Fun with desktop notifications
Linux desktop environments use notification daemons to display desktop notifications. Some of these daemons allow HTML to be put into the notification window. Unfortunately, programs that push out notifications through these daemons don’t always sanitize the outgoing text, which allows arbitrary HTML to be injected into the notification. At the same time, a privacy bug exists within KDE’s notifications (tested with Qt: 4.8.7, KDE Development Platform: 4.14.16, KNotify: 4.14.16): because the daemon fetches remote images referenced in the notification body, the IP address of the user can be obtained from virtually every program that creates notifications from user-generated content.
The image to the left shows a header and an image tag being injected into Discord notifications and rendered by knotify. By watching the access logs where the image is hosted, I noticed that two IP addresses were requesting the image. The first IP address was Discord’s, and the second was the target user’s IP address (a totally willing participant).
Discord has already patched their software for this privacy bug, however Discord is not the only program affected.
All of the apps in which I tested and successfully triggered the bug were communication programs (email, IRC, etc.). This poses a privacy risk to the communities and people that use these apps.
Many application developers don’t seem to know about, or think about, the possibility of HTML injection in notifications, leaving their programs wide open to this bug on an unknown number of desktop environments that may support remote images.
KDE is looking to patch remote images in notifications at this point. A developer that I spoke with from KDE says it is bad practice not to sanitize desktop notifications. But I’m sure that KDE is not the only desktop environment affected: many desktops on Linux allow markup in notification messages, since it is part of the freedesktop.org notification spec, although most do not allow remote images.
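The application-side fix the post argues for is to treat the message text as untrusted before handing it to the notification daemon. The following is an added example, not code from the post or from any of the programs or desktops it mentions; it assumes only that the daemon interprets the small freedesktop.org markup subset (bare `<b>`, `<i>`, `<u>`) and shows an escaping routine that keeps that subset while neutralizing every other tag, plus a small audit helper that flags bodies carrying remote `src`/`href` references. The message it runs on is a constructed sample using a reserved `.invalid` hostname.

```python
import html
import re

# Inline formatting tags the freedesktop.org notification spec allows in a body.
# <img> and <a> are deliberately NOT on the list: remote fetches are what leak
# the client's IP address, so those are escaped like any other tag.
ALLOWED_TAGS = {"b", "i", "u"}

# Matches an opening or closing tag and captures its name.
_TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)\b[^>]*>")

# Matches only a bare tag with no attributes, e.g. <b> or </u>.
_BARE_TAG_RE = re.compile(r"</?[A-Za-z]+>")

# Finds src= / href= attributes pointing at a remote scheme (audit helper).
_REMOTE_REF_RE = re.compile(
    r"""(?:src|href)\s*=\s*["']?\s*((?:https?|ftp)://[^"'\s>]+)""", re.I
)


def sanitize_notification_body(text: str) -> str:
    """Escape all HTML in an untrusted message except bare <b>, <i>, <u>.

    Everything between tags is HTML-escaped (quotes included), any tag that is
    not on the whitelist or that carries attributes is escaped so the daemon
    renders it as literal text instead of markup.
    """
    out = []
    pos = 0
    for m in _TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        raw = m.group(0)
        name = m.group(1).lower()
        if name in ALLOWED_TAGS and _BARE_TAG_RE.fullmatch(raw):
            out.append(raw.lower())          # keep harmless inline formatting
        else:
            out.append(html.escape(raw, quote=True))  # neutralize the tag
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def find_remote_references(text: str) -> list:
    """Return remote URLs referenced from src/href attributes in a body.

    Useful for auditing what an application is about to send to the daemon:
    a non-empty result on the raw message is exactly the condition that
    produces an outbound fetch (and an IP leak) on a daemon that loads images.
    """
    return _REMOTE_REF_RE.findall(text)


# Constructed sample: a chat message containing a heading and a remote image.
CONSTRUCTED_MESSAGE = (
    '<b>hello</b> <h1>big</h1>'
    '<img src="http://tracker.example.invalid/pixel.png">'
)

if __name__ == "__main__":
    print("remote refs before:", find_remote_references(CONSTRUCTED_MESSAGE))
    safe = sanitize_notification_body(CONSTRUCTED_MESSAGE)
    print("sanitized body   :", safe)
    print("remote refs after:", find_remote_references(safe))
```

Run the sanitizer on the message body immediately before the D-Bus `Notify` call (or whatever wrapper the application uses); the audit helper is for tests and log review, not a substitute for escaping, since an attacker-controlled body can carry a remote reference in forms the regex does not enumerate.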
A big thanks goes out to Ken Spencer for letting me test these bugs on his system. That took a lot of time and patience. Also to the Discord team for a quick response and patch. It was also thanks to them that I learned the scope of this privacy bug and what exactly I had stumbled upon.
Update: It appears that KDE attempted to patch this but only stopped the image from being displayed. The daemon still fetches the image, so the target’s IP address can still be obtained.