Extension leaking local asset requests to remote servers? #219

Open
parseword opened this issue Oct 6, 2022 · 5 comments
Comments

@parseword

Hi,

While reviewing the error logs for a website I maintain, I recently encountered a batch of unusual requests from a visitor:

159.196.x.y - - [04/Oct/2022:17:52:13 -0500] "GET /assets/images/clockify_logo.svg HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:13 -0500] "GET /assets/images/clockify_logo_selfhosted.svg HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:13 -0500] "GET /assets/images/menu.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:13 -0500] "GET /assets/images/menu-hover.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:13 -0500] "GET /assets/images/sync.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:13 -0500] "GET /assets/images/manual-hover.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:13 -0500] "GET /assets/images/sync-hover.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:13 -0500] "GET /assets/images/automatic-hover.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:14 -0500] "GET /assets/images/manual.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:14 -0500] "GET /assets/images/out-link.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:14 -0500] "GET /assets/images/automatic.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:14 -0500] "GET /assets/images/break.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:14 -0500] "GET /assets/images/closeX.svg HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:14 -0500] "GET /assets/images/edit-unsynced.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:14 -0500] "GET /assets/images/edit-unsynced-hover.png HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
159.196.x.y - - [04/Oct/2022:17:52:14 -0500] "GET /assets/images/clockify_logo_dark.svg HTTP/1.1" 404 [...] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"

I Googled for some of the filenames and found this repo. Based on the above log entries, it seems like your extension may be "leaking" requests meant for its own bundled image assets, and is instead making those requests to remote web servers. (Perhaps that's the intended behavior; I'm not familiar with Clockify or how it works.)

Since I'm on the receiving end, all I can offer is the list of requests, and the user-agent that points to Chrome 106 on Linux. Hope this is useful in tracking down any issue that might exist.
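A triage script for the pattern in the report above (an added example, not code from this issue or from the Clockify project): it parses Apache combined-format access log lines, collects 404s for the asset filenames listed in the report per client, and flags clients that miss on several of them within a few seconds, which is what separates this extension noise from scanner traffic or a stale link. The sample log lines, the RFC 5737 addresses and the thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Asset names copied from the report above: a burst of 404s for these from one client is
# the fingerprint of the extension fetching its bundled images from the visited site.
EXTENSION_ASSETS = {
    "clockify_logo.svg", "clockify_logo_selfhosted.svg", "clockify_logo_dark.svg",
    "menu.png", "menu-hover.png", "sync.png", "sync-hover.png", "manual.png",
    "manual-hover.png", "automatic.png", "automatic-hover.png", "break.png",
    "closeX.svg", "out-link.png", "edit-unsynced.png", "edit-unsynced-hover.png",
}

# Apache "combined" format: ip ident user [ts] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"')

def find_extension_asset_bursts(lines, window_seconds=5, min_distinct=5):
    """Return {client_ip: sorted asset names} for clients that 404 on at least
    `min_distinct` known extension assets within `window_seconds` (constructed thresholds)."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "404":
            continue
        path = m["path"].split("?", 1)[0]
        if path.startswith("/assets/images/") and path.rsplit("/", 1)[-1] in EXTENSION_ASSETS:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, path.rsplit("/", 1)[-1]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):  # sliding time window over sorted hits
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            names = {n for _, n in events[start:end + 1]}
            if len(names) >= min_distinct:
                flagged[ip] = sorted(names | set(flagged.get(ip, [])))
    return flagged

# Constructed sample lines modelled on the report (RFC 5737 addresses, not the real client).
UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
SAMPLE_LOG = [
    f'203.0.113.7 - - [04/Oct/2022:17:52:13 -0500] "GET /assets/images/{n} HTTP/1.1" 404 196 "-" "{UA}"'
    for n in ("clockify_logo.svg", "menu.png", "menu-hover.png", "sync.png", "manual.png", "break.png")
] + [
    '198.51.100.9 - - [04/Oct/2022:17:55:01 -0500] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/7.85.0"',
    f'192.0.2.5 - - [04/Oct/2022:18:01:40 -0500] "GET /assets/images/menu.png HTTP/1.1" 404 196 "-" "{UA}"',
]
```

Running `find_extension_asset_bursts(SAMPLE_LOG)` flags only the first client; the lone `menu.png` miss and the unrelated `/wp-login.php` probe stay below the threshold.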

@7saraK

7saraK commented Oct 8, 2022

Hi @parseword, thank you for taking the time to leave a comment and for reporting this. I immediately forwarded it to the team, so they can take a look.
Feel free to ask any further questions you might have. Cheers!

@7saraK

7saraK commented Oct 11, 2022

Hi again, I just wanted to follow up with you regarding this. Our Devs have advised that this is actually intended behavior, as these assets are public and the integration makes GET requests to retrieve them.
Hope this helps. If you have any other questions feel free to ask. Cheers!

@hramosmorillo

Same issue on our servers: a visitor with this browser extension is making GET requests to our servers. These assets may be public, but our servers don't have those resources, so I don't understand why the extension is making those requests. Maybe you should find another way to integrate Clockify with whatever it's trying to integrate.

Thanks.

@7saraK

7saraK commented Oct 17, 2022

Hi both, I just wanted to let you know that I have forwarded this to our Devs once more so they will be looking at this deeper.
I'll update you here as soon as I receive any information about it. Cheers!

@7saraK

7saraK commented Oct 19, 2022

Hi all, please note that the team has released a new version of the Clockify browser extension with the fix for the leaking assets.
The Chrome extension is still in review; however, if you use the Firefox extension, this is already published.

Hope this helps. Feel free to reach back if you notice anything else. Cheers!
