Rendering of PDFs in Onshape re-enabled
jakeramsley
Member, Moderator, Onshape Employees, Developers, csevp Posts: 661
EDIT:
We've pushed a change to help restore critical workflows with PDFs. PDF viewing has been restored for users that are signed in. People who are viewing an Onshape document while not signed in will see the behavior below.
original:
As a result of recent activity, we are disabling rendering of PDFs inside of the product. PDFs will now show as a file available for download when viewing inside of Onshape. In order to view the PDF, users will have to download the file and open on their own system. This is being done in order to protect the safety and security of our users. It is strongly advised to only download files from sources that you trust. It is strongly advised to only click on links from sources that you trust.
ex. PDFs will now appear in the product the same way other data types do, like STLs.
While we understand this is an inconvenience and disruptive to workflows, the safety and security of our users is of the utmost importance.
As a reminder:
* Only download files from sources that you trust
* Only click on links from sources that you trust
Jake Ramsley
Director of Quality Engineering & Release Manager onshape.com
Comments
Hi shawn_crocker,
Yes, this is for real. We understand that PDFs are critical for many users and workflows. Those workflows are something we are looking to continue to support, but they have to be done in a secure manner.
As for the urgency of this change, this is not a response to customer requests. This is a decision made based off of knowledge of phishing attempts. The security, safety, and privacy of our users are important to us and that expands beyond the Onshape service.
Some users don't even get the option to download, even though they have export permission.
We apologize for any inconvenience this may have caused but the security, safety, and privacy of our users are paramount.
Can you clarify anything else about why this was a security risk in the first place? Was the situation that someone would phish with a fake version of the Onshape site and a dangerous PDF which somehow exploited the browser? Or was the issue that the PDF viewer in Onshape is not secure enough to view malicious PDFs? I had assumed that the PDF viewing within Onshape was just leveraging the browser's PDF display technology.
On Thursday, we became aware of an attacker sending a large volume of emails to random engineering and design companies that contained links to a PDF tab in public, anonymously shared Onshape documents. Neither the sender accounts nor the recipients were associated with Onshape. These PDFs resembled engineering invoices with a button that linked to an external phishing website which asked victims for their credentials. Not Onshape credentials, but another, popular authentication service.
Knowing that the attackers were trying to use Onshape as part of their exploit, we disabled the automatic display of PDFs. We understood the impact on workflows, but we needed to interrupt the initial attack. Since then, we have developed, tested, and deployed the more targeted change that you see now. We're optimistic that this minimizes the workflow disruption and discourages attempts to try to exploit Onshape in the future. If your workflow continues to be impacted by this change, please open a support ticket and we will work with you on it as soon as possible.
To be clear with everyone, at no point was Onshape compromised. This was merely a sophisticated attempt to leverage Onshape to steal credentials for another service.
CAD Engineering Manager
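The post above describes both the abuse pattern (a PDF in an anonymously shared document whose link action points at an off-site credential-harvesting page) and the mitigation that was shipped (download-only for anonymous viewers, inline rendering restored for signed-in users). The following is an added example, not Onshape's code and not how Onshape implements this, of how a service that serves user-uploaded PDFs could express that policy, with one extra gate of my own: a byte-level scan for link actions that leave a trusted host before a signed-in viewer gets inline rendering. Everything in it is constructed for illustration: the sample PDFs, the host names (using the reserved `.invalid` TLD), the `TRUSTED_HOSTS` list and all function names.

```python
"""Serving uploaded PDFs: force download for anonymous viewers, and scan for
off-site link actions before rendering inline for signed-in viewers.

Added example; not Onshape's code. Sample PDFs, host names, TRUSTED_HOSTS and
the function names are all constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumption: hosts a link annotation may point at without being treated as
# off-site. A real deployment would derive this from its own configuration.
TRUSTED_HOSTS = {"cad.onshape.com"}

# Constructed, hand-written, uncompressed PDF: one page with a single link
# annotation whose /URI action points off-site (the pattern from the thread).
# The target uses the reserved .invalid TLD as a placeholder.
SAMPLE_PHISH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 150]
   /A << /S /URI /URI (https://login.example-phish.invalid/verify\\(1\\)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed PDF with no annotations at all.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed PDF that packs objects into a compressed object stream, so a
# byte-level scan cannot see whether any annotation is inside it.
SAMPLE_OPAQUE_PDF = SAMPLE_CLEAN_PDF.replace(
    b"trailer",
    b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length 0 >>\n"
    b"stream\nendstream endobj\ntrailer",
)

# /URI (literal string); the group tolerates backslash-escaped characters.
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uri_actions(pdf_bytes: bytes) -> list[str]:
    """Return the target of every /URI action written as a literal string.
    Only objects stored uncompressed are visible; see has_opaque_objects()."""
    uris = []
    for raw in URI_ACTION.findall(pdf_bytes):
        unescaped = re.sub(rb"\\(.)", rb"\1", raw)  # \( \) \\ -> ( ) \
        uris.append(unescaped.decode("latin-1"))
    return uris


def has_opaque_objects(pdf_bytes: bytes) -> bool:
    """True when annotations could be hidden from a byte-level scan: objects
    packed into compressed object streams, or an encrypted file."""
    return b"/ObjStm" in pdf_bytes or b"/Encrypt" in pdf_bytes


def external_links(uris: list[str], trusted_hosts: set[str]) -> list[str]:
    """URIs whose host is not trusted, or whose scheme is not plain http(s)."""
    flagged = []
    for uri in uris:
        parsed = urlparse(uri)
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or host not in trusted_hosts:
            flagged.append(uri)
    return flagged


def delivery_policy(signed_in: bool, pdf_bytes: bytes,
                    trusted_hosts: set[str] = TRUSTED_HOSTS,
                    filename: str = "document.pdf") -> tuple[dict, str]:
    """Decide how a stored PDF is served; returns (response headers, reason).
    Anonymous viewers always get a download (the mitigation from the thread).
    Signed-in viewers get inline rendering only when the scan finds no off-site
    link and nothing it cannot inspect (my added gate). `filename` is assumed
    to be sanitized already."""
    if not signed_in:
        inline, reason = False, "anonymous viewer: download only"
    elif has_opaque_objects(pdf_bytes):
        inline, reason = False, "objects not inspectable: download only"
    else:
        bad = external_links(extract_uri_actions(pdf_bytes), trusted_hosts)
        inline = not bad
        reason = "no off-site links" if inline else "off-site link(s): " + ", ".join(bad)
    headers = {
        "Content-Type": "application/pdf",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline" if inline else f'attachment; filename="{filename}"',
    }
    return headers, reason


if __name__ == "__main__":
    for label, pdf in (("phish", SAMPLE_PHISH_PDF), ("clean", SAMPLE_CLEAN_PDF),
                       ("opaque", SAMPLE_OPAQUE_PDF)):
        for signed_in in (False, True):
            hdrs, why = delivery_policy(signed_in, pdf)
            print(f"{label:6} signed_in={signed_in!s:5} {hdrs['Content-Disposition']:40} {why}")
```

The byte-level scan is deliberately conservative: anything it cannot see through (object streams, encryption) is served as a download rather than guessed at, and a production service would replace the regex with a real PDF parser that walks the annotation dictionaries. It is a coarse gate layered behind the sign-in check, not a substitute for it; the thread's point stands that the first line of defence was simply refusing to render for anonymous viewers.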
We are not aware of any vulnerabilities in sharing JPEGs, so we are willing to revisit this decision for a few image file types. Please open a support ticket if this is blocking a workflow for you.
chadstoltzfus@premiercb.com
I don't understand why this applies to our Enterprise domain. I'm no expert, but the attack described above should not be repeatable from an Enterprise domain (unless we are hacked) as the Enterprise by design is natively not public and all anonymous link shares from our domain are under our control. I could turn them all off through our analytics right now if I wanted.
This has seriously hampered our customer side collaboration and design reviews using Onshape for browser previewed Blob data alongside CAD data. The previewed Blob data is as important as the CAD data. If not more so in some cases.
I get security is paramount and appreciate the intermediate improvement for signed in users, but we have customer Documents and Publication anonymous links with live customers right now on live projects, that do not have Export permissions, and have effectively just gone dark. This totally changes our design review workflow with Onshape and our customers.
I look forward to Onshape having confidence to open this up again for Enterprise customers who are not on the cad.onshape.com domain.
The goal is to have the minimal impact to your workflows while still not allowing our service (and our good reputation) to be used for delivering malware.