Saved passwords for HTTPS sites can be accessed by HTTP sites

Bug #1661805 reported by Jeremy Bícha
Affects                   | Status       | Importance | Assigned to | Milestone
Epiphany Browser          | Fix Released | High       |             |
epiphany-browser (Ubuntu) | Fix Released | High       | Unassigned  |
  Xenial                  | Fix Released | High       | Unassigned  |
  Yakkety                 | Fix Released | High       | Unassigned  |

Bug Description

Impact
======
Saved passwords are accessible by HTTP sites in epiphany 3.18.10-0ubuntu1 for Ubuntu 16.04 LTS, 3.22.5-0ubuntu0.1 for 16.10 and older versions. This means that a man-in-the-middle fake version of a website could capture your password by presenting, say, a fake http://facebook.com/.

This is made worse because Javascript can be used to collect filled-in form data even if the user has not clicked Submit yet.

This is made worse because Epiphany doesn't yet respect the HSTS headers which force sites that have opted in to be only available via HTTPS.

Test Case
=========
osnews.com is an example of an http-only website that you can log in to.
What will happen upon upgrading is that your http password will only be associated with the https version of the site.

To get your old password, open the app menu at the top left of the screen. Click Preferences. Switch to the Privacy tab and click Manage Passwords. You can right click on the site to copy your password and then manually paste it into your site.

Regression Potential
====================
Moderate but acceptable. The fix for the security bug means that users will have to do more work to get their saved password for an http only website.

Epiphany 3.24 (only available for Ubuntu 17.04+) gives a prominent warning about logging in to http websites, as do Firefox and Google Chrome as of January 2017. So a bit more work is acceptable since users should now be more cautious about logging into http sites.

Other distros shipped these new versions weeks ago.

Testing Done
============
I built these updates and successfully ran them in Ubuntu 16.04 LTS and 16.10. I verified that my osnews.com account was converted to https in the password manager and was not auto-filled in the site. I then was able to manually enter my password to osnews.com and the password was now remembered as http.

Other Info
==========
Fixed upstream in 3.18.11 and 3.22.6:
https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-18
https://git.gnome.org/browse/epiphany/log/?h=gnome-3-18

https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-22
https://git.gnome.org/browse/epiphany/log/?h=gnome-3-22

https://mail.gnome.org/archives/distributor-list/2017-February/msg00000.html

Unfortunately the fix is spread out over several git commits. The new upstream release is minimal enough I think it would be easier and safer to just take the new version. The new version also fixes the critical LP: #1668704 for xenial and a bug breaking twitter for yakkety (see https://bugzilla.gnome.org/777714).

Tags: xenial yakkety
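
As an added illustration (not Epiphany's code) of the matching flaw the report describes and the migration the fix applies, the Python model below keeps saved credentials keyed by origin: autofill_vulnerable is a hostname-only lookup that hands HTTPS credentials to a plain-HTTP page, autofill_fixed makes the scheme part of the match, and migrate_http_to_https mirrors the upgrade step that moves existing http entries to https. The store contents and hostnames are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample password store (not real accounts).
SAVED = [
    {"origin": "https://bank.example", "username": "alice", "password": "s3cret"},
    {"origin": "http://forum.example", "username": "alice", "password": "forum-pw"},
]


def origin(url):
    """Return scheme://host[:port] for a URL; this is the key the fixed lookup uses."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported URL: {url}")
    default = 443 if p.scheme == "https" else 80
    port = p.port or default
    base = f"{p.scheme}://{p.hostname}"
    return base if port == default else f"{base}:{port}"


def autofill_vulnerable(store, page_url):
    """Vulnerable behaviour: match on hostname only, so credentials saved for
    https://bank.example are offered to http://bank.example as well (the page
    a man-in-the-middle can serve)."""
    host = urlsplit(page_url).hostname
    return [e for e in store if urlsplit(e["origin"]).hostname == host]


def autofill_fixed(store, page_url):
    """Fixed behaviour: the scheme is part of the key, so an HTTP page never
    receives credentials that were saved under HTTPS."""
    key = origin(page_url)
    return [e for e in store if e["origin"] == key]


def migrate_http_to_https(store):
    """Upgrade step from the report: every saved http entry is rewritten to
    https. Nothing auto-fills on plain-http pages until the user re-enters the
    password there; the old value stays visible in the password manager."""
    migrated = []
    for e in store:
        if e["origin"].startswith("http://"):
            e = dict(e, origin="https://" + e["origin"][len("http://"):])
        migrated.append(e)
    return migrated


if __name__ == "__main__":
    print("vulnerable:", autofill_vulnerable(SAVED, "http://bank.example/login"))
    print("fixed:     ", autofill_fixed(SAVED, "http://bank.example/login"))
    print("migrated:  ", migrate_http_to_https(SAVED))
```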
Jeremy Bícha (jbicha)
summary: - Saved passwords can be accessed by HTTP sites
+ Saved passwords for HTTPS sites can be accessed by HTTP sites
description: updated
Changed in epiphany-browser (Ubuntu):
importance: Undecided → High
Changed in epiphany-browser (Ubuntu Yakkety):
importance: Undecided → High
Changed in epiphany-browser (Ubuntu Xenial):
importance: Undecided → High
Changed in epiphany-browser:
importance: Unknown → High
status: Unknown → Fix Released
Jeremy Bícha (jbicha) wrote :
Changed in epiphany-browser (Ubuntu):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in epiphany-browser (Ubuntu):
status: Fix Released → Incomplete
Changed in epiphany-browser (Ubuntu Xenial):
status: New → Incomplete
Changed in epiphany-browser (Ubuntu Yakkety):
status: New → Incomplete
Jeremy Bícha (jbicha) wrote :

I used the simpler 3.22.6-0ubuntu1 version number since 3.22 is yakkety only (and does not conflict with zesty). Similar for xenial with 3.18.

description: updated
Changed in epiphany-browser (Ubuntu):
status: Incomplete → New
Changed in epiphany-browser (Ubuntu Xenial):
status: Incomplete → New
Changed in epiphany-browser (Ubuntu Yakkety):
status: Incomplete → New
tags: added: xenial yakkety
Jeremy Bícha (jbicha) wrote :
Changed in epiphany-browser (Ubuntu Xenial):
status: New → Confirmed
Changed in epiphany-browser (Ubuntu Yakkety):
status: New → Confirmed
Changed in epiphany-browser (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

Hello Jeremy, I had trouble building these packages locally before uploading. I downloaded new tarballs from https://download.gnome.org/sources/epiphany/ and renamed them as needed, applied your debdiffs, and got the following errors when trying to build:

dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building epiphany-browser using existing ./epiphany-browser_3.18.11.orig.tar.xz
dpkg-source: info: local changes detected, the modified files are:
 epiphany-browser-3.18.11/ChangeLog
 epiphany-browser-3.18.11/NEWS
 epiphany-browser-3.18.11/configure
 epiphany-browser-3.18.11/configure.ac
 epiphany-browser-3.18.11/embed/web-extension/ephy-web-extension.c
 epiphany-browser-3.18.11/lib/ephy-file-helpers.c
 epiphany-browser-3.18.11/lib/ephy-file-helpers.h
 epiphany-browser-3.18.11/lib/ephy-form-auth-data.c
 epiphany-browser-3.18.11/lib/ephy-profile-migrator.c
 epiphany-browser-3.18.11/lib/ephy-profile-utils.c
 epiphany-browser-3.18.11/lib/ephy-profile-utils.h
 epiphany-browser-3.18.11/lib/ephy-uri-helpers.c
 epiphany-browser-3.18.11/lib/ephy-uri-helpers.h
 epiphany-browser-3.18.11/lib/ephy-web-app-utils.c
 epiphany-browser-3.18.11/src/ephy-shell-search-provider-generated.c
 epiphany-browser-3.18.11/src/ephy-shell-search-provider-generated.h
 epiphany-browser-3.18.11/src/ephy-window.c
 epiphany-browser-3.18.11/src/passwords-dialog.c
dpkg-source: error: aborting due to unexpected upstream changes, see /tmp/epiphany-browser_3.18.11-0ubuntu1.diff.HHjmVM
dpkg-source: info: you can integrate the local changes with dpkg-source --commit
dpkg-buildpackage: error: dpkg-source -b epiphany-browser-3.18.11 gave error exit status 2
debuild: fatal error at line 1376:
dpkg-buildpackage -rfakeroot -d -us -uc -S -sa failed
Could not spawn schroot. Result is: None.

Any advice appreciated.

Also, could you paste in the sha256 sums from the tarballs that you used? Without signatures on the upstream packages it's difficult to ensure we're testing the same things.

Thanks

Jeremy Bícha (jbicha) wrote :

de7ea87dc450702bde620033f9e2ce807859727d007396d86b09f2b82397fcc2 epiphany-browser_3.22.6.orig.tar.xz
81c4219cb68e45af7729c78faa557d93a6b9520f289aef24b6d67e3a96dfcc82 epiphany-browser_3.18.11.orig.tar.xz

Jeremy Bícha (jbicha) wrote :

I just used a bzr packaging only branch and ran 'bzr diff' to produce the diffs I posted.

Grab the tarball of the debian/ directory and extract it.
bzr init
echo -e '[BUILDDEB]\nmerge = True' > .bzr-builddeb/default.conf
bzr add
bzr commit -m "Existing packaging"
Apply the diff

You can then build with 'bzr bd' or you can look around the upstream sources and use quilt with 'bzr bd-do' (and then 'exit' when you're done with 'bzr bd-do'). Either 'bzr bd' or 'bzr bd-do' will automatically download the upstream tarball for you.

In my ~/.bazaar/builddeb.conf, I have this:
[BUILDDEB]
builder = sbuild -d zesty

My workflow is derived from https://wiki.ubuntu.com/DesktopTeam/Bzr

git-buildpackage should also work except that I don't normally use a packaging-only workflow there.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package epiphany-browser - 3.18.11-0ubuntu1

---------------
epiphany-browser (3.18.11-0ubuntu1) xenial-security; urgency=medium

  * SECURITY UPDATE: Saved passwords were viewable by a man-in-the-middle
    attack website. This has been mitigated by moving all existing saved
    http passwords to https. If a website you use is http-only, you can
    find your old password in Preferences>Privacy>Manage Passwords.
    - Fixed in new upstream security release 3.18.11 (LP: #1661805)
      + New upstream release also fixes inability to enter text in
        websites, a regression introduced in 3.18.10 (LP: #1668704)

 -- Jeremy Bicha <email address hidden> Sun, 19 Mar 2017 18:24:58 -0400

Changed in epiphany-browser (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package epiphany-browser - 3.22.6-0ubuntu1

---------------
epiphany-browser (3.22.6-0ubuntu1) yakkety-security; urgency=medium

  * SECURITY UPDATE: Saved passwords were viewable by a man-in-the-middle
    attack website. This has been mitigated by moving all existing saved
    http passwords to https. If a website you use is http-only, you can
    find your old password in Preferences>Privacy>Manