Account authentication spawning oauth2callback to mardy.it

Bug #1047588 reported by Nicholas Skaggs
204
This bug affects 43 people
Affects Status Importance Assigned to Milestone
Online Accounts: Account plugins
Fix Released
High
Unassigned

Bug Description

Shotwell is causing firefox to open pages for oauth2callbacks to mardy.it:

Example:

http://www.mardy.it/oauth2callback?code=4/BIzdeVFsf1rM....

What's up with this?

https://code.launchpad.net/~mardy/shotwell/update-uoa/+merge/121556

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: shotwell (not installed)
ProcVersionSignature: Ubuntu 3.5.0-13.14-generic 3.5.3
Uname: Linux 3.5.0-13-generic x86_64
ApportVersion: 2.5.1-0ubuntu7
Architecture: amd64
Date: Fri Sep 7 15:34:20 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
SourcePackage: shotwell
UpgradeStatus: Upgraded to quantal on 2012-08-17 (20 days ago)

Revision history for this message
Nicholas Skaggs (nskaggs) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shotwell (Ubuntu):
status: New → Confirmed
Revision history for this message
Clint Rogers (clinton-yorba) wrote :

Hi, and thank you for reporting this.

When you're seeing this, are you building Shotwell from trunk yourself, or are you installing it from the repositories? The reason I ask is because the repository version in 12.10 has been vendor-patched to handle authentication in a different manner than what trunk uses, or, more specifically, the repo version uses Ubuntu Online Accounts, while a trunk build does not.

Revision history for this message
Clint Rogers (clinton-yorba) wrote :

Ah, I retract the question; I see that this is specifically due to a UOA-specific patch. My mistake.

Revision history for this message
Ben Howard (darkmuggle-deactivatedaccount) wrote :

I am seeing this with the unity-lens-photos package installed. I filed a security bug thinking that something nefarious was going on. IMHO, this needs fixing ASAP as it looks like something is misbaving.

Changed in shotwell (Ubuntu):
importance: Undecided → High
Revision history for this message
Keith Drummond (kd353) wrote :

For me Chrome will launch will multiple instance of this callback after login (running Ubuntu 12.10 beta 1, currently up-to-date)

Revision history for this message
Alberto Mardegan (mardy) wrote :

Hi all, and sorry for the mess!
  This bug is caused by a change in the online-accounts-signon-ui, which is now more strict about the URLs it handles; in particular, all non-https URLs (such as "http://www.mardy.it/oauth2callback") are opened in the default browser.
At the same time, we updated the account plugins (source package is online-accounts-account-plugins) not to use that URL; however, all Online Accounts which you might have already created are not automatically updated to use the new settings.

The bug for tracking this is bug 1047191.

*SHORT TERM SOLUTION*

Delete all your accounts from Online Accounts (which is found in the System Settings), and re-create them. Don't worry, this won't cause any data loss.
Sorry again for the inconvenience!

summary: - Shotwell spawning oauth2callback to mardy.it
+ Account authentication spawning oauth2callback to mardy.it
affects: shotwell (Ubuntu) → online-accounts-account-plugins
Revision history for this message
Andrea Corbellini (andrea.corbellini) wrote :

Hi Alberto and thanks for your feedback,

I have some questions about the issue, I would appreciate if you could answer my concerns.

First of all, why is mardy.it used for authentication? This is a domain that has nothing to do with Google, Facebook, Twitter or Ubuntu. Also, its use seems to be totally undocumented. People may think that the 'online accounts' feature is lacking information.

Secondly, I still see mardy.it in online-accounts-account-plugins:

http://bazaar.launchpad.net/~online-accounts/online-accounts-account-plugins/trunk/view/head:/tools/google.sh
http://bazaar.launchpad.net/~online-accounts/online-accounts-account-plugins/trunk/view/head:/tools/google-login.sh

In particular, google.sh is included in the account-plugin-tools Ubuntu package (source: account-plugins). Are there any plans to remove mardy.it from such tools?

Thanks again,
Andrea C.

Revision history for this message
Alberto Mardegan (mardy) wrote :

Hi Andrea!
  "mardy.it" *is not used for authentication* anymore; it's what I've been using while developing on the project, but it's been substituted with another URL with the latest version (I'm using "wiki.ubuntu.com" now). Anyway, this URL is used as final URL during the OAuth authentication process: it's called "callback URL", and it's the URL that the OAuth server will redirect your browser to when the authentication is finished. This URL can be any URL (even a static HTML page, as I was using in my website), we need it just to know when the authentication is finished.
It should be possible to not even load the callback URL (this would definitely address all security concerns); I just created bug 1048177 not to forget about it.

About the google{,-login}.sh scripts, thanks for pointing them out; we'll remove them, as they are not useful anymore (we were using them while the Online Accounts applet was not ready for use).

Revision history for this message
Uri (urisharf) wrote :

I'm still seeing this happening on 12.10 (beta 1) updated today.

Revision history for this message
Andrea Corbellini (andrea.corbellini) wrote :

Alberto,

Many thanks for your feedback, you have addressed my concerns. Also thanks for filing bug #1048177!

Revision history for this message
Alberto Mardegan (mardy) wrote :

@manager: please read comment #7: the issue is not fixed yet, but there's a workaround.

Revision history for this message
mmxbass (mmxbass) wrote :

This bug makes me want to punch myself in the face repeatedly but I can confirm that the workaround in #7 definitely works.

Revision history for this message
Blair Chasteen (darkstormyrain) wrote :

well I think I might mark the bug I filed the other day a duplicate but I need a 2nd opinion.
https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/1048192

This goes beyond google for me. I actually loose authorization to google / aim and now yahoo as of an hour ago plus it freezes the online accounts window after a couple mouse clicks and makes me force close it.

 I only found out about the marty.it auth was linked to shotwell when I was researching its safety just now. Its odd tho I have not used shotwell since before my clean install of alpha 3 and instead use f-spot

Revision history for this message
Blair Chasteen (darkstormyrain) wrote :

and btw I just realized http://www.mardy.it/oauth2callback?code=4/....... opened 27 tabs in my browser most likely while I was using the calculator lens doing some quick math :/

Changed in online-accounts-account-plugins:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.