[security] update-notifier auto popups maybe spoofed by the webbrowser
Bug #370248 reported by
Peter Cooper
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| update-notifier (Ubuntu) |
Expired
|
Low
|
Unassigned | ||
Bug Description
The current Update Notifier opens an unsolicited window, with an expectation that the user should enter his password to perform an update. This could be copied by a malware applet running in Firefox.
e.g. The user is running firefox (or any other web browser), he minimises the browser and finds a look-alike window asking him to perform an update, as part of this process he will need to enter his password. With the current proposals this is an expected activity for the user and he may then do as requested, thus giving away his password.
| visibility: | private → public |
| Changed in ubuntu: | |
| importance: | Undecided → Low |
| affects: | ubuntu → update-notifier (Ubuntu) |
| Changed in update-notifier (Ubuntu): | |
| status: | New → Confirmed |
| summary: |
- Update Notifier Security Issue + [security] update-notifier popup maybe spoofed by the webbrowser |
| summary: |
- [security] update-notifier popup maybe spoofed by the webbrowser + [security] update-notifier auto popups maybe spoofed by the webbrowser |
Revision history for this message
| Matthew Paul Thomas (mpt) wrote | #1 |
| Changed in update-notifier (Ubuntu): | |
| status: | Confirmed → Incomplete |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in update-notifier (Ubuntu): | |
| status: | Incomplete → Expired |
To post a comment you must log in.
I think this bug report is invalid. For several years Web browsers have insisted on showing the address bar, or the status bar, or both, in any popup window as a way of distinguishing it from native application windows. Can you provide a demo which avoids this security measure?
If it was possible to fake the gksudo window in this way it would also be possible to fake the PolicyKit dialog, or Seahorse's Change Password dialog, or the password dialogs from Evolution or Thunderbird or Pidgin or any other program that uses passwords, in exactly the same way. So the problem would still need to be fixed in the Web browser.