Ubuntu
tumbler package

Tumbler privacy issues

Bug #1334469 reported by Matiss Treinis
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tumbler (Ubuntu)
New
Undecided
Unassigned

Bug Description

By default Tumbler is not limited to user's home directory nor there is expiry mechanism for thumbnails to expire automatically. Tumbler also saves all the thumbnails from removable drives by default.

This functionality should be addressed as a security and privacy concern, because by evaluating contents of the .thumbnails one is able to get an idea on what's is and have been stored on the computer, and even remote media.

Revision history for this message
Seth Arnold (seth-arnold) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Note that if you want tumbler, or any other program, to have fewer privileges, you can always prepare an AppArmor profile to allow only the accesses you want.

I suspect if we were to distribute a profile as restrictive as you would wish, it would break features that other people rely upon.

Thanks

Revision history for this message
Matiss Treinis (mrtreinis) wrote :

Thank you for reviewing this issue, Seth!

I believe that AppArmor profile would not solve this issue, only changing Tumbler default behavior would, for example, to have thumbnails expire after certain time.

This might not be a issue for every-day users storing family photos, however we use Ubuntu in our corporate environment, and upon reviewing our desktops we found that Tumblr has stored thumbnails for files from removable drives, some in quite large resolutions and on close inspection they could let attacker imply and deduce things, even after they are wiped from drives or not even present on the computer itself. This is why I believe this default functionality is partially flawed, because a non-expert user would never know that such cache of thumbnails exists.

Revision history for this message
Thaddaeus Tintenfisch (thad-fisch-deactivatedaccount) wrote :

Please forward this issue upstream by filing a report on the Xfce bug tracker. Thanks in advance.

https://bugzilla.xfce.org

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.