Headless Chrome and SSRF
CloudSync allows enterprise users to generate PDF reports from dynamic HTML dashboards. OdiVex identified that the backend rendering engine (a headless Chromium instance) does not restrict internal network routing.
The Metadata Extraction
By injecting a hidden iframe containing a redirect to the AWS IMDSv2 metadata IP (169.254.169.254) into the dashboard payload, the headless browser is forced to query the cloud environment.
<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/production-role"></iframe>
While the response is blind to the attacker in the web interface, the resulting PDF document visually renders the extracted JSON containing the AccessKeyId, SecretAccessKey, and Token.
Remediation
Cloud providers have introduced IMDSv2 (requiring PUT requests and tokens), but the headless browser natively passed the required headers due to a misconfigured proxy. CloudSync has patched the rendering container by dropping all outbound packets destined for the 169.254.169.254 block via iptables.