[kde] [Bug 508240] New: (Security/privacy) thumbnail.so making online connections for generating HTML file previews
nazo
bugzilla_noreply at kde.org
Thu Aug 14 13:34:09 BST 2025
https://bugs.kde.org/show_bug.cgi?id=508240
Bug ID: 508240
Summary: (Security/privacy) thumbnail.so making online connections for generating HTML file previews
Classification: I don't know
Product: kde
Version First Reported In: unspecified
Platform: Debian stable
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: unassigned-bugs at kde.org
Reporter: nazosan at gmail.com
Target Milestone: ---
SUMMARY
This is specifically about the thumbnail.so that Dolphin etc. use. On my
system this file is located at:
/usr/lib/x86_64-linux-gnu/qt6/plugins/kf6/kio/thumbnail.so. I do not know which
component owns this file, only that Dolphin is using it. Removing the dolphin
and dolphin-plugins packages does not remove this particular plugin, so it is
presumably external to Dolphin.
Things like Dolphin are using this thumbnail plugin to generate previews of
HTML files etc.; however, it seems it makes online connections in doing so.
Because thumbnail.so is not a qualified browser, it is unlikely to stay
up-to-date on security necessities, thus making this a potential exploit point
(so HTML processing needs to be very minimal already), but also, even putting
that aside, because some .html files may be saved with, for example, ad
server/tracking connections, it's also making those connections, and it also
lacks the anti-fingerprinting/tracking measures that a fully qualified browser
might have. As the user can't modify it to install some extension like uBlock
etc., nor can the user raise security settings in general, it would be better
to not even generate previews for HTML files at all than to be doing all this;
alternately, doing very minimal processing would probably be the best
compromise.
STEPS TO REPRODUCE
1. Save a .html file that makes online connections to a folder.
2. Open Dolphin in such a folder with HTML previews enabled (this is on by
default...).
3. Watch connections using something such as OpenSnitch or whatever is
convenient.
OBSERVED RESULT
kioworkers spawn from the thumbnail.so plugin that make outgoing connections.
EXPECTED RESULT
No outgoing connections should be occurring.
SOFTWARE/OS VERSIONS
Distro Version: Debian Trixie (13)
KDE Plasma Version: 6.3.6
KDE Frameworks Version: 6.13.0
Qt Version: 6.8.2
ADDITIONAL INFORMATION
As a side note, I first observed this as I saw kioworkers from Dolphin trying
to contact actual full-blown ad servers (the kinds that do serious tracking).
If you want an example of something probably full of ads to watch this thing
try to connect to, you can apparently try saving recipes from recipe sites.
(My normal browser has uBlock with blocklists, anti-fingerprinting, etc.,
but even so I should probably be using Tor Browser.) I used the "web page,
complete" option when saving, but it likely does not matter. (This may seem
minor, but modern fingerprinting has reached insane levels...) This may worry
me more than the security implications, since injections via HTML file previews
probably are going to be very limited in scope (I would hope, at least, but I'm
not a security expert) and of course would require you to first save a file
with such an exploit.
--
You are receiving this mail because:
You are the assignee for the bug.
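A quick way to confirm the behaviour described in the steps above without a full-blown tool like OpenSnitch is to inspect the kernel's socket table for connections owned by KIO worker processes. The script below is an added example and is not part of the bug report or of any KDE component: it parses the output of `ss -tnp` from iproute2 (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process columns, with the process shown as `users:(("name",pid=N,fd=M))`) and prints the remote endpoint and PID for every established TCP socket belonging to a matching process name. The sample `ss` output embedded in it is constructed for the demonstration (documentation-range IP addresses, made-up PIDs); on a live system you would pipe real `ss -tnp` output into `kio_peers` while Dolphin is rendering previews.

```shell
#!/bin/sh
# Added example (not from the bug report): report remote endpoints of TCP
# connections owned by KIO worker processes, parsed from `ss -tnp` output
# read on stdin. The process name to match is an optional first argument
# (defaults to "kioworker", the process name seen in the report).

kio_peers() {
    name="${1:-kioworker}"
    awk -v name="$name" '
        NR == 1 { next }                          # skip the ss header line
        index($0, "\"" name) == 0 { next }        # keep only sockets of a matching process
        {
            peer = $5                             # Peer Address:Port column of `ss -tnp`
            pid = ""
            # pull pid=NNN out of users:(("kioworker",pid=4242,fd=17))
            if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
            print peer "\t" name "\t" pid
        }'
}

# Constructed sample of `ss -tnp` output (documentation-range addresses,
# invented PIDs); stands in for a live capture while previews are generated.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      192.0.2.10:51234     198.51.100.7:443    users:(("kioworker",pid=4242,fd=17))
ESTAB  0      0      192.0.2.10:51240     203.0.113.9:443     users:(("firefox",pid=1001,fd=55))
ESTAB  0      0      192.0.2.10:51250     198.51.100.8:80     users:(("kioworker",pid=4243,fd=12))'

# Run the check against the constructed sample. On a real system use:
#   ss -tnp | kio_peers
kio_peers_sample() {
    printf '%s\n' "$SAMPLE_SS" | kio_peers
}

kio_peers_sample
```

Any line printed while the only activity is Dolphin showing a folder of saved HTML files is a preview worker talking to the network; the browser's own sockets (firefox in the sample) are filtered out so they are not mistaken for the thumbnailer's traffic.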