touch-packages team mailing list archive

[Bug 1479747] [NEW] An app can see whether you have an account without permission


*** This bug is a security vulnerability ***

Public security bug reported:

Ubuntu 15.04 r74

1. In Online Accounts, set up a Google account.
2. Install the Calendar app.
3. From the Calendar app's kebab menu, choose "Calendars".

What you see: Your Google account is already listed as a calendar.

What you should see: The Google account is not listed, because you
haven't given permission for the app to know that it exists.

This is a privacy violation: it means that a service can see whether you
have an account with a competing service when that's none of their
business. For example, it means that a Facebook app could tell whether
you have a Twitter account, or vice versa; a Flickr app could tell
whether you have an Instagram account, or vice versa; a Strava app could
tell whether you have a Fitbit account, and so on.

<https://wiki.ubuntu.com/OnlineAccounts#App_access>: "An app should have
no idea whether you have any accounts of a particular type stored in
Online Accounts. It should merely ask for access to an account of a
particular type."

** Affects: ubuntu-system-settings-online-accounts (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-system-settings-
online-accounts in Ubuntu.
https://bugs.launchpad.net/bugs/1479747
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-system-settings-online-accounts/+bug/1479747/+subscriptions
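As an added illustration (not code from the bug report or from Ubuntu Online Accounts), the following Python sketch models the leaky behaviour reproduced above next to the access pattern the quoted wiki passage requires, and checks the property that matters: an app that has not been granted access observes the same result whether or not an account of that type exists. AccountBroker, list_accounts_leaky, request_account and the sample account values are hypothetical.

```python
"""Model of the account-existence leak in the bug report and of the access
pattern the Online Accounts wiki prescribes. Added illustration only; the
names used here are hypothetical, not the real Ubuntu Online Accounts API."""
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Account:
    provider: str      # e.g. "google", "twitter" (constructed sample values)
    account_id: str

@dataclass
class AccountBroker:
    accounts: list = field(default_factory=list)
    grants: set = field(default_factory=set)   # (app_id, provider) pairs the user approved

    def list_accounts_leaky(self, app_id: str, provider: str) -> list:
        """Vulnerable: any app can enumerate stored accounts by provider, so an
        empty vs non-empty answer reveals whether such an account exists."""
        return [a for a in self.accounts if a.provider == provider]

    def request_account(self, app_id: str, provider: str,
                        user_approves: Callable[[str, str], bool]) -> Optional[Account]:
        """Hardened: the app asks for access to *an* account of a type; the trusted
        session (not the app) prompts the user when an account exists and no grant
        is recorded. An ungranted app gets None whether no account exists or the
        user declined, so the app learns nothing about existence."""
        matching = [a for a in self.accounts if a.provider == provider]
        if not matching:
            return None
        if (app_id, provider) not in self.grants:
            if not user_approves(app_id, provider):
                return None
            self.grants.add((app_id, provider))
        return matching[0]

def ungranted_app_learns_existence(leaky: bool, provider: str = "google") -> bool:
    """True if an app with no grant observes different results on a device that
    has an account of `provider` and on one that does not (i.e. existence leaks)."""
    deny = lambda app, prov: False        # user never approves
    with_acct = AccountBroker(accounts=[Account(provider, "user@example.test")])
    without = AccountBroker()
    if leaky:
        seen = (with_acct.list_accounts_leaky("calendar", provider),
                without.list_accounts_leaky("calendar", provider))
    else:
        seen = (with_acct.request_account("calendar", provider, deny),
                without.request_account("calendar", provider, deny))
    return seen[0] != seen[1]
```

The model deliberately keeps the user prompt inside the broker: if the app itself rendered the consent dialog, or could observe whether one was shown, the existence check would leak through that channel instead.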