several plugins use insecure http in account setup
Bug #1037169 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Online Accounts: Account plugins | Fix Released | Undecided | Unassigned |
account-plugins (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Running a packet sniffer (tcpdump or wireshark would do) on traffic going to port 80 I discovered the following account-plugins are using http to fetch the login page when setting up an account:
- account-
- account-plugin-sina
- account-plugin-sohu
As a result, these pages can be used in a MITM attack. Please adjust these to use an https url instead.
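A source-level check for the problem described above, as an added example (not code from the bug report or from account-plugins): it scans Vala source for string literals that contain `http://` URLs, skips comments, and reports each hit with its line number. The sample source, its constant names and hosts are constructed, and `allow_hosts` is a hypothetical parameter for cleartext exceptions that have been reviewed.

```python
import re
from urllib.parse import urlsplit

# Matches cleartext URLs only; "https://" does not contain "http://".
URL_RE = re.compile(r"http://[^\s\"'<>]+", re.IGNORECASE)

def string_literals(line):
    """Return the double-quoted literals on one line, stopping at a // comment."""
    out, buf, in_str, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if in_str:
            if ch == "\\" and i + 1 < len(line):
                buf.append(line[i:i + 2])  # keep escaped char, e.g. \"
                i += 2
                continue
            if ch == '"':
                out.append("".join(buf))
                buf, in_str = [], False
            else:
                buf.append(ch)
        elif ch == '"':
            in_str = True
        elif line.startswith("//", i):
            break  # rest of the line is a comment, not code
        i += 1
    return out

def find_cleartext_urls(source, allow_hosts=frozenset()):
    """Return (line_number, url) for each http:// URL found in a string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for literal in string_literals(line):
            for url in URL_RE.findall(literal):
                host = urlsplit(url).hostname or ""
                if host not in allow_hosts:  # assumption: reviewed exceptions only
                    findings.append((lineno, url))
    return findings

# Constructed sample, not taken from any real plugin.
SAMPLE_VALA = '''// Constructed sample; old docs lived at http://login.example.com/help
const string REQUEST_ENDPOINT = "http://login.example.com/oauth/request_token";
const string AUTHORIZE_ENDPOINT = "https://login.example.com/oauth/authorize";
const string CALLBACK = "http://localhost/callback"; // loopback redirect
'''

if __name__ == "__main__":
    for lineno, url in find_cleartext_urls(SAMPLE_VALA, allow_hosts={"localhost"}):
        print(f"line {lineno}: cleartext URL {url}")
```
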
Related branches
lp:~ken-vandine/account-plugins/lp_1037169
- Alberto Mardegan (community): Approve
- jenkins (community): Approve (continuous-integration)
Diff: 18 lines (+3/-3), 1 file modified: src/flickr.vala (+3/-3)
description: updated
Changed in account-plugins (Ubuntu):
status: Invalid → Confirmed
Changed in online-accounts-account-plugins:
status: New → Confirmed
assignee: nobody → David King (amigadave)
Changed in online-accounts-account-plugins:
assignee: David King (amigadave) → nobody
milestone: none → 0.6
Changed in online-accounts-account-plugins:
status: Confirmed → Fix Released
I had already asked about sina and sohu, those require http. I don't know about flickr off hand.