group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1661805] Re: Saved passwords for HTTPS sites can be accessed by HTTP sites

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1661805@xxxxxxxxxxxxxxxxxx>
Date: Thu, 30 Mar 2017 21:44:41 -0000
Reply-to: Bug 1661805 <1661805@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package epiphany-browser - 3.22.6-0ubuntu1

---------------
epiphany-browser (3.22.6-0ubuntu1) yakkety-security; urgency=medium

  * SECURITY UPDATE: Saved passwords were viewable by a man-in-the-middle
    attack website. This has been mitigated by moving all existing saved
    http passwords to https. If a website you use is http-only, you can
    find your old password in Preferences>Privacy>Manage Passwords.
    - Fixed in new upstream security release 3.22.6 (LP: #1661805)
      + New upstream release also fixes adblocker being too aggressive
        and breaking Twitter

 -- Jeremy Bicha <jbicha@xxxxxxxxxx>  Sun, 19 Mar 2017 18:46:17 -0400

** Changed in: epiphany-browser (Ubuntu Yakkety)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1661805

Title:
  Saved passwords for HTTPS sites can be accessed by HTTP sites

Status in Epiphany Browser:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in epiphany-browser source package in Xenial:
  Fix Released
Status in epiphany-browser source package in Yakkety:
  Fix Released

Bug description:
  Impact
  ======
  Saved passwords are accessible by HTTP sites in epiphany 3.18.10-0ubuntu1 for Ubuntu 16.04 LTS, 3.22.5-0ubuntu0.1 for 16.10 and older versions. This means that a man-in-the-middle fake version of a website could capture your password by presenting say a fake http://facebook.com/

  This is made worse because Javascript can be used to collect filled-in
  form data even if the user has not clicked Submit yet.

  This is made worse because Epiphany doesn't yet respect the HSTS
  headers which force sites that have opted in to be only available via
  HTTPS.

  Test Case
  =========
  osnews.com is an example of an http-only website that you can log in to.
  What will happen upon upgrading is that your http password will only be associated with the https version of the site.

  To get your old password, open the app menu at the top left of the
  screen. Click Preferences. Switch to the Privacy tab and click Manage
  Passwords. You can right click on the site to copy your password and
  then manually paste it into your site.

  Regression Potential
  ====================
  Moderate but acceptable. The fix for the security bug means that users will have to do more work to get their saved password for an http only website.

  Epiphany 3.24 (only available for Ubuntu 17.04+) gives a prominent
  warning about logging in to http websites, as do Firefox and Google
  Chrome as of January 2017. So a bit more work is acceptable since
  users should now be more cautious about logging into http sites.

  Other distros shipped these new versions weeks ago.

  Testing Done
  ============
  I built these updates and successfully ran them in Ubuntu 16.04 LTS and 16.10. I verified that my osnews.com account was converted to https in the password manager and was not auto-filled in the site. I then was able to manually enter my password to osnews.com and the password was now remembered as http.

  Other Info
  ==========
  Fixed upstream in 3.18.11 and 3.22.6:
  https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-18
  https://git.gnome.org/browse/epiphany/log/?h=gnome-3-18

  https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-22
  https://git.gnome.org/browse/epiphany/log/?h=gnome-3-22

  https://mail.gnome.org/archives/distributor-
  list/2017-February/msg00000.html

  Unfortunately the fix is spread out over several git commits. The new
  upstream release is minimal enough I think it would be easier and
  safer to just take the new version. The new version also fixes the
  critical LP: #1668704 for xenial and a bug breaking twitter for
  yakkety (see https://bugzilla.gnome.org/777714 )

To manage notifications about this bug go to:
https://bugs.launchpad.net/epiphany-browser/+bug/1661805/+subscriptions

References

[Bug 1661805] [NEW] Saved passwords for HTTPS sites can be accessed by HTTP sites
From: Jeremy Bicha, 2017-02-04