
[Ayatana] Possible security risk with update-manager



Hello,

I am coming back to an old subject, but with new information.

There is a huge "Won't fix" bug concerning the pop-up/under behavior
of update manager since 9.04:

https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/332945

Recently one of the people who insist on keeping the bug alive (like
me) made a dirty simple mockup of a page that would present itself as
the update manager and ask for the administration password. See

https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/332945/comments/456

Note that even though this mockup is very crude and can easily be
recognized due to the outer browser window in the pop-up, it should
raise some eyebrows. Just imagine a more sophisticated page using
Flash to draw a windowless fake update-manager window and capture the
password (can Flash send information to a server?).

I now truly believe that the behavior of having an administration
window popping up (or under) without an explicit user request may be
viewed as a possible security flaw. Naive users, once used to this
behavior, can start accepting fake windows that appear during browsing.
It would be much easier to tell the user: never give a password unless
you started a workflow where you already knew that a password would be
required. This sounds like common sense. With the new update-manager
we cannot say that to the users anymore.

I know that this is not exactly a usability problem, but it was
caused by a usability decision. Shouldn't we ask some security experts
at Canonical at least to comment on this?

best,

Paulo

Obs: I sent this email before using my gmail address and it seems
it did not get through, so I am resending it now using the email address
that I use in Launchpad. If a double post happens, I beg your
pardon.

--
Paulo José da Silva e Silva
Professor Associado, Dep. de Ciência da Computação
(Associate Professor, Computer Science Dept.)
Universidade de São Paulo - Brazil

e-mail: pjssilva@xxxxxxxxxx         Web: http://www.ime.usp.br/~pjssilva