
Communicates with server in plaintext

Reported by Iain Lane on 2012-09-22
404
This bug affects 33 people
Affects: unity-lens-shopping (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

If we look into the source, we can see

  private const string OFFERS_BASE_URI = "http://productsearch.ubuntu.com";

and no further mangling to actually use HTTPS, meaning that my searches in the dash are sent over the internet in plain text by default. Please could we get these encrypted?

Thanks.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity-lens-shopping (Ubuntu):
status: New → Confirmed
Jeremy Bicha (jbicha) wrote :

I'm not a security expert but I think this could also open the door to a MITM phishing attack. A user could click a link (sent from a server pretending to be productsearch.ubuntu.com) thinking they are buying from amazon.com but instead the login information is being read by a malicious third party before being somewhat transparently passed on to amazon for order completion.

security vulnerability: no → yes
Jeremy Bicha (jbicha) wrote :

So we need HTTPS with certificate validation.

Fred (eldmannen+launchpad) wrote :

Also, the string doesn't end with a slash as it should. It should be .com/ with the slash at the end to make the domain fully-qualified to prevent a domain from being suffixed, such as ubuntu.com.evil.example.com

Sami Jaktholm (sjakthol) wrote :

If we look at the build_search_uri function in scope.vala, we see that the scope actually looks up the product search server URI from the environment variable OFFERS_URI first. Only if there is no OFFERS_URI environment variable is OFFERS_BASE_URI used.

So basically you just need to set the OFFERS_URI environment variable to point to your favorite productsearch.ubuntu.com look-alike and you're ready to go.
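The thread asks for HTTPS with certificate validation and points out that OFFERS_URI from the environment is consulted before the hard-coded default. The following is an added example, not code from unity-lens-shopping (which is written in Vala); it is in Python so the checks can be shown concretely: the default base URI becomes https, an OFFERS_URI override is honoured only if it is https and names exactly the expected host (so a host such as productsearch.ubuntu.com.evil.example.com or a userinfo trick is rejected), and the client TLS context verifies both the certificate chain and the hostname. DEFAULT_OFFERS_URI, EXPECTED_HOST, the /v1/search path and the function names are assumptions of this example, not identifiers from the project.

```python
"""Added example (not unity-lens-shopping code): choose the product-search base
URI safely and make requests to it over verified TLS.

Assumptions of this example: DEFAULT_OFFERS_URI, EXPECTED_HOST, the /v1/search
path and all function names are illustrative, not taken from the project.
"""
import os
import ssl
from urllib.parse import urlsplit, urlunsplit, urlencode

# Assumed hardened default; the original source uses "http://productsearch.ubuntu.com".
DEFAULT_OFFERS_URI = "https://productsearch.ubuntu.com/"
EXPECTED_HOST = "productsearch.ubuntu.com"


def uri_is_acceptable(uri):
    """Accept a base URI only if it is https and points at exactly EXPECTED_HOST."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False
    # urlsplit lower-cases the host and strips userinfo and port, so
    # "productsearch.ubuntu.com.evil.example.com" does not compare equal, and
    # "https://productsearch.ubuntu.com@evil.example.com/" yields hostname
    # "evil.example.com".
    if parts.hostname != EXPECTED_HOST:
        return False
    # Refuse userinfo and any port other than the https default.
    if parts.username is not None or parts.port not in (None, 443):
        return False
    return True


def resolve_offers_uri(env=None):
    """Return the base URI, honouring an OFFERS_URI override only if it passes the checks."""
    env = os.environ if env is None else env
    override = env.get("OFFERS_URI")
    if override and uri_is_acceptable(override):
        return override
    return DEFAULT_OFFERS_URI


def build_search_uri(query, env=None):
    """Build the search URL for one dash query against the resolved base URI."""
    base = urlsplit(resolve_offers_uri(env))
    path = base.path.rstrip("/") + "/v1/search"  # assumed search path
    return urlunsplit((base.scheme, base.netloc, path, urlencode({"q": query}), ""))


def tls_context():
    """Client TLS context that verifies the certificate chain and the hostname."""
    ctx = ssl.create_default_context()
    # create_default_context already sets both; state the intent explicitly so
    # a later edit cannot silently relax it.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies_peer(ctx):
    """True if the context will reject an unverifiable or mis-named certificate."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    # Constructed overrides an attacker might set in the lens's environment.
    for env in ({}, {"OFFERS_URI": "http://evil.example.com/"},
                {"OFFERS_URI": "https://productsearch.ubuntu.com.evil.example.com/"}):
        print(env, "->", build_search_uri("blue laptop", env))
    print("verifies peer:", context_verifies_peer(tls_context()))
```

The scheme check alone would not stop a DNS or routing attacker; it is the verified TLS context (chain plus hostname) that ties the connection to the real productsearch.ubuntu.com, and the exact-host comparison keeps the environment override from redirecting the lens elsewhere even over https.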

This report contains Public Security information. Everyone can see this security related information.
