Communicates with server in plaintext

Bug #1054677 reported by Iain Lane on 2012-09-22
This bug affects 33 people
Affects: unity-lens-shopping (Ubuntu)

Bug Description

If we look into the source, we can see

  private const string OFFERS_BASE_URI = "";

and no further mangling to actually use HTTPS, meaning that my searches in the dash are sent over the internet in plain text by default. Please could we get these encrypted?


Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity-lens-shopping (Ubuntu):
status: New → Confirmed

Jeremy Bicha (jbicha) wrote:

I'm not a security expert, but I think this could also open the door to a MITM phishing attack. A user could click a link (sent from a server pretending to be thinking they are buying from but instead the login information is being read by a malicious third party before being somewhat transparently passed on to amazon for order completion.

security vulnerability: no → yes

Jeremy Bicha (jbicha) wrote:

So we need HTTPS with certificate validation.

Fred (eldmannen+launchpad) wrote:

Also, the string doesn't end with a slash as it should. It should be .com/ with the slash at the end to make the domain fully-qualified to prevent a domain from being suffixed, such as

Sami Jaktholm (sjakthol) wrote:

If we look at the build_search_uri function in scope.vala, we see that the scope actually looks up the product search server URI from the environment variable OFFERS_URI first. Only if there is no OFFERS_URI environment variable is OFFERS_BASE_URI used.

So basically you just need to set the OFFERS_URI environment variable to point to your favorite look-alike and you're ready to go.
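The two points raised above (Fred's trailing-slash remark and Sami's observation that an environment variable can redirect the scope) are both about how the search URI is assembled. The following is an added illustration of the defensive version of that construction; it is not the unity-lens-shopping code, and the names DEFAULT_OFFERS_BASE_URI, ALLOWED_HOSTS, validate_base_uri, resolve_base_uri and build_search_uri, as well as the placeholder host shop.example.com, are assumptions. It shows why the base must be HTTPS, why the host should be pinned to an allowlist rather than trusted from the environment, and what a missing trailing slash does when a relative path is joined onto the base.

```python
"""Defensive construction of a product-search URI.

Added illustration, not the scope's own code. DEFAULT_OFFERS_BASE_URI,
ALLOWED_HOSTS and the function names below are hypothetical, and
shop.example.com is a placeholder host.
"""
from typing import Optional
from urllib.parse import urlencode, urljoin, urlsplit

# Placeholder default; the real default value is not reproduced here.
DEFAULT_OFFERS_BASE_URI = "https://shop.example.com/search/"
ALLOWED_HOSTS = {"shop.example.com"}


def validate_base_uri(uri: str) -> str:
    """Return uri unchanged if it is acceptable, otherwise raise ValueError.

    Checks: https scheme only (no plaintext), host on the allowlist (a
    look-alike host such as shop.example.com.attacker.test is rejected),
    no query/fragment in the base, and a trailing slash so that later joins
    extend the path instead of replacing its last segment.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS base URI: {uri!r}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing unexpected host: {parts.hostname!r}")
    if parts.query or parts.fragment:
        raise ValueError("base URI must not carry a query or fragment")
    if not parts.path.endswith("/"):
        raise ValueError(f"base URI must end with '/': {uri!r}")
    return uri


def resolve_base_uri(env: dict) -> str:
    """Honour an OFFERS_URI override only if it passes the same checks.

    The environment is passed in explicitly instead of reading os.environ,
    so the behaviour can be exercised without touching the real process
    environment. An override that fails validation is ignored and the
    vetted default is used.
    """
    override = env.get("OFFERS_URI")
    if override:
        try:
            return validate_base_uri(override)
        except ValueError:
            pass  # fall through to the default
    return validate_base_uri(DEFAULT_OFFERS_BASE_URI)


def build_search_uri(query: str, env: Optional[dict] = None) -> str:
    """Build the search URI, carrying the query as an encoded parameter."""
    base = resolve_base_uri(env or {})
    return urljoin(base, "?" + urlencode({"q": query}))


def join_path(base: str, relative: str) -> str:
    """Plain RFC 3986 join, used to show the trailing-slash effect:
    'https://h/search' + 'offers' -> 'https://h/offers', whereas
    'https://h/search/' + 'offers' -> 'https://h/search/offers'."""
    return urljoin(base, relative)


if __name__ == "__main__":
    # Constructed inputs: a valid override, a plaintext one and a look-alike host.
    for env in ({}, {"OFFERS_URI": "https://shop.example.com/v2/"},
                {"OFFERS_URI": "http://shop.example.com/search/"},
                {"OFFERS_URI": "https://shop.example.com.attacker.test/search/"}):
        print(env, "->", build_search_uri("red shoes", env))
    print(join_path("https://shop.example.com/search", "offers"))
    print(join_path("https://shop.example.com/search/", "offers"))
```

Rejecting a bad override and silently using the default is a deliberate choice here: the scope keeps working, but a user (or a hostile environment) cannot point it at a plaintext or look-alike endpoint. Certificate validation, which Jeremy asks for, is a property of the HTTP client that fetches the URI and is not shown in this block.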

This report contains Public Security information. Everyone can see this security related information.