Bug#981520: minigalaxy: Shows a browser login window without any proof of origin (no URL, no HTTPS indicator, no chance to review SSL certificate, etc.)
Hi Axel, Le 03/02/2021 02:09, Axel Beckert a écrit : Hi Stephen and Stephan, Stephen Kitt wrote: On Tue, 02 Feb 2021 11:02:58 +, Stephan Lachnit wrote: > > On startup it shows a login window which looks suspiciously like a GOG > > login window in a web browser, but without without any possibility to > > check its origin: It has no location bar, i.e. shows no URL, it doesn't > > indicate if the entered credentials are transmitted encrypted via HTTPS > > or not, and it offers no chance to review the HTTPS TLS certificate if > > present. > > Since Minigalaxy is open source, it's very easy to check if it connects > actually to GOG via https. I checked the code and it is fine. I had checked it before sponsoring the initial upload too. This is one of those things I tend to assume from Debian: that the packages provided in the archives are safe. Ack. But MITM attacks happen outside of the software. Think DNS spoofing. Before I enter a password anywhere, I should be able to check at least the certificate. Ah yes, that is a good point! > This problem actually isn't solved by showing an address bar or the > certificate, since that can easily be spoofed. Indeed. But here Stephen's argument fits: I tend to assume that the packages provided in the Debian archives are safe. I just can't assume that the network I'm in is safe. Agreed, we can’t trust the network. > > Possible solution: Don't use an embedded browser windows but call > > sensible-browser or so to use the browser which the user is probably > > already logged in to GOG anyways. > > In the forwarded bug report the maintainer states that an external > browser is not a solution at the moment. Their argumentation sounds > reasonable to me. Feared that. > However, I will look into adding the address, as it probably is not a > bad idea. But this is more of a wishlist thing, not an actual security > concern (at least to me). As mentioned, I haven't got Stephan's mail. I now see that this has been downgraded to wishlist with that mail. I disagree. This is a clear issue. I though must admit that the login window at least says "Unacceptable TLS certificate" if I try to do a MITM attack on auth.gog.com. I am nevertheless still of the opinion that this is not a feature request but a security issue. See also lgogdownloader which does pretty much the same thing. Actually I tried that one first as it was in Debian first. Horrible user experience: It's a Qt written tool according to its dependencies (i.e. a GUI) which asks me "E-Mail:" on the commandline (!) without any context, which e-mail address is wanted and for what it is used. I assume it's the e-mail address used in the GOG account, but that UI is inacceptable. (Didn't write a bug report for that. Just uninstalled it. But this one has security impact.) Hmm, right, I must just be unlucky and always hit the reCAPTCHA... The GUI pops up then. Perhaps it would be useful to provide an option to always use the GUI. Regards, Stephen
Bug#981520: minigalaxy: Shows a browser login window without any proof of origin (no URL, no HTTPS indicator, no chance to review SSL certificate, etc.)
Hi Stephen and Stephan, (JFYI: I only got Stephen's mail.) Stephen Kitt wrote: > On Tue, 02 Feb 2021 11:02:58 +, Stephan Lachnit > wrote: > > > On startup it shows a login window which looks suspiciously like a GOG > > > login window in a web browser, but without without any possibility to > > > check its origin: It has no location bar, i.e. shows no URL, it doesn't > > > indicate if the entered credentials are transmitted encrypted via HTTPS > > > or not, and it offers no chance to review the HTTPS TLS certificate if > > > present. > > > > Since Minigalaxy is open source, it's very easy to check if it connects > > actually to GOG via https. I checked the code and it is fine. > > I had checked it before sponsoring the initial upload too. > > This is one of those things I tend to assume from Debian: that the > packages provided in the archives are safe. Ack. But MITM attacks happen outside of the software. Think DNS spoofing. Before I enter a password anywhere, I should be able to check at least the certificate. > > This problem actually isn't solved by showing an address bar or the > > certificate, since that can easily be spoofed. Indeed. But here Stephen's argument fits: I tend to assume that the packages provided in the Debian archives are safe. I just can't assume that the network I'm in is safe. > > > Possible solution: Don't use an embedded browser windows but call > > > sensible-browser or so to use the browser which the user is probably > > > already logged in to GOG anyways. > > > > In the forwarded bug report the maintainer states that an external > > browser is not a solution at the moment. Their argumentation sounds > > reasonable to me. Feared that. > > However, I will look into adding the address, as it probably is not a > > bad idea. But this is more of a wishlist thing, not an actual security > > concern (at least to me). As mentioned, I haven't got Stephan's mail. I now see that this has been downgraded to wishlist with that mail. I disagree. This is a clear issue. I though must admit that the login window at least says "Unacceptable TLS certificate" if I try to do a MITM attack on auth.gog.com. I am nevertheless still of the opinion that this is not a feature request but a security issue. > See also lgogdownloader which does pretty much the same thing. Actually I tried that one first as it was in Debian first. Horrible user experience: It's a Qt written tool according to its dependencies (i.e. a GUI) which asks me "E-Mail:" on the commandline (!) without any context, which e-mail address is wanted and for what it is used. I assume it's the e-mail address used in the GOG account, but that UI is inacceptable. (Didn't write a bug report for that. Just uninstalled it. But this one has security impact.) Regards, Axel -- ,''`. | Axel Beckert , https://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `-| 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Bug#981520: minigalaxy: Shows a browser login window without any proof of origin (no URL, no HTTPS indicator, no chance to review SSL certificate, etc.)
