Communicates with server in plaintext

Bug #1054677 reported by Iain Lane
This bug affects 33 people
Affects: unity-lens-shopping (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

If we look into the source, we can see

  private const string OFFERS_BASE_URI = "http://productsearch.ubuntu.com";

and no further mangling to actually use HTTPS, meaning that my searches in the dash are sent over the internet in plain text by default. Please could we get these encrypted?

Thanks.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity-lens-shopping (Ubuntu):
status: New → Confirmed
Jeremy Bícha (jbicha) wrote :

I'm not a security expert but I think this could also open the door to a MITM phishing attack. A user could click a link (sent from a server pretending to be productsearch.ubuntu.com) thinking they are buying from amazon.com but instead the login information is being read by a malicious third party before being somewhat transparently passed on to amazon for order completion.

security vulnerability: no → yes
Jeremy Bícha (jbicha) wrote :

So we need HTTPS with certificate validation.

Fred (eldmannen+launchpad) wrote :

Also, the string doesn't end with a slash as it should. It should be .com/ with the slash at the end to make the domain fully-qualified to prevent a domain from being suffixed, such as ubuntu.com.evil.example.com

Sami Jaktholm (sjakthol) wrote :

If we look at the build_search_uri function in scope.vala, we see that the scope actually looks up the product search server URI in the OFFERS_URI environment variable first. Only if there is no OFFERS_URI environment variable is OFFERS_BASE_URI used.

So basically you just need to set the OFFERS_URI environment variable to point to your favorite productsearch.ubuntu.com look-alike and you're ready to go.
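As an added example (not the scope's own Vala code), this Python sketch resolves the offers URI in the override order Sami describes, but only honours an OFFERS_URI override that passes an https and exact-host check, which covers the plaintext transport, the look-alike host and the suffixed-domain concern raised in the thread. The hardened default constant and the validate_offers_uri/resolve_offers_uri names are assumptions made for this example.

```python
# Added example, not unity-lens-shopping code: a hardened version of the
# URI resolution described in the bug. The real scope reads OFFERS_URI from
# the environment and otherwise falls back to a plaintext http:// constant.
from urllib.parse import urlsplit

# Assumed hardened default: the page's constant with https and a trailing slash.
OFFERS_BASE_URI = "https://productsearch.ubuntu.com/"
ALLOWED_HOST = "productsearch.ubuntu.com"


def validate_offers_uri(uri):
    """Return uri if it is an https URI for exactly ALLOWED_HOST, else None."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return None  # plaintext transport: searches would leave the machine unencrypted
    if parts.hostname != ALLOWED_HOST:
        return None  # exact match, so productsearch.ubuntu.com.evil.example.com fails
    if parts.port not in (None, 443) or parts.username or parts.password:
        return None  # no unexpected ports and no credentials embedded in the URI
    return uri


def resolve_offers_uri(env):
    """Mirror the OFFERS_URI-then-constant order, accepting only a safe override.

    env is a mapping like os.environ; it is passed in so the function runs offline.
    """
    override = env.get("OFFERS_URI")
    if override is not None:
        checked = validate_offers_uri(override)
        if checked is not None:
            return checked
        # An unsafe override is ignored rather than silently honoured.
    return OFFERS_BASE_URI


def main():
    # Constructed sample environments illustrating the cases from the thread.
    samples = [
        {},
        {"OFFERS_URI": "http://productsearch.ubuntu.com"},
        {"OFFERS_URI": "https://productsearch.ubuntu.com.evil.example.com/"},
        {"OFFERS_URI": "https://productsearch.ubuntu.com/"},
    ]
    for env in samples:
        print(env.get("OFFERS_URI"), "->", resolve_offers_uri(env))


if __name__ == "__main__":
    main()
```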

This report contains Public Security information  
Everyone can see this security related information.
