma-browser-integration finds art for the currently playing media, the add-on sends the URL of this art via MPRIS to the desktop environment, which is quite a nice feature. However, this feature introduces issues that are not stated in the description of the add-on.

By definition, the desktop environment trusts these URLs to be proper art URLs because they come from applications the user should fully trust. If plasma-browser-integration is installed, it allows any webpage you visit to make the desktop environment download and open whatever URL it wants. This leads to the following issues:

- This request is outside the expectation of any user who does not know how MPRIS works.
- The protections the browser is using (using a proxy, using HTTPS only, only connecting to trusted third-party domains) may not apply to the desktop environment. In case a proxy or an HTTPS-only rule is circumvented, the privacy of the user may be at higher risk.
- The server receiving the request from the desktop environment may now know which environment the user runs on his system due to the 'User-Agent' header. The common user only expects that the kernel and browser may be known to the server.
- If the browser is running with further restrictions (AppArmor, SELinux, snap, …), these restrictions may not apply to the desktop environment requesting the art.

STEPS TO REPRODUCE

1. Open a webpage embedding a video with a thumbnail in your browser (example: https://www.youtube.com/watch?v=tPDF3LMG_q8). In my example you need to start playing the video.
2. Open the media player widget of Plasma to ensure the thumbnail is shown (indicates a remote request for the thumbnail).
3. Run `playerctl metadata` (requires https://github.com/altdesktop/playerctl/) and search for an entry like the one below (verifies the remote source of the art; the URL may change):
   `plasma-browser-integration mpris:artUrl https://i.ytimg.com/vi/tPDF3LMG_q8/hqdefault.jpg?<ADDITIONAL-GET-PARAMETER>`

EXPECTED BEHAVIOR

I expect & recommend that either no art URL is shown, only trusted domains (for the art URL, not the webpage itself!) are downloaded, or the browser downloads the art to a cache directory from which the desktop environment can load it. This would limit the attack vectors massively and either let users decide where their data (about the desktop environment) goes, or make it not even required.

SOFTWARE/OS VERSIONS

Kernel: Linux 5.6.0-1-amd64
OS: Debian GNU/Linux Bullseye/Sid
(available in About System)
KDE Plasma Version: 5.17.5
KDE Frameworks Version: 5.62.0
Qt Version: 5.12.5

ADDITIONAL INFORMATION

I discovered this issue because, due to a video embedded into a website, my plasma-desktop crashed repeatedly until the site was closed or plasma-browser-integration was disabled. I could not find the page again to research why Plasma kept crashing (if I find a similar case, I will append the URL to this issue). Plasma was showing a certificate issue because I had temporarily trusted the certificate of the server in my browser but not in Plasma. But this issue should focus on the general security & privacy issues of this otherwise great feature.
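Added example (not part of the bug report, and not code from plasma-browser-integration or Plasma): a small audit script that parses `playerctl metadata` output in the shape quoted in step 3 and applies the policy the reporter proposes under EXPECTED BEHAVIOR, allowing an `mpris:artUrl` only when it is a `file://` URL inside a browser-owned cache directory or an `https://` URL on an allowlisted host, and rejecting everything else (plain `http`, arbitrary hosts, path traversal out of the cache). The sample metadata lines, the cache directory path and the allowlist are constructed assumptions for illustration; only the `i.ytimg.com` line mirrors the entry shown in the report.

```python
"""Audit MPRIS artUrl values against the policy proposed in the bug report.

Added example, not the add-on's or Plasma's own code. It reads the
`player key value` line format that `playerctl metadata` prints and
decides, per player, whether the desktop environment should be allowed
to fetch the art URL at all.
"""
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed sample of `playerctl metadata` output. The first artUrl line
# mirrors the entry quoted in the report; the other players are invented.
SAMPLE_METADATA = """\
plasma-browser-integration mpris:trackid /org/kde/plasma/browser_integration/1
plasma-browser-integration mpris:artUrl https://i.ytimg.com/vi/tPDF3LMG_q8/hqdefault.jpg?sqp=abc&rs=xyz
plasma-browser-integration xesam:title Example video
vlc mpris:artUrl file:///home/user/.cache/browser/art/abc123.jpg
spotify mpris:artUrl http://attacker.example/track.png
mpv mpris:artUrl file:///etc/passwd
"""

# Hypothetical policy inputs (assumptions, not taken from Plasma or the add-on):
# a cache directory the browser itself writes art into, and the hosts the
# desktop environment would be allowed to contact over HTTPS.
ART_CACHE_DIR = "/home/user/.cache/browser/art"
ALLOWED_HTTPS_HOSTS = {"i.ytimg.com"}


def parse_playerctl_metadata(text):
    """Return {(player, key): value} from `playerctl metadata` style lines.

    Each line is `<player> <key> <value>`; the value may contain spaces,
    so only the first two whitespace-separated fields are split off.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        player, key, value = parts
        entries[(player, key)] = value
    return entries


def classify_art_url(url):
    """Return ('allow' | 'reject', reason) for one artUrl value."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        # file://host/... would make the DE open a remote share; refuse it.
        if parts.netloc not in ("", "localhost"):
            return "reject", "file URL with a remote host"
        # normpath collapses ../ so a traversal out of the cache is caught.
        path = posixpath.normpath(unquote(parts.path))
        if path == ART_CACHE_DIR or path.startswith(ART_CACHE_DIR + "/"):
            return "allow", "local file inside the browser's art cache"
        return "reject", "local file outside the browser's art cache"
    if scheme == "https":
        host = (parts.hostname or "").lower()
        if host in ALLOWED_HTTPS_HOSTS:
            return "allow", "https to an allowlisted host"
        return "reject", "https to a non-allowlisted host"
    # http://, data:, ftp:, anything else: the DE should never fetch it.
    return "reject", "scheme %r not permitted for art URLs" % scheme


def audit(text):
    """Map each player with an mpris:artUrl to its (verdict, reason)."""
    results = {}
    for (player, key), value in parse_playerctl_metadata(text).items():
        if key == "mpris:artUrl":
            results[player] = classify_art_url(value)
    return results


if __name__ == "__main__":
    for player, (verdict, reason) in sorted(audit(SAMPLE_METADATA).items()):
        print(f"{player:30} {verdict:6} {reason}")
```

To run it against a live session instead of the constructed sample, pipe the real output in (`playerctl metadata | python3 audit_art_url.py` with `audit(sys.stdin.read())` substituted for the sample); the allowlist only expresses the reporter's "trusted domains" option, and the cache-directory branch expresses the "browser downloads the art to a cache directory" option.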