Bug 508240 - (Security/privacy) thumbnail.so making online connections for generating HTML file previews
Status: RESOLVED WORKSFORME
Alias: None
Product: kio-extras
Classification: Frameworks and Libraries
Component: Thumbnails and previews (other bugs)
Version First Reported In: 24.12.3
Platform: Debian stable Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Plasma Bugs List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-08-14 12:34 UTC by nazo
Modified: 2025-10-02 03:46 UTC (History)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments

Description nazo 2025-08-14 12:34:09 UTC
SUMMARY
This is specifically about the thumbnail.so that Dolphin etc. use. In my system this file is located at: /usr/lib/x86_64-linux-gnu/qt6/plugins/kf6/kio/thumbnail.so. I do not know which component owns this file, only that Dolphin is using it. Removing the dolphin and dolphin-plugins packages does not remove this particular plugin, so it is presumably external to Dolphin.

Things like Dolphin use this thumbnail plugin to generate previews of HTML files etc.; however, it seems it makes online connections in doing so. Because thumbnail.so is not a qualified browser, it is unlikely to stay up to date on security necessities, thus making this a potential exploit point (so HTML processing needs to be very minimal already), but also, even putting that aside, because some .html files may be saved with, for example, ad server/tracking connections, it's also making those connections, and it also lacks the anti-fingerprinting/tracking measures that a fully qualified browser might have. As the user can't modify it to install some extension like uBlock etc., nor can the user raise security settings in general, it would be better to not even generate previews for HTML files at all than to be doing all this, but alternatively, doing very minimal processing would probably be the best compromise.

STEPS TO REPRODUCE
1. Save a .html file to a folder that makes online connections.
2. Open Dolphin to such a folder with html previews enabled (this is on by default...)
3. Watch connections using something such as OpenSnitch or whatever is convenient.

OBSERVED RESULT
kioworkers spawn from the thumbnail.so plugin that make outgoing connections.

EXPECTED RESULT
No outgoing connections should be occurring.

SOFTWARE/OS VERSIONS
Distro Version: Debian Trixie (13)
KDE Plasma Version: 6.3.6
KDE Frameworks Version: 6.13.0
Qt Version: 6.8.2

ADDITIONAL INFORMATION
As a side note, I first observed this as I saw kioworkers from Dolphin trying to contact actual full blown ad servers (the kinds that do serious tracking.)  If you want an example of something probably full of ads to watch this thing try to connect to, you can apparently try saving recipes from recipe sites.  (My normal browser has uBlock with blocklists, anti-fingerprinting, and etc, but even so I should probably be using TOR Browser.)  I used the "web page complete" option when saving, but it likely does not matter.  (This may seem minor, but modern fingerprinting has reached insane levels...)  This may worry me more than the security implications since injections via html file previews probably are going to be very limited in scope (I would hope at least, but I'm not a security expert) and of course would require you to first save a file with such an exploit.
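Added example (not the reporter's code and not part of kio-extras or Dolphin): a static check that lists the remote hosts a saved HTML page references, i.e. what any engine that lays the page out, browser or thumbnailer, would try to contact. Running it over a saved page before enabling previews tells you whether a connection observed in OpenSnitch can be explained by the file's own markup (ad tags, tracking pixels, CDN assets, preconnect hints) and to which hosts. The sample page, the file URL and all hostnames below are constructed placeholders.

```python
"""List the remote hosts a saved HTML page would contact when rendered.

Added example for this report; not the reporter's code and not part of
kio-extras. Sample page, file URL and hostnames are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes a renderer fetches without user interaction, per tag.
FETCHED_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "source": ("src", "srcset"), "video": ("src", "poster"), "audio": ("src",),
    "object": ("data",), "embed": ("src",),
}
# <link> relations that cause a fetch or a connection; preconnect/dns-prefetch
# open a socket or a DNS lookup even though no resource body is downloaded.
FETCHED_LINK_RELS = {"stylesheet", "icon", "shortcut", "apple-touch-icon",
                     "preload", "modulepreload", "prefetch", "manifest",
                     "preconnect", "dns-prefetch"}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
META_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.IGNORECASE)


class ResourceCollector(HTMLParser):
    """Collect every URL the page would load, resolved against its base."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.urls = []
        self._in_style = False

    def _add(self, ref):
        ref = ref.strip()
        if ref and not ref.startswith(("data:", "about:", "javascript:", "#")):
            self.urls.append(urljoin(self.base, ref))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])   # <base> rebases everything after it
        elif tag == "style":
            self._in_style = True
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            match = META_REFRESH_RE.search(attrs.get("content") or "")
            if match:
                self._add(match.group(1))
        elif tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if rels & FETCHED_LINK_RELS and attrs.get("href"):
                self._add(attrs["href"])
        for name in FETCHED_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":          # "a.jpg 1x, b.jpg 2x": URL is the first token
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self._add(parts[0])
            else:
                self._add(value)
        for ref in CSS_URL_RE.findall(attrs.get("style") or ""):
            self._add(ref)                # inline style="...url(...)"

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                # url(...) inside a <style> block
            for ref in CSS_URL_RE.findall(data):
                self._add(ref)


def collect_urls(html_text, file_url):
    parser = ResourceCollector(file_url)
    parser.feed(html_text)
    parser.close()
    return parser.urls


def remote_hosts(html_text, file_url="file:///home/user/saved/page.html"):
    """Hosts contacted over http(s). References resolving to file:// (localised
    page_files/ copies, and protocol-relative //host/x, which from a file://
    base also resolves to file://) are not network fetches and are skipped."""
    hosts = set()
    for url in collect_urls(html_text, file_url):
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https"):
            hosts.add(parsed.netloc.lower())
    return sorted(hosts)


# Constructed sample: a "web page complete" save where some assets were
# localised into page_files/ but ad, tracker and CDN references remain.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="page_files/site.css">
<link rel="canonical" href="https://recipes.example.com/cake">
<link rel="preconnect" href="https://fonts.example.org">
<script src="https://ads.example.net/tag.js"></script>
<style>body { background: url("https://cdn.example.org/bg.png") }</style>
</head><body>
<img src="page_files/cake.jpg" alt="localised copy">
<img src="https://tracker.example.net/pixel.gif?uid=123" width="1" height="1">
<img srcset="page_files/a.jpg 1x, https://img.example.org/a@2x.jpg 2x">
<script src="//static.example.net/lib.js"></script>
<div style="background-image:url('https://cdn.example.org/hero.jpg')"></div>
<a href="https://recipes.example.com/next">plain links are not fetched on render</a>
</body></html>"""
```

For a real saved page, pass the file's contents and `pathlib.Path(path).resolve().as_uri()` as `file_url`; the list is the set of hosts a renderer would contact for that file. A host that shows up in OpenSnitch but not in this list cannot be explained by the markup alone and is worth a separate report with the file attached.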
Comment 1 Akseli Lahtinen 2025-09-02 09:02:09 UTC
I can't reproduce this. I saved this site as an HTML file, and opensnitch did not report thumbnailer trying to connect anywhere.

Operating System: Fedora Linux 42
KDE Plasma Version: 6.4.80
KDE Frameworks Version: 6.18.0
Qt Version: 6.9.1
Kernel Version: 6.16.3-200.fc42.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 12 × AMD Ryzen 5 3600 6-Core Processor
Memory: 16 GiB of RAM (15.5 GiB usable)
Graphics Processor: AMD Radeon RX 6600
Comment 2 TraceyC 2025-09-02 15:58:49 UTC
I'd like to try to reproduce this using as close a setup as possible as yours. When you say:

1. Save a .html file to a folder that makes online connections.

What do you mean by that? How can I set up a folder the same way? Thanks.
Comment 3 Bug Janitor Service 2025-09-17 03:48:28 UTC
๐Ÿ›๐Ÿงน โš ๏ธ This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information, then set the bug status to REPORTED. If there is no change for at least 30 days, it will be automatically closed as RESOLVED WORKSFORME.

For more information about our bug triaging procedures, please read https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging.

Thank you for helping us make KDE software even better for everyone!
Comment 4 Bug Janitor Service 2025-10-02 03:46:34 UTC
๐Ÿ›๐Ÿงน This bug has been in NEEDSINFO status with no change for at least 30 days. Closing as RESOLVED WORKSFORME.