*** This bug is a security vulnerability ***

Public security bug reported:

Impact
======
Saved passwords are accessible by HTTP sites in epiphany 3.18.10-0ubuntu1 for
Ubuntu 16.04 LTS, 3.22.5-0ubuntu0.1 for 16.10 and older versions. This means
that a man-in-the-middle fake version of a website could capture your password
by presenting, say, a fake http://facebook.com/.

This is made worse because JavaScript can be used to collect filled-in
form data even if the user has not clicked Submit yet.

This is made worse because Epiphany doesn't yet respect the HSTS headers
which force sites that have opted in to be only available via HTTPS.

Test Case
=========

Regression Potential
====================
Low. The fix is to move all already saved passwords to be associated with
https. Users will need to enter this password in again if the site is HTTP
only. This is disruptive if the only place the user has saved the password is
in Epiphany. Websites should allow password reset. However, both Firefox and
Chrome as of January 2017 warn users before entering passwords for HTTP sites.
Epiphany 3.24 will add that warning in its March 2017 release.

Other Info
==========
Fixed upstream in 3.18.11 and 3.22.6:
https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-18
https://git.gnome.org/browse/epiphany/log/?h=gnome-3-18

https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-22
https://git.gnome.org/browse/epiphany/log/?h=gnome-3-22

https://mail.gnome.org/archives/distributor-list/2017-February/msg00000.html
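The scoping defect described under Impact, modelled as an added example that is not Epiphany code: a store keyed by hostname only (which hands HTTPS-saved credentials to a plaintext page on the same host) beside a store keyed by full origin, plus a migration that mirrors the fix described under Regression Potential. The entry layout, `origin_of` and `migrate` are constructed for illustration.

```python
"""Host-keyed (weak) versus origin-keyed (fixed) password store.

Constructed model of the bug in this report, not Epiphany's own code.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Return scheme://host:port for a URL, normalising the default port."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = u.port or DEFAULT_PORTS[u.scheme]
    return f"{u.scheme}://{u.hostname.lower()}:{port}"


@dataclass
class HostKeyedStore:
    """Weak model: keyed by hostname, so http://host sees https://host logins."""
    entries: dict = field(default_factory=dict)

    def save(self, url: str, user: str, password: str) -> None:
        self.entries[urlsplit(url).hostname.lower()] = (user, password)

    def lookup(self, page_url: str):
        # No scheme check: a plaintext page on the same host gets the credential.
        return self.entries.get(urlsplit(page_url).hostname.lower())


@dataclass
class OriginKeyedStore:
    """Fixed model: keyed by full origin, autofill only on an exact match."""
    entries: dict = field(default_factory=dict)

    def save(self, url: str, user: str, password: str) -> None:
        self.entries[origin_of(url)] = (user, password)

    def lookup(self, page_url: str):
        # An http:// page never matches a credential saved under https://.
        return self.entries.get(origin_of(page_url))


def migrate(old: HostKeyedStore) -> OriginKeyedStore:
    """Re-associate every legacy host-only entry with its https origin, as the
    report describes; HTTP-only sites will prompt the user to re-enter."""
    new = OriginKeyedStore()
    for host, credential in old.entries.items():
        new.entries[f"https://{host}:443"] = credential
    return new
```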

** Affects: epiphany-browser
     Importance: Unknown
         Status: Unknown

** Affects: epiphany-browser (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: epiphany-browser (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: epiphany-browser (Ubuntu Yakkety)
     Importance: Undecided
         Status: New

** Summary changed:

- Saved passwords can be accessed by HTTP sites
+ Saved passwords for HTTPS sites can be accessed by HTTP sites

** Also affects: epiphany-browser (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: epiphany-browser (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Bug watch added: GNOME Bug Tracker #752738
   https://bugzilla.gnome.org/show_bug.cgi?id=752738

** Also affects: epiphany-browser via
   https://bugzilla.gnome.org/show_bug.cgi?id=752738
   Importance: Unknown
       Status: Unknown

** Description changed:

  Impact
  ======
  Saved passwords are accessible by HTTP sites in epiphany 3.18.10-0ubuntu1 for
  Ubuntu 16.04 LTS, 3.22.5-0ubuntu0.1 for 16.10 and older versions. This means
  that a man-in-the-middle fake version of a website could capture your password
  by presenting, say, a fake http://facebook.com/.
  
  This is made worse because JavaScript can be used to collect filled-in
  form data even if the user has not clicked Submit yet.
  
  This is made worse because Epiphany doesn't yet respect the HSTS headers
  which force sites that have opted in to be only available via HTTPS.
  
  Test Case
  =========
  
  Regression Potential
  ====================
  Low. The fix is to move all already saved passwords to be associated with
  https. Users will need to enter this password in again if the site is HTTP
  only. This is disruptive if the only place the user has saved the password is
  in Epiphany. Websites should allow password reset. However, both Firefox and
  Chrome as of January 2017 warn users before entering passwords for HTTP sites.
  Epiphany 3.24 will add that warning in its March 2017 release.
  
  Other Info
  ==========
+ Fixed upstream in 3.18.11 and 3.22.6:
+ https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-18
  https://git.gnome.org/browse/epiphany/log/?h=gnome-3-18
+ 
+ https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-22
  https://git.gnome.org/browse/epiphany/log/?h=gnome-3-22
+ 
+ https://mail.gnome.org/archives/distributor-list/2017-February/msg00000.html

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1661805

Title:
  Saved passwords for HTTPS sites can be accessed by HTTP sites

To manage notifications about this bug go to:
https://bugs.launchpad.net/epiphany-browser/+bug/1661805/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
