Chrome Does Not Log Network Traffic That Emanates from PDFs
Reported by kderb...@gmail.com, Aug 16 2017
Issue description

VULNERABILITY DETAILS
When opening a PDF document which contains live links and HTTP calls, the network traffic is not logged by the Console and cannot be viewed within the Chrome Browser. The only way you can see that traffic (and data / security / etc. info) is being sent is to either have access to the server it is contacting, or actually watch the local network traffic from the computer. This provides an avenue of information capture that may not be noticed by users and could lead to privacy and security concerns.

VERSION
Chrome Version: 60.0.3112.90 + stable
Operating System: Linux / Windows / Mac

REPRODUCTION CASE
If you have a PDF which makes an HTTP call (such as POST / GET) then you can send information from the Client's computer without them necessarily knowing that information is being transferred. It requires that a call be made from within the PDF to an outside server. Note that you do not see the network traffic in the development console, yet traffic is being sent out.
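Because the report says these requests do not appear in the browser's own tooling, one defensive check is to inspect the PDF statically before it is opened. The following is an added example, not part of the original report or of Chromium: it lists action types that can lead a viewer to contact a remote host, plus any URLs, including those inside Flate-compressed streams. The function names, the sample document and its `.example` hosts are constructed for illustration.

```python
import re
import zlib

# Action types from the PDF specification (ISO 32000-1) that can lead a viewer
# to contact a remote host.
NETWORK_ACTIONS = (b"URI", b"SubmitForm", b"GoToR", b"JavaScript")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _views(pdf_bytes):
    """Yield the raw file, then every stream body that inflates as zlib (FlateDecode)."""
    yield pdf_bytes
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # uncompressed, or a filter this sketch does not handle


def scan_pdf(pdf_bytes):
    """Return (sorted action types found, sorted URLs found) for one PDF file."""
    actions, urls = set(), set()
    for view in _views(pdf_bytes):
        urls.update(u.decode("latin-1") for u in URL_RE.findall(view))
        # Names may hide characters as #XX escapes (/U#52I is /URI), so undo those first.
        names = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), view)
        for action in NETWORK_ACTIONS:
            if re.search(rb"/S\s*/" + action + rb"\b", names):
                actions.add(action.decode())
    return sorted(actions), sorted(urls)


# Constructed sample, not a real document: one URI action with an escaped name in
# the clear, and one SubmitForm action inside a Flate-compressed stream.
_HIDDEN = b"<< /S /SubmitForm /F (http://collector.example/post) >>"
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Action /S /U#52I"
    b" /URI (https://tracker.example/ping?id=1) >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_HIDDEN)
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

Encrypted documents, stream filters other than Flate, and URLs assembled at run time inside JavaScript are outside what this check sees, so an empty result does not prove a file makes no requests.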
Aug 20 2017
A PDF to reproduce this would be appreciated! Sounds like it requires investigation into whether requests by PDFs can be surfaced in DevTools Network panel.
Aug 20 2017
Certainly, I had one I was using for a project, but its content is important; allow me to gather one that has no IP in it and I will send it in. I'll do that today.
Cheers,
Kyle
Aug 20 2017
Thank you for providing more feedback. Adding requester "luoe@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 23 2017
@kderbyma-- Could you please provide us the sample file as per your comment #3? Thanks!
Sep 21 2017
We are actively trying to clean up some bugs. Can we please get a sample PDF that causes this issue and we can look deeper into it? Thanks!
Dec 1 2017
Triaging network issues, closing the ones we won't be able to address.
Comment 1 by elawrence@chromium.org, Aug 16 2017
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: Chrome Does Not Log Network Traffic That Emanates from PDFs (was: Security: Chrome Does Not Log Network Traffic That Emanates from PDFs)