[kde] [Bug 508240] New: (Security/privacy) thumbnail.so making online connections for generating HTML file previews

nazo bugzilla_noreply at kde.org
Thu Aug 14 13:34:09 BST 2025 

https://bugs.kde.org/show_bug.cgi?id=508240

            Bug ID: 508240
           Summary: (Security/privacy) thumbnail.so making online
                    connections for generating HTML file previews
    Classification: I don't know
           Product: kde
      Version First unspecified
       Reported In:
          Platform: Debian stable
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: unassigned-bugs at kde.org
          Reporter: nazosan at gmail.com
  Target Milestone: ---

SUMMARY
This is specifically about the thumbnail.so that Dolphin and etc use.  In my
system this file is located at: 
/usr/lib/x86_64-linux-gnu/qt6/plugins/kf6/kio/thumbnail.so  I do not know which
component owns this file, only that Dolphin is using it.  Removing the dolphin
and dolphin-plugins packages does not remove this particular plugin, so it is
presumably external to Dolphin.

Things like Dolphin are using this thumbnail plugin to generate previews of
HTML files and etc, however, it seems it makes online connections in doing so. 
Because thumbnail.so is not a qualified browser, it is unlikely to stay
up-to-date on security necessities, thus making this a potential exploit point
(so HTML processing needs to be very minimal already,) but also, even putting
that aside, because some .html files may be saved with, for example, ad
server/tracking connections, it's also making those connections and it also
lacks anti-fingerprinting/tracking measures that a fully qualified browser
might have.  As the user can't modify it to install some extension like uBlock
or etc nor can the user raise security settings in general, it would be better
to not even generate previews for HTML files at all than to be doing all this,
but alternately, doing very minimal processing would probably be the best
compromise.

STEPS TO REPRODUCE
1. Save a .html file to a folder that makes online connections.
2. Open Dolphin to such a folder with html previews enabled (this is on by
default...)
3. Watch connections using something such as OpenSnitch or whatever is
convenient.

OBSERVED RESULT
kioworkers spawn from the thumbnail.so plugin that make outgoing connections.

EXPECTED RESULT
No outgoing connections should be occurring.

SOFTWARE/OS VERSIONS
Distro Version: Debian Trixie (13)
KDE Plasma Version: 6.3.6
KDE Frameworks Version: 6.13.0
Qt Version: 6.8.2

ADDITIONAL INFORMATION
As a side note, I first observed this as I saw kioworkers from Dolphin trying
to contact actual full blown ad servers (the kinds that do serious tracking.) 
If you want an example of something probably full of ads to watch this thing
try to connect to, you can apparently try saving recipes from recipe sites. 
(My normal browser has uBlock with blocklists, anti-fingerprinting, and etc,
but even so I should probably be using TOR Browser.)  I used the "web page
complete" option when saving, but it likely does not matter.  (This may seem
minor, but modern fingerprinting has reached insane levels...)  This may worry
me more than the security implications since injections via html file previews
probably are going to be very limited in scope (I would hope at least, but I'm
not a security expert) and of course would require you to first save a file
with such an exploit.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the Unassigned-bugs mailing list