Rendering of PDFs in Onshape re-enabled

jakeramsley

EDIT:

We've pushed a change to help restore critical workflows with PDFs.  PDF viewing has been restored for users that are signed in.  People who are viewing an Onshape document while not signed in will see the behavior below.



original:
As a result of recent activity, we are disabling rendering of PDFs inside of the product.  PDFs will now show as a file available for download when viewing inside of Onshape.  In order to view the PDF, users will have to download the file and open on their own system.  This is being done in order to protect the safety and security of our users.  It is strongly advised to only download files from sources that you trust.  It is strongly advised to only click on links from sources that you trust.

ex. PDFs will now appear in the product the same way other data types do, like STLs.

While we understand this is an inconvenience and disruptive to workflows, the safety and security of our users is of the utmost importance.

As a reminder:

* Only download files from sources that you trust

* Only click on links from sources that you trust

shawn_crocker

Is this for real? Where is this sudden thought of rendering PDF a security risk coming from? Have the customers been requesting this functionality to be removed?  I don't really rely on this as an implement into a workflow but there has got to be many that do.

jakeramsley

shawn_crocker said:

Is this for real? Where is this sudden thought of rendering PDF a security risk coming from? Have the customers been requesting this functionality to be removed?  I don't really rely on this as an implement into a workflow but there has got to be many that do.

Hi shawn_crocker,

Yes, this is for real.  We understand that PDFs are critical for many users and workflows.  Those workflows are something we are looking to continue to support, but they have to be done in a secure manner.

As for the urgency of this change, this is not a response to customer requests.  This is a decision made based off of knowledge of phishing attempts.  The security, safety, and privacy of our users are important to us and that expands beyond the Onshape service.

shawn_crocker

I see. I hadn't picked up on that there have been attempts on security breaches

shawn_crocker

I don't really no the ins and outs of a Phishing attack. Just read a bit and I'm not certain how rendering PDF and phishing attack go together here. Has phishing hijacked some peoples pdfs and redirected them to a malicious site or something? I'm really just curious to know more about this issue.

fnxf

@jakeramsley If a PDF is already in an Onshape document, how could that be a source I don't trust? Is there a CVE to this?

Jbohrer88

Is this a permanent change? Or will there be efforts to bring back this functionality in the near future?

I don't know the specifics, but this seems like more of a security threat. At least before a fake, downloadable file with a .PDF would show like it is now, tipping someone off that it may not be a real pdf file. Now we have to download the file to see that.

john_mcclary

This f**ing sucks to put it mildly...

Some users don't even get the option to download.
even though they have export permission

Standard_Bits

this is rubbish, workers on the floor need to view the PDF , but we dont want them to download the document,

marshall_cannon246

The beauty of having a pdf in onshape was to have the latest version viewable always.  With making it mandatory that its downloaded now will add risk that a previously download version may be used because they will be using a different app .   This a big issue that should be updated asap.    

Theo_R

Quite frankly, this is unacceptable for us. We would happily contribute our time in finding an alternative or resolution with Onshape. If we can be of assistance in solving this, let us know.

robert_johnston

This is a big issue for me, I keep reference PDF documents with the relevent parts. Needs to be fixed asap. Can you provide more information about how the phishing attempts are happening? Like the banks with security bulletin where they show screenshots of the scam websites and emails? Shows what people may need to look out for. 

kate_leipold_rit

We're using pdfs in the classroom for sharing design documentation and instructions with in an assignment!  This is a serious disruption. 😕

jakeramsley

We've pushed a change to help restore critical workflows with PDFs.  PDF viewing has been restored for users that are signed in.  People who are viewing an Onshape document while not signed in will see the behavior outlined in the original post.

We apologize for any inconvenience this may have caused but the security, safety, and privacy of our users are paramount.

robert_johnston

jakeramsley said:

We've pushed a change to help restore critical workflows with PDFs.  PDF viewing has been restored for users that are signed in.  People who are viewing an Onshape document while not signed in will see the behavior outlined in the original post.

We apologize for any inconvenience this may have caused but the security, safety, and privacy of our users are paramount.

Great thanks, Appreciate it!

S1mon

jakeramsley said:

We've pushed a change to help restore critical workflows with PDFs.  PDF viewing has been restored for users that are signed in.  People who are viewing an Onshape document while not signed in will see the behavior outlined in the original post.

We apologize for any inconvenience this may have caused but the security, safety, and privacy of our users are paramount.

This seems like a very reasonable compromise.

