heybuddy bypasses certificate checking when verifying credentials
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
heybuddy | Fix Released | Critical | jezra |
Bug Description
Inspired by http://
1. Start heybuddy
2. Provide some invented username and password and "badcert.
3. Submit
4. Watch heybuddy connecting and failing "Service Not Found" (as said, there is no StatusNet instance)
Look in the logfile of my apache:
my.ip.addr.ess - - [16/Jun/
The request comes from Communicator.
et voila, my password would have been sent to someone who could hijack my connection/
Python's urllib is sadly not the best thing to handle that stuff :(
Changed in heybuddy: status: Confirmed → Fix Committed
Changed in heybuddy: status: Fix Committed → Fix Released
Thanks for bringing this to my attention. I have a feeling this is going to be a difficult fix for the Maemo version.