On app removal, account access permissions persist

Bug #1417261 reported by Niklas Wenzel
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Online Accounts setup for Ubuntu Touch | Confirmed | Low | Alberto Mardegan |
ubuntu-system-settings-online-accounts (Ubuntu) | Confirmed | Low | Unassigned |

Bug Description

How to reproduce:

1) Install an app which uses online accounts.
2) Uninstall it.
3) Reinstall the application OR ANOTHER APP WITH THE SAME NAMESPACE and it will still be able to access the online account.

I could see this being used for phishing when the user is asked to manually install a click package with the same namespace as another app, which would then allow bad entities to have access to the online accounts of the original app.
It could either be presented as a completely separate app when the user has removed the original one or as an "official version" by the people doing the phishing.

Therefore, I vote for removing account information from apps when they are uninstalled.
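The reproduction steps above, as an added example that is not part of the original report and is not the Online Accounts code: a simplified model in which grants are keyed only by the `<package>_<application>` identifier, run once with grants persisting and once with purge on removal. The class, function names, package name and account name are all constructed for illustration.

```python
"""Simplified model (an assumption, not the project's code) of account grants keyed by app ID."""

def app_id(package, application):
    # Identifier form discussed in the report: <package>_<application>
    return f"{package}_{application}"

class AccountStore:
    def __init__(self, purge_on_removal):
        self.purge_on_removal = purge_on_removal
        self.installed = set()
        self.acl = {}  # account name -> set of app IDs allowed to use it

    def install(self, package, application):
        self.installed.add(app_id(package, application))

    def grant(self, account, package, application):
        self.acl.setdefault(account, set()).add(app_id(package, application))

    def uninstall(self, package, application):
        aid = app_id(package, application)
        self.installed.discard(aid)
        if self.purge_on_removal:
            # Proposed behaviour: drop every grant held by the removed app.
            for allowed in self.acl.values():
                allowed.discard(aid)

    def can_access(self, account, package, application):
        aid = app_id(package, application)
        return aid in self.installed and aid in self.acl.get(account, set())

    def orphaned_grants(self):
        """Audit check: grants whose app ID is no longer installed."""
        return sorted((acct, aid) for acct, allowed in self.acl.items()
                      for aid in allowed if aid not in self.installed)

def reproduce(purge_on_removal):
    store = AccountStore(purge_on_removal)
    store.install("com.example.mail", "mail")           # step 1 (constructed names)
    store.grant("user@example.org", "com.example.mail", "mail")
    store.uninstall("com.example.mail", "mail")         # step 2
    orphans = store.orphaned_grants()
    # Step 3: a package carrying the same identifier is installed afterwards.
    store.install("com.example.mail", "mail")
    return store.can_access("user@example.org", "com.example.mail", "mail"), orphans

if __name__ == "__main__":
    print("grants persist:  ", reproduce(False))
    print("purge on removal:", reproduce(True))
```

The `orphaned_grants` check is the part a defender can reuse: any grant that names an identifier with no installed package behind it is a candidate for cleanup.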

Alberto Mardegan (mardy) wrote :

Hi Niklas, I agree that removing all apps information when they are deleted is the right thing to do (also to clean up things).
However, I'm not sure what you mean by "another app with the same namespace": by "namespace", do you mean the <package>_<application> combination, or what?

Niklas Wenzel (nikwen) wrote : Re: [Bug 1417261] Re: On app removal, account access permissions persist

Hi Alberto,

Yes, that's what I mean. I heard people refer to that as the
"namespace" so I thought it would be the proper word to use here.

On Tue, 3 Feb 2015 at 2:17, Alberto Mardegan
<email address hidden> wrote:
> Hi Niklas, I agree that removing all apps information when they are
> deleted is the right thing to do (also to clean up things).
> However, I'm not sure what you mean by "another app with the same
> namespace": by "namespace", do you mean the <package>_<application>
> combination, or what?

Alberto Mardegan (mardy)
Changed in ubuntu-system-settings-online-accounts (Ubuntu):
status: New → Confirmed
Changed in ubuntu-system-settings-online-accounts:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Alberto Mardegan (mardy)
Alberto Mardegan (mardy)
Changed in webapps-sprint:
assignee: nobody → Alberto Mardegan (mardy)
status: New → Confirmed
importance: Undecided → High
no longer affects: webapps-sprint
Alberto Mardegan (mardy) wrote :

Actually, I implemented the fix for this in the new JSON "accounts" hook. We can indeed backport the changes to the old-style hooks, but since they are going to be deprecated (they'll trigger a click-review alert since 16.10) I don't see this as a priority.

Changed in ubuntu-system-settings-online-accounts:
importance: High → Low
Changed in ubuntu-system-settings-online-accounts (Ubuntu):
importance: Undecided → Low
Niklas Wenzel (nikwen) wrote :

Thanks, Alberto. :)
