2012-09-25 05:30:04 |
Etienne Perot |
bug |
|
|
added bug |
2012-09-25 05:30:04 |
Etienne Perot |
attachment added |
|
HTTP request to ecx.images-amazon.com https://bugs.launchpad.net/bugs/1055952/+attachment/3340283/+files/dataleak.png |
|
2012-09-25 05:36:27 |
Etienne Perot |
description |
Despite claims from Mark Shuttleworth that data is not sent to Amazon (http://www.markshuttleworth.com/archives/1182), a quick look at Wireshark reveals that all images resulting from search results are downloaded directly from Amazon (see attached picture).
Worse still, the requests are over plain HTTP, even though Amazon offers an SSL service for images (ssl-images-amazon.com).
So while it's technically true that the search terms are not sent to Amazon, the search results are, and that's just as bad. From this, Amazon and any third-party on the line (ISP etc.) gets the user's IP, date, time, and can deduce the search terms through correlation with recent searches or by looking at the name of the products in the result set.
Additionally, the requests contain a fairly unique user-agent: gvfs/1.13.9, which seems to be tied to Gnome. I would imagine that there are not a lot of requests with that user-agent that would hit amazon.com without originating from the Unity Dash. So now Amazon gets to know that I use the Unity Dash to search it.
The query also shows an Accept-Language header; I haven't experimented with other language packs, but it should be relatively obvious that leaking the user's language is not necessary, since those are just static images and the products' title language has already been downloaded from productsearch.ubuntu.com.
How to reproduce:
- Open Wireshark, start capture
- Press the Windows/Meta key
- Type anything
- Check Wireshark output |
Despite claims from Mark Shuttleworth that data is not sent to Amazon (http://www.markshuttleworth.com/archives/1182), a quick look at Wireshark reveals that all images resulting from search results are downloaded directly from Amazon (see attached picture).
Worse still, the requests are over plain HTTP, even though Amazon offers an SSL service for images (ssl-images-amazon.com).
So while it's technically true that the search terms are not sent to Amazon, the search results are, and that's just as bad. From this, Amazon and any third-party on the line (ISP etc.) gets the user's IP, date, time, and can deduce the search terms through correlation with recent searches or by looking at the name of the products in the result set.
Additionally, the requests contain a fairly unique user-agent: gvfs/1.13.9, which seems to be tied to Gnome. I would imagine that there are not a lot of requests that would hit amazon.com with that user agent without originating from the Unity Dash. So now Amazon gets to know that I use the Unity Dash to search it, and how often.
The query also shows an Accept-Language header; I haven't experimented with other language packs, but it should be relatively obvious that leaking the user's language is not necessary, since those are just static images and the products' names have already been downloaded from productsearch.ubuntu.com.
How to reproduce:
- Open Wireshark, start capture
- Press the Windows/Meta key
- Type anything
- Check Wireshark output |
|
2012-09-25 08:22:45 |
Launchpad Janitor |
unity-lens-shopping (Ubuntu): status |
New |
Confirmed |
|
2012-09-26 09:18:34 |
Ben Williams |
bug |
|
|
added subscriber Ben Williams |
2012-09-26 09:49:16 |
Iain Lane |
tags |
privacy quantal |
privacy quantal rls-q-incoming |
|
2012-09-26 13:21:09 |
mikelococo |
bug |
|
|
added subscriber mikelococo |
2012-09-26 14:23:07 |
Anthony Awtrey |
bug |
|
|
added subscriber Anthony Awtrey |
2012-09-26 17:43:05 |
Mario Vukelic |
bug |
|
|
added subscriber Mario Vukelic |
2012-09-26 18:04:19 |
Adam Hunt |
bug |
|
|
added subscriber Adam Hunt |
2012-09-27 11:47:13 |
John Wang |
bug |
|
|
added subscriber John Wang |
2012-09-29 10:08:46 |
Omer Akram |
bug task added |
|
unity-lens-shopping |
|
2012-09-30 10:02:44 |
Ian Higginson |
bug |
|
|
added subscriber Ian Higginson |
2012-10-01 11:58:56 |
Andi Hechtbauer |
bug |
|
|
added subscriber Andi Hechtbauer |
2012-10-01 14:58:57 |
Neil J. Patel |
unity-lens-shopping: status |
New |
Confirmed |
|
2012-10-01 14:59:00 |
Neil J. Patel |
unity-lens-shopping: importance |
Undecided |
High |
|
2012-10-01 14:59:06 |
Neil J. Patel |
unity-lens-shopping: assignee |
|
John Lenton (chipaca) |
|
2012-10-02 17:48:12 |
papukaija |
bug |
|
|
added subscriber papukaija |
2012-10-03 15:59:20 |
Omer Akram |
unity-lens-shopping (Ubuntu): importance |
Undecided |
High |
|
2012-10-09 02:20:46 |
David Vincent |
bug |
|
|
added subscriber David Vincent |
2012-10-10 16:44:17 |
Swâmi Petaramesh |
bug |
|
|
added subscriber Swâmi Petaramesh |
2012-10-12 09:27:37 |
Sebastien Bacher |
tags |
privacy quantal rls-q-incoming |
privacy quantal |
|
2012-10-19 08:01:58 |
Timo Jyrinki |
unity-lens-shopping: milestone |
|
6.12.0 |
|
2012-10-26 21:17:34 |
Nicolas Müller |
bug |
|
|
added subscriber Ubuntu Privacy Team |
2012-10-29 08:17:48 |
Adolfo Jayme Barrientos |
information type |
Public |
Public Security |
|
2012-10-30 10:02:40 |
Marcello Nuccio |
bug |
|
|
added subscriber Marcello Nuccio |
2012-11-08 00:11:37 |
Marius B. Kotsbak |
bug |
|
|
added subscriber Marius Kotsbak |
2012-12-02 03:56:36 |
Benjamin Kraus |
bug |
|
|
added subscriber Benjamin Kraus |
2012-12-08 10:03:03 |
Andrea Corbellini |
bug |
|
|
added subscriber Andrea Corbellini |
2012-12-11 19:51:04 |
Nick Andrik |
bug |
|
|
added subscriber Nick Andrik |
2012-12-14 07:01:48 |
unimatrix9 |
bug |
|
|
added subscriber unimatrix9 |
2012-12-14 07:46:16 |
Karma Dorje |
bug |
|
|
added subscriber Karma Dorje |
2013-01-08 20:51:58 |
Kerem Hadımlı |
bug |
|
|
added subscriber Kerem Hadımlı |
2013-02-01 08:01:58 |
Philippe Escarbassière |
bug |
|
|
added subscriber Philippe Escarbassière |
2013-02-09 16:58:06 |
Drey |
bug |
|
|
added subscriber Drey |
2013-02-21 19:32:02 |
oriolpont |
bug |
|
|
added subscriber oriolpont |
2013-04-10 19:30:31 |
Tv |
bug |
|
|
added subscriber Tv |
2013-04-19 11:06:06 |
papukaija |
tags |
privacy quantal |
privacy quantal raring |
|
2013-06-07 16:07:01 |
Alberto Salvia Novella |
unity-lens-shopping (Ubuntu): status |
Confirmed |
Triaged |
|
2013-06-18 16:07:43 |
mindbox |
bug |
|
|
added subscriber nemesisgus |
2013-07-08 07:52:14 |
Grant Woodford |
bug |
|
|
added subscriber Grant Woodford |
2014-04-06 07:32:29 |
Drey |
removed subscriber Drey |
|
|
|
2019-01-12 22:44:28 |
Mario Vukelic |
removed subscriber Mario Vukelic |
|
|
|