Saved passwords for HTTPS sites can be accessed by HTTP sites
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Epiphany Browser | Fix Released | High | | |
| epiphany-browser (Ubuntu) | Fix Released | High | Unassigned | |
| Xenial | Fix Released | High | Unassigned | |
| Yakkety | Fix Released | High | Unassigned | |
Bug Description
Impact
======
Saved passwords are accessible by HTTP sites in epiphany 3.18.10-0ubuntu1 for Ubuntu 16.04 LTS, 3.22.5-0ubuntu0.1 for 16.10 and older versions. This means that a man-in-the-middle fake version of a website could capture your password by presenting say a fake http://
This is made worse because JavaScript can be used to collect filled-in form data even if the user has not clicked Submit yet.
This is made worse because Epiphany doesn't yet respect the HSTS headers which force sites that have opted in to be only available via HTTPS.
Test Case
=========
osnews.com is an example of an http-only website that you can log in to.
What will happen upon upgrading is that your http password will only be associated with the https version of the site.
To get your old password, open the app menu at the top left of the screen. Click Preferences. Switch to the Privacy tab and click Manage Passwords. You can right click on the site to copy your password and then manually paste it into your site.
Regression Potential
====================
Moderate but acceptable. The fix for the security bug means that users will have to do more work to get their saved password for an http only website.
Epiphany 3.24 (only available for Ubuntu 17.04+) gives a prominent warning about logging in to http websites, as do Firefox and Google Chrome as of January 2017. So a bit more work is acceptable since users should now be more cautious about logging into http sites.
Other distros shipped these new versions weeks ago.
Testing Done
============
I built these updates and successfully ran them in Ubuntu 16.04 LTS and 16.10. I verified that my osnews.com account was converted to https in the password manager and was not auto-filled in the site. I then was able to manually enter my password to osnews.com and the password was now remembered as http.
Other Info
==========
Fixed upstream in 3.18.11 and 3.22.6:
https:/
https:/
https:/
https:/
https:/
Unfortunately the fix is spread out over several git commits. The new upstream release is minimal enough I think it would be easier and safer to just take the new version. The new version also fixes the critical LP: #1668704 for xenial and a bug breaking twitter for yakkety (see https:/
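The matching rule behind this bug, as an added illustration (not Epiphany's own code): a constructed host-keyed store, the hostname-only lookup that offers a credential saved on the https site to an http page, and the origin-keyed lookup plus the upgrade migration that re-keys saved entries to https only. The store layout, function names and sample entry are assumptions made for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample store as it looked before the fix: keyed by bare hostname,
# so the scheme the credential was saved under is lost. (Assumption: the report
# does not show the real on-disk format; this only models the matching rule.)
LEGACY_STORE = {"osnews.com": ("alice", "hunter2")}


def origin_of(url):
    """Normalise a page URL to its origin: lower-cased scheme and host, explicit port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS[scheme]
    return f"{scheme}://{u.hostname.lower()}:{port}"


def lookup_by_host(store, page_url):
    """Vulnerable rule: hostname match only. A credential saved on the https
    site is offered to http://osnews.com too, so a man-in-the-middle serving a
    plain-http copy of the site gets the autofilled password (and script on
    that page can read the filled-in form before any Submit click)."""
    return store.get(urlsplit(page_url).hostname.lower())


def migrate_to_origins(legacy_store):
    """Upgrade step the report describes: every host-keyed entry is re-keyed
    to the https origin, so it no longer matches the http site."""
    return {f"https://{host}:443": cred for host, cred in legacy_store.items()}


def lookup_by_origin(store, page_url):
    """Fixed rule: scheme, host and port must all match the saved origin."""
    return store.get(origin_of(page_url))


def save_credential(store, page_url, username, password):
    """Store a credential under the full origin of the page it was entered on
    (this is why a manually re-entered osnews.com login is remembered as http)."""
    store[origin_of(page_url)] = (username, password)
    return store


if __name__ == "__main__":
    print("legacy http lookup:", lookup_by_host(LEGACY_STORE, "http://osnews.com/login"))
    fixed = migrate_to_origins(LEGACY_STORE)
    print("fixed http lookup:", lookup_by_origin(fixed, "http://osnews.com/login"))
    print("fixed https lookup:", lookup_by_origin(fixed, "https://osnews.com/login"))
```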
summary: Saved passwords can be accessed by HTTP sites → Saved passwords for HTTPS sites can be accessed by HTTP sites
description: updated
Changed in epiphany-browser (Ubuntu): importance: Undecided → High
Changed in epiphany-browser (Ubuntu Yakkety): importance: Undecided → High
Changed in epiphany-browser (Ubuntu Xenial): importance: Undecided → High
Changed in epiphany-browser: importance: Unknown → High; status: Unknown → Fix Released
Changed in epiphany-browser (Ubuntu): status: Confirmed → Fix Released
Fixed in zesty: https://launchpad.net/ubuntu/+source/epiphany-browser/3.22.6-1ubuntu1