desktop-packages team mailing list archive

[Bug 1469548] Re: one-click installation of software is a security risk

 

Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to unity-firefox-extension in Ubuntu.
https://bugs.launchpad.net/bugs/1469548

Title:
  one-click installation of software is a security risk

Status in unity-firefox-extension package in Ubuntu:
  New

Bug description:
  since upgrading to ubuntu 14.04 LTS release i have noticed that, in
  firefox (38.0+build3-0ubuntu0.14.04.1), i am offered to install
  software for sites i visit, including launchpad and facebook
  (messenger).  this software can be installed with one click and
  without any user authentication.  this seems like a huge security risk
  to me.  what's more, after installing the software, if i want to
  remove it i am required to enter my password.  this process makes no
  sense to me and there should be at least a password required to
  install the software in the first place.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity-firefox-extension/+bug/1469548/+subscriptions