We talked about this on IRC. Here is the breakdown:
 * when the user adds an account to online accounts, the online accounts session gets a cookie from the site and stores it in a cookie jar specific to this account
 * when a webapp asks to use the account, online accounts will prompt the user for access (when bug #1230091 is fixed)
 * if the user says 'yes, this webapp can use this online account', only then will the webapp-container use cookiesForIdentity to grab the cookies and prepopulate the webapp's cookie jar with the cookies online accounts has for this site

This is all fine. The question then becomes, can a malicious site attack
the webapp-container or Unity APIs that are exposed to webapps to use
cookiesForIdentity on other accounts that the user has set up but not
authorized the access to (e.g., badbook requests access to facebook, the
user says 'ok', and badbook tries to get the cookies for twitter). At
this point, there is no API for a malicious app to use, so the malicious
app would have to exploit a vulnerability in the webapp-container or
webapp APIs. As such, I will add the access to the ubuntu-webapp
template, but I think it would be a useful hardening measure to add an
ACL check to the SignonUi implementation of the API, so that it checks
whether the caller has been granted access to the account (as Alberto
mentioned).

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: Incomplete => In Progress

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1278934

Title:
  ubuntu-webapps template needs access to SignonUi API

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1278934/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
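The flow described in the message above (per-account cookie jar, user prompt, cookiesForIdentity handoff) together with the proposed ACL check, as an added toy model. This is illustration code written for this page, not code from online-accounts, webapp-container or SignonUi; the class and method names, the account ids "facebook" and "twitter", the app id "badbook" and the cookie values are all constructed for the example. The point it shows is that once the service checks the (caller, account) grant itself, a webapp that was approved for one account cannot pull the jar of another, even if the container asks on its behalf.

```python
"""Toy model of the cookie handoff and the proposed ACL check.

Added illustration, not code from online-accounts, webapp-container or
SignonUi. Account ids, app ids and cookie values are constructed.
"""
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when a webapp asks for cookies of an account it was not granted."""


@dataclass
class OnlineAccounts:
    """Stand-in for the online accounts service (hypothetical)."""
    # account id -> cookie jar captured when the user added the account
    jars: dict = field(default_factory=dict)
    # (caller app id, account id) pairs the user explicitly approved
    grants: set = field(default_factory=set)

    def add_account(self, account_id, site_cookies):
        # Step 1: the login session's cookies go into a jar for this account only.
        self.jars[account_id] = dict(site_cookies)

    def prompt_user(self, app_id, account_id, user_says_yes):
        # Step 2: the user is asked whether app_id may use account_id.
        if user_says_yes:
            self.grants.add((app_id, account_id))
        return user_says_yes

    def cookies_for_identity(self, caller_app_id, account_id):
        # Step 3 plus the hardening: the service checks the caller's grant itself
        # rather than trusting the container to only ask for approved accounts.
        # The grant is checked before the jar lookup, so an ungranted caller also
        # learns nothing about which accounts exist.
        if (caller_app_id, account_id) not in self.grants:
            raise AccessDenied(f"{caller_app_id} was not granted {account_id}")
        # Return a copy so the caller cannot mutate the service's jar.
        return dict(self.jars[account_id])


@dataclass
class WebappContainer:
    """Stand-in for the per-webapp cookie jar (hypothetical)."""
    app_id: str
    jar: dict = field(default_factory=dict)

    def prepopulate(self, accounts, account_id):
        # Pull the account's cookies into this webapp's own jar.
        self.jar.update(accounts.cookies_for_identity(self.app_id, account_id))
        return dict(self.jar)


def build_demo():
    """Constructed scenario from the bug: badbook is granted facebook only."""
    accounts = OnlineAccounts()
    accounts.add_account("facebook", {"c_user": "fb-session-1"})
    accounts.add_account("twitter", {"auth_token": "tw-session-1"})
    accounts.prompt_user("badbook", "facebook", user_says_yes=True)
    return accounts


def demo():
    """Returns (badbook's jar after the approved fetch, whether twitter leaked)."""
    accounts = build_demo()
    badbook = WebappContainer("badbook")
    approved = badbook.prepopulate(accounts, "facebook")
    try:
        badbook.prepopulate(accounts, "twitter")
        leaked = True
    except AccessDenied:
        leaked = False
    return approved, leaked


if __name__ == "__main__":
    print(demo())
```

The check lives in the service, not in the container: the container is the component a malicious site would have to compromise, so a grant table the container merely consults would fall with it. Keying the grant on the caller's app id presumes the service can identify the caller reliably (on the real system that would come from the D-Bus peer's security label rather than a self-reported string), which is an assumption of this model.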
