Just to add some more information in order to have a more clear idea of the seriousness of this bug: accounts which are created when the signon-apparmor-extension is installed will work fine: apps won't be able to abuse them.
This bug only affects the accounts which were created when the extension was not installed: even if the extension gets installed later on, the ACL checks will be bypassed and any app can get access to any account. Fixing this bug will make all accounts (regardless of when they were created) be protected by the ACL once the signon-apparmor-extension is installed.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to signon in Ubuntu.
https://bugs.launchpad.net/bugs/1392380

Title:
  OA gives out all tokens to any app

Status in “signon” package in Ubuntu:
  Confirmed

Bug description:
  The attached app will steal all your tokens. All it takes is the "accounts" permission in the apparmor file. Here's the code: https://pastebin.canonical.com/120398/

