ubuntu-privacy team mailing list archive

Thread
Date

[Bug 1055952] [NEW] Direct data leaking to Amazon

To: ubuntu-privacy@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1055952@xxxxxxxxxxxxxxxxxx>
Date: Fri, 26 Oct 2012 21:17:34 -0000
Reply-to: Bug 1055952 <1055952@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

You have been subscribed to a public bug by Nicolas Müller (nicolas-mue):

Despite claims from Mark Shuttleworth that data is not sent to Amazon
(http://www.markshuttleworth.com/archives/1182), a quick look at
Wireshark reveals that all images resulting from search results are
downloaded directly from Amazon (see attached picture).

Worse still, the request are over plain HTTP, even though Amazon offers
an SSL service for images (ssl-images-amazon.com).

So while it's technically true that the search terms are not sent to
Amazon, the search results are, and that's just as bad. From this,
Amazon and any third-party on the line (ISP etc.) gets the user's IP,
date, time, and can deduce the search terms through correlation with
recent searches or by looking at the name of the products in the result
set.

Additionally, the requests contains a fairly unique user-agent: gvfs/1.13.9, which seems to be tied to Gnome. I would imagine that there's not a lot of requests that would hit amazon.com with that user agent without originating from the Unity Dash. So now Amazon gets to know that I use the Unity Dash to search it, and how often.
The query also shows an Accept-Language header; I haven't experimented with other language packs, but it should be relatively obvious that leaking the user's language is not necessary, since those are just static images and the products' names have already been downloaded from productsearch.ubuntu.com.

How to reproduce:
- Open Wireshark, start capture
- Press the Windows/Meta key
- Type anything
- Check Wireshark output

** Affects: unity-lens-shopping
     Importance: High
     Assignee: John Lenton (chipaca)
         Status: Confirmed

** Affects: unity-lens-shopping (Ubuntu)
     Importance: High
         Status: Confirmed


** Tags: privacy quantal
-- 
Direct data leaking to Amazon
https://bugs.launchpad.net/bugs/1055952
You received this bug notification because you are a member of Ubuntu Privacy Team, which is subscribed to the bug report.