Can you clarify anything else about why this was a security risk in the first place? Was the situation that someone would phish with a fake version of the Onshape site and a dangerous PDF which somehow exploited the browser? Or was the issue that the PDF viewer in Onshape is not secure enough to view malicious PDFs? I had assumed that the PDF viewing within Onshape was just leveraging the browser's PDF display technology.

john_rousseau

On Thursday, we became aware of an attacker sending a large volume of emails to random engineering and design companies that contained links to a PDF tab in public, anonymously shared Onshape documents. Neither the sender accounts nor the recipients were associated with Onshape. These PDFs resembled engineering invoices with a button that linked to an external phishing website which asked victims for their credentials. Not Onshape credentials, but another, popular authentication service. 

Knowing that the attackers were trying to use Onshape as part of their exploit, we disabled the automatic display of PDFs. We understood the impact on workflows, but we needed to interrupt the initial attack. Since then, we have developed, tested, and deployed the more targeted change that you see now. We're optimistic that this minimizes the workflow disruption and discourages attempts to try to exploit Onshape in the future. If your workflow continues to be impacted by this change, please open a support ticket and we will work with you on it as soon as possible. 

To be clear with everyone, at no point was Onshape compromised. This was merely a sophisticated attempt to leverage Onshape to steal credentials for another service. 

Theo_R

Thank you Onshape team!

adrian_vlzkz

Outstanding! 

Urs_Egger_REACT

Hi, i wanted to linkshare a publication with product renderings (jpg) made in onshape. But jpg's are not rendered in the link-shared publication as well. Is this also affected by the pdf issue?

john_rousseau

Yes, we have blocked rendering of all image types for anonymously shared documents. Is it possible to have your recipients sign up for a Free Onshape account? 

We are not aware of any vulnerabilities in sharing JPEGs, so we are willing to revisit this decision for a few image file types. Please open a support ticket if this is blocking a workflow for you.

chadstoltzfus

john_rousseau said:

Yes, we have blocked rendering of all image types for anonymously shared documents. Is it possible to have your recipients sign up for a Free Onshape account? 

We are not aware of any vulnerabilities in sharing JPEGs, so we are willing to revisit this decision for a few image file types. Please open a support ticket if this is blocking a workflow for you.

To my knowledge, this solution does not work if you have an Enterprise account, since the free Onshape account is on cad.onshape.com and not (your company domain).onshape.com. You could add them as guest/light users but that's a cost. Currently we are enabling link sharing and turning on exporting permissions but for more sensitive documents that will not be an option. 

john_allen289

I've put a ticket into support for this.

I don't understand why this applies to our Enterprise domain. I'm no expert, but the attack described above should not be repeatable from an Enterprise domain (unless we are hacked) as the Enterprise by design is natively not public and all anonymous link shares from our domain are under our control. I could turn them all off through our analytics right now if I wanted.

This has seriously hampered our customer side collaboration and design reviews using Onshape for browser previewed Blob data alongside CAD data. The previewed Blob data is as important as the CAD data. If not more so in some cases.

I get security is paramount and appreciate the intermediate improvement for signed in users, but we have customer Documents and Publication anonymous links with live customers right now on live projects, that do not have Export permissions, and have effectively just gone dark. This totally changes our design review workflow with Onshape and our customers.

I look forward to Onshape having confidence to open this up again for Enterprise customers who are not on the cad.onshape.com domain.

john_rousseau

We are definitely listening to the feedback here. We are designing the next round of changes. We don't want to keep changing the behavior and repeatedly impact your workflows. We also don't want to open up an exploit and need to make unannounced changes again.

The goal is to have the minimal impact to your workflows while still not allowing our service (and our good reputation) to be used for delivering malware.

james_chandler459

Is there a relationship between adobe and onshape? could there be a cloud connected solution with them?

aidan_cunningham762

jakeramsley said:

We've pushed a change to help restore critical workflows with PDFs.  PDF viewing has been restored for users that are signed in.  People who are viewing an Onshape document while not signed in will see the behavior outlined in the original post.

We apologize for any inconvenience this may have caused but the security, safety, and privacy of our users are paramount.

This has been implemented already, right? Does this feature exclude education accounts? When signed in, I am still not able to view PDFs. Should I open a support ticket to look into this further?

paolo_cianci

The same, I am still not able to view PDFs

stg434

The same, Iam still not able to view PDFs.

john_rousseau

We've pushed an additional change that should restore PDF visibility for almost all users. This was the intent with the last change, but we didn't get it quite right. Our sincere apologies. Only documents owned by certain plans and shared via Link Sharing should have PDFs and other image types not display.