Doesn't go to gmail on click, major security flaw

Bug #574062 reported by higgs.timmy@googlemail.com
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Gnome Gmail Notifier | Unknown | Unknown | |
gnome-gmail-notifier (Ubuntu) | Confirmed | High | Unassigned |

Bug Description

Binary package hint: gnome-gmail-notifier

When I click on the applet in the notification area, rather than redirecting the browser to gmail, it tries to go to a web address which looks like:
https://www.google.com/accounts/ServiceLoginAuth?ltmpl=default&ltmplcache=2&continue=https://mail.google.com/mail/%3F&service=mail&rm=false&Email=MYEMAILADDRESS&Passwd=MYPASSWORD&rmShown=1&signIn=Sign+in
To me, this either means it is broadcasting my password for all to see (VERY MAJOR SECURITY PROBLEM) or someone only has to click on the applet whilst I'm not looking and they have access to pretty much everything.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: gnome-gmail-notifier 0.10.1-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-21.32-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-21-generic i686
Architecture: i386
CheckboxSubmission: 06e2e821c599a7e6a6d0dffe7ed519f8
CheckboxSystem: 669b662da410063cc918e0f60cf6cddf
Date: Mon May 3 00:08:29 2010
ProcEnviron:
 LANG=en_GB.utf8
 SHELL=/bin/bash
SourcePackage: gnome-gmail-notifier

higgs.timmy@googlemail.com (higgs-timmy) wrote :
description: updated
Marc Deslauriers (mdeslaur) wrote :
visibility: private → public
Changed in gnome-gmail-notifier (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Hartog de Mik (hartog-de-mik) wrote :

Leaving your screen unlocked and unattended is always a security risk.

And granted, it would be nicer if the applet just brought you to http://gmail.com/ without adding your password in the URL for all proxies to log.
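
Added example (not part of the bug report or of gnome-gmail-notifier's code): a small check that finds and redacts password-bearing query parameters in URLs, such as the one quoted in the bug description, when reviewing browser history or proxy logs. The parameter names other than Passwd, the log line layout and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets. "Passwd" is the name used in the
# reported URL; the other names are assumptions added for illustration.
SECRET_PARAMS = {"passwd", "password", "pass", "pwd"}

# URL shape from the bug description, with the reporter's own placeholders.
REPORTED_URL = (
    "https://www.google.com/accounts/ServiceLoginAuth?ltmpl=default"
    "&ltmplcache=2&continue=https://mail.google.com/mail/%3F&service=mail"
    "&rm=false&Email=MYEMAILADDRESS&Passwd=MYPASSWORD&rmShown=1&signIn=Sign+in"
)

# Constructed sample lines (timestamp, method, URL); not real log data.
SAMPLE_LINES = [
    "2010-05-03T00:08:29 GET https://mail.google.com/mail/",
    "2010-05-03T00:08:31 GET " + REPORTED_URL,
]


def find_secret_params(url):
    """Return the names of non-empty secret parameters in the query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in pairs
            if name.lower() in SECRET_PARAMS and value]


def redact_url(url, mask="REDACTED"):
    """Return the URL with every secret parameter value replaced by mask."""
    parts = urlsplit(url)
    pairs = [(name, mask if name.lower() in SECRET_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_lines(lines):
    """Return (line number, redacted URL, parameter names) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in line.split():
            if token.startswith(("http://", "https://")):
                names = find_secret_params(token)
                if names:
                    hits.append((number, redact_url(token), names))
    return hits


if __name__ == "__main__":
    for number, url, names in scan_lines(SAMPLE_LINES):
        print(f"line {number}: secret parameter(s) {names} in {url}")
```
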

This report contains Public Security information  
Everyone can see this security related information.