Hi Axel, On Tue, 02 Feb 2021 11:02:58 +, Stephan Lachnit wrote: > > On startup it shows a login window which looks suspiciously like a GOG > > login window in a web browser, but without without any possibility to > > check its origin: It has no location bar, i.e. shows no URL, it doesn't > > indicate if the entered credentials are transmitted encrypted via HTTPS > > or not, and it offers no chance to review the HTTPS TLS certificate if > > present. > > Since Minigalaxy is open source, it's very easy to check if it connects > actually to GOG via https. I checked the code and it is fine. I had checked it before sponsoring the initial upload too. This is one of those things I tend to assume from Debian: that the packages provided in the archives are safe. > This problem actually isn't solved by showing an address bar or the > certificate, since that can easily be spoofed. It could just connect > to GOG to show the certificate but also connect to a different, similar > looking website and show it to the user. This applies to all browsers, > that is why open source is important. Yup, exactly, it would be quite easy for a malicious client to present a reassuring UI; having such a UI wouldn’t prove anything. > > Possible solution: Don't use an embedded browser windows but call > > sensible-browser or so to use the browser which the user is probably > > already logged in to GOG anyways. > > In the forwarded bug report the maintainer states that an external > browser is not a solution at the moment. Their argumentation sounds > reasonable to me. > > However, I will look into adding the address, as it probably is not a > bad idea. But this is more of a wishlist thing, not an actual security > concern (at least to me). See also lgogdownloader which does pretty much the same thing. Regards, Stephen pgpKCaDo6CQ42.pgp Description: OpenPGP digital signature
Bug#981520: minigalaxy: Shows a browser login window without any proof of origin (no URL, no HTTPS indicator, no chance to review SSL certificate, etc.)
Control: severity -1 wishlist Control: forwarded -1 https://github.com/sharkwouter/minigalaxy/issues/282 Control: tags -1 upstream Hi, thanks for your bug report. I've taken a look into it and I reduced the severity for a couple of reasons. > On startup it shows a login window which looks suspiciously like a GOG > login window in a web browser, but without without any possibility to > check its origin: It has no location bar, i.e. shows no URL, it doesn't > indicate if the entered credentials are transmitted encrypted via HTTPS > or not, and it offers no chance to review the HTTPS TLS certificate if > present. Since Minigalaxy is open source, it's very easy to check if it connects actually to GOG via https. I checked the code and it is fine. This problem actually isn't solved by showing an address bar or the certificate, since that can easily be spoofed. It could just connect to GOG to show the certificate but also connect to a different, similar looking website and show it to the user. This applies to all browsers, that is why open source is important. > Possible solution: Don't use an embedded browser windows but call > sensible-browser or so to use the browser which the user is probably > already logged in to GOG anyways. In the forwarded bug report the maintainer states that an external browser is not a solution at the moment. Their argumentation sounds reasonable to me. However, I will look into adding the address, as it probably is not a bad idea. But this is more of a wishlist thing, not an actual security concern (at least to me). Regards, Stephan
Bug#981520: minigalaxy: Shows a browser login window without any proof of origin (no URL, no HTTPS indicator, no chance to review SSL certificate, etc.)
Package: minigalaxy Version: 1.0.1-1 Severity: grave Tags: security Justification: introduces a security hole allowing access to the accounts of users who use the package Hi, thanks for packaging minigalaxy. Unfortunately it's unusable as you can't conscientiously login to GOG: On startup it shows a login window which looks suspiciously like a GOG login window in a web browser, but without without any possibility to check its origin: It has no location bar, i.e. shows no URL, it doesn't indicate if the entered credentials are transmitted encrypted via HTTPS or not, and it offers no chance to review the HTTPS TLS certificate if present. Proof that it actually is a browser window: It has "Back, Forward, Reload, etc. in the right click context menu and I see two "WebKit" processes being forked from minigalaxy: abe 24326 2.6 0.1 86076304 113572 pts/16 Sl+ 00:12 0:10 \_ /usr/bin/python3 /usr/games/minigalaxy abe 24799 7.1 0.2 86563632 160396 pts/16 SLl+ 00:12 0:27 \_ /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess 7 16 abe 24802 0.0 0.0 86442844 59232 pts/16 SLl+ 00:12 0:00 \_ /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess 8 16 Possible solution: Don't use an embedded browser windows but call sensible-browser or so to use the browser which the user is probably already logged in to GOG anyways. Or just show the location bar of the browser window which lets the user have a look at the URL and certificates being used. -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-1-amd64 (SMP w/4 CPU threads) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) LSM: AppArmor: enabled Versions of packages minigalaxy depends on: ii gir1.2-gtk-3.0 3.24.24-1 ii gir1.2-webkit2-4.0 2.30.4-1 ii python3 3.9.1-1 ii python3-gi 3.38.0-1+b2 ii python3-gi-cairo3.38.0-1+b2 ii python3-requests2.25.1+dfsg-2 ii unzip 6.0-26 ii xdg-utils 1.1.3-4 minigalaxy recommends no packages. Versions of packages minigalaxy suggests: ii dosbox0.74-3-2 ii scummvm 2.2.0+dfsg1-4 pn wine32 | wine32-development | wine-stable-i386 | wine-devel- -- no debconf information