← Back to team overview

unity-design team mailing list archive

Re: Possible security risk with update-manager

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paulo J. S. Silva wrote on 18/11/09 20:58:
>...
> There is a huge "Won't fix" bug concerning the pop-up/under behavior
> of update manager since 9.04:
>
> https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/332945
>
> Recently one of the people that insist to keep the bug alive (like
> me), made a dirty simple mockup of a page that would present itself as
> the update manager and ask for the administration password. See
>
> https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/332945/comments/456
>
> Note that even though this mockup is very crude and can easily be
> recognized due to the outer browser window in the pop-up, it should
> raise some eye browns. Just imagine a more sophisticated page using
> flash to draw a windowless fake update-manager window and capture the
> password (can flash send information to a server?).

As I wrote in <http://launchpad.net/bugs/370248>: "For several years Web
browsers have insisted on showing the address bar, or the status bar, or
both, in any popup window as a way of distinguishing it from native
application windows. Can you provide a demo which avoids this security
measure?"

In both Firefox and Chromium, the demo you have pointed to has not just
the browser's address bar *and* status bar, but also two title bars
rather than one. If you can provide a more convincing demo, please
attach it to the bug report.

> I now truly believe that the behavior of having a administration
> window popping up (or under) without the explicit user request may be
> viewed as a possible security flaw. Naive users, once used to this
> behavior, can start accepting fake window that appear during browsing.
> It would be much easier to tell the user: never give a password unless
> you started a workflow where you already knew that a password would be
> required. This sounds like common sense. With the new update-manager
> we can not say that to the users anymore.
>...

As I wrote in <http://launchpad.net/bugs/332945>: "...assuming that
people will see a window that looks like the updates window, and behaves
like the updates window, but be able to tell that it's fake solely
because it opened automatically. I think that's quite unrealistic,
because it would require a much better memory for past actions than
people usually have. For example, if you open Update Manager yourself
but get a phone call and have to switch to another task in a hurry, and
don't return to Update Manager until the next day, you may have no
memory of opening it the previous day. (Expecting people to then close
it and reopen it, *just in case* the already-open instance was a fake
one, would be even less realistic.)"

Cheers
- --
Matthew Paul Thomas
http://mpt.net.nz/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAksmOBYACgkQ6PUxNfU6ecpwjQCcD6J2bd/3ejH+0DjLALUgydZD
uuAAoJn9Qv9OJNKKwosRfZBI9l1bVM3X
=/Eli
-----END PGP SIGNATURE-----




Follow ups

References