OA gives out all tokens to any app

Do you have signon-apparmor-extension installed?

I did not have that package installed. I installed it now, rebooted the phone but there's no change. The app still prints all the tokens.

Is the app "authorized" to use those accounts, in System Settings > OA > Google Account > "badhat" ON|OFF ?

To verify that the extension is properly activated, you can use the account tester application, at the bottom of the test plan:
https://wiki.ubuntu.com/Process/Merges/TestPlan/ubuntu-system-settings-online-accounts

In particular, once the extensions is active, you cannot retrieve the token (password in the case of the dummy account type used for testing).

No, the badapp does not show up in the accounts settings at all.

I installed the account-tester application and followed the test case (button background was red and then turned green once I granted access to the test app).

I realized that there is actually a difference after installing the signon-apparmor-extension. For password-based accounts like Ubuntu One, or the test account I do get Authentication failures after installing it. Before I didn't get them. However, even after installing the extension, the app gets access to token based accounts like my Evernote account and my Fitbit account.

This is not a duplicate, it's a bug affecting signond and/or the authentication plugins, which shouldn't block the seeding of the signon-apparmor-extension.

I can confirm this bug, and I understand why it happens. I still need to determine if the right place to fix it is signond or the signon-plugin-oauth2.
Indeed, only accounts using the oauth plugin are affected.

Is there any point keeping this private due to the lack of signon-apparmor-extension on devices?

This is CVE-2014-1423

This will need an update to utopic-security as well (for when rtm syncs back up).

Just to add some more information in order to have a more clear idea of the seriousness of this bug: accounts which are created when the signon-apparmor-extension is installed will work fine: apps won't be able to abuse them.

This bug only affects the accounts which were created when the extension was not installed: even if the extension gets installed later on, the ACL checks will be bypassed and any app can get access to any account.

Fixing this bug will make all accounts (regardless of when they were created) be protected by the ACL once the signon-apparmor-extension is installed.

Adding rtm14 ota-1 touch-2014-11-27. This needs to be fixed for RTM branch when bug #1376445 is fixed, but bug #1376445 is targeted for ota-1.

Confirming as this security issue was agreed to be fixed in first update

To finish the landing of the fix, I think we need :
- a backport of signon-apparmor-extension to rtm-14.09
- the addition of the package to the corresponding touch seed

Thanks

This bug was fixed in the package ubuntu-touch-meta - 1.200

---------------
ubuntu-touch-meta (1.200) 14.09; urgency=medium

  * Refreshed dependencies (LP: #1413622), (LP: #1392380)
  * Added signon-apparmor-extension
  * Added ubuntu-keyboard-azerbaijani
  * Added ubuntu-keyboard-bosnian
  * Added ubuntu-keyboard-catalan
  * Added ubuntu-keyboard-croatian
  * Added ubuntu-keyboard-emoji
 -- Oliver Grawert <email address hidden> Fri, 23 Jan 2015 22:04:23 +0100

FYI, after talking with David Barth, it looks like all the pieces landed in ubuntu-rtm, but signon-apparmor-extension is not installed yet on the images so the bug isn't quite fixed yet.

This bug was fixed in the package ubuntu-touch-meta - 1.202

---------------
ubuntu-touch-meta (1.202) 14.09; urgency=medium

  * Refreshed dependencies (LP: #1392380)
  * Added signon-apparmor-extension
 -- Ricardo Salveti de Araujo <email address hidden> Tue, 17 Feb 2015 19:04:51 -0200