New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 756021 link

Starred by 2 users
Status: WontFix
Owner:
allada@chromium.org
Last visit > 30 days ago
Closed: Dec 2017
Cc:
hdodda@chromium.org
l...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Chrome Does Not Log Network Traffic That Emanates from PDFs

Reported by kderb...@gmail.com, Aug 16 2017 
VULNERABILITY DETAILS
When opening a PDF document which contains live links and HTTP calls, the network traffic is not logged by the Console and cannot be viewed within the Chrome Browser. The only way you can see traffic (and data / security / etc info) is being sent is to either have access to the server it is contacting, or actually watch the local network traffic from the computer. This provides an avenue of information capture that may not be noticed by users and could lead to privacy and security concerns.

VERSION
Chrome Version: 60.0.3112.90 + stable
Operating System: Linux / Windows / Mac

REPRODUCTION CASE
If you have a PDF which makes an HTTP call (such as POST / GET) then you can send information from the Client's computer without them necessarily knowing that information is being transferred. It requires that a call be made from within the PDF to an outside server. Note that you do not see the network traffic in the development console, yet traffic is being sent out.

Comment 1 by elawrence@chromium.org, Aug 16 2017

Components: Platform>DevTools>Network
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: Chrome Does Not Log Network Traffic That Emanates from PDFs (was: Security: Chrome Does Not Log Network Traffic That Emanates from PDFs)
Thanks for the report!

Display of traffic in the developer tools is not a security feature, but this does sound like an interesting functional problem. 

Can you please provide a PDF that demonstrates this issue?

Comment 2 by l...@chromium.org, Aug 20 2017

Labels: Needs-Feedback
Owner: allada@chromium.org
A PDF to reproduce this would be appreciated!  Sounds like it requires investigation into whether requests by PDFs can be surfaced in DevTools Network panel.

Comment 3 by kderb...@gmail.com, Aug 20 2017 

Certainly,

I had one I was using for a project, but its content is important, allow me
to gather one that has no IP in it and I will send it in. I'll do that
today.

Cheers,

Kyle
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 20 2017

Cc: l...@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "luoe@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by hdodda@chromium.org, Aug 23 2017

Cc: hdodda@chromium.org
Labels: Needs-Traige-M60 Needs-Feedback
@kderbyma-- Could you please provide us the sample file as per your comment #3.

Thanks!

Comment 6 by thestig@chromium.org, Aug 24 2017

Components: Internals>Plugins>PDF
Labels: Pri-3

Comment 7 by allada@chromium.org, Sep 21 2017 

We are actively trying to clean up some bugs. Can we please get a sample PDF that causes this issue and we can look deeper into it?

Thanks!

Comment 8 by dgozman@chromium.org, Dec 1 2017

Status: WontFix (was: Unconfirmed)
Triaging network issues, closing the ones we won't be able to address.

Sign in to add a comment