An app can see whether you have an account without permission

Bug #1479747 reported by Matthew Paul Thomas
Affects: ubuntu-system-settings-online-accounts (Ubuntu)
Status: In Progress
Importance: High
Assigned to: Alberto Mardegan
Milestone: (not set)

Bug Description

Ubuntu 15.04 r74

1. In Online Accounts, set up a Google account.
2. Install the Calendar app.
3. From the Calendar app's kebab menu, choose "Calendars".

What you see: Your Google account is already listed as a calendar.

What you should see: The Google account is not listed, because you haven't given permission for the app to know that it exists.

This is a privacy violation: it means that a service can see whether you have an account with a competing service when that's none of their business. For example, it means that a Facebook app could tell whether you have a Twitter account, or vice versa; a Flickr app could tell whether you have an Instagram account, or vice versa; a Strava app could tell whether you have a Fitbit account, and so on.

<https://wiki.ubuntu.com/OnlineAccounts#App_access>: "An app should have no idea whether you have any accounts of a particular type stored in Online Accounts. It should merely ask for access to an account of a particular type."

Alberto Mardegan (mardy)
Changed in ubuntu-system-settings-online-accounts (Ubuntu):
status: New → In Progress
assignee: nobody → Alberto Mardegan (mardy)
importance: Undecided → High
Alberto Mardegan (mardy) wrote :

The OA API is designed in such a way that hiding this information is far from being a trivial task.
We are working on a new version of the API, which doesn't have these shortcomings. That will be the only accounts API provided with framework 15.10 and later.
Unfortunately, in order not to break compatibility for apps using older frameworks, we cannot simply remove the old API; if this bug is considered worth it, we can work on turning the old API into a wrapper for the new one, so that it will still continue working but it won't provide any info about the accounts which the application cannot access.
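Editor's added illustration, not code from Online Accounts or from anyone in this thread, of the two designs contrasted above: an enumeration-style API that hands every account of a provider to any caller, beside an access-request API (per the wiki text quoted in the description) whose compatibility wrapper for the old call returns only accounts the app has already been granted. All class and function names (AccountStore, LegacyAccountsApi, AccessControlledAccountsApi, build_demo) and the sample account are invented for the example. The property worth checking is that a refused app gets the same empty answer whether or not the account exists, so it cannot tell the two apart.

```python
"""Toy model of the two Online Accounts designs discussed in this bug.

Added illustration only; none of these names exist in Online Accounts.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    account_id: int
    provider: str       # e.g. "google", "twitter"
    display_name: str


@dataclass
class AccountStore:
    """System-wide store: the user's accounts plus per-app decisions."""
    accounts: list = field(default_factory=list)
    granted: set = field(default_factory=set)   # (app_id, account_id)
    denied: set = field(default_factory=set)    # (app_id, account_id)


class LegacyAccountsApi:
    """Old design: any app can enumerate every account of a provider.

    The caller's identity is never consulted, so merely calling
    list_accounts() reveals whether the user has such an account."""

    def __init__(self, store: AccountStore):
        self._store = store

    def list_accounts(self, app_id: str, provider: str) -> list:
        return [a for a in self._store.accounts if a.provider == provider]


class AccessControlledAccountsApi:
    """New design: an app asks for access and learns only what it is granted.

    ask_user(app_id, account) stands in for the trusted system prompt; the
    app never sees the prompt or the candidate accounts, only the outcome."""

    def __init__(self, store: AccountStore, ask_user):
        self._store = store
        self._ask_user = ask_user

    def request_access(self, app_id: str, provider: str) -> list:
        result = []
        for acct in self._store.accounts:
            if acct.provider != provider:
                continue
            key = (app_id, acct.account_id)
            if key not in self._store.granted and key not in self._store.denied:
                # Remember the answer either way so a denied app cannot probe
                # by re-asking, and the user is not prompted repeatedly.
                (self._store.granted if self._ask_user(app_id, acct)
                 else self._store.denied).add(key)
            if key in self._store.granted:
                result.append(acct)
        return result

    def list_accounts(self, app_id: str, provider: str) -> list:
        """Compatibility wrapper with the old signature: returns only accounts
        this app already holds a grant for, so an app that was never granted
        anything gets the same empty answer whether or not the account exists."""
        return [a for a in self._store.accounts
                if a.provider == provider
                and (app_id, a.account_id) in self._store.granted]


def build_demo():
    """Constructed scenario: one Google account; a calendar app the user
    approves and a competitor app the user refuses."""
    store = AccountStore(accounts=[Account(1, "google", "user@example.com")])
    decisions = {"calendar-app": True, "competitor-app": False}
    modern = AccessControlledAccountsApi(
        store, lambda app_id, acct: decisions.get(app_id, False))
    return LegacyAccountsApi(store), modern


if __name__ == "__main__":
    legacy, modern = build_demo()
    print("legacy, competitor:", legacy.list_accounts("competitor-app", "google"))
    print("modern, competitor:", modern.request_access("competitor-app", "google"))
    print("modern, calendar:  ", modern.request_access("calendar-app", "google"))
```

Recording refusals as well as grants matters: if only grants were stored, a refused app could keep re-requesting and, from the user's point of view, re-prompting; and in a real implementation the prompt must be drawn by the trusted settings service, not by the requesting app, or the app could infer account existence from whether a prompt appears at all.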

This report contains Public Security information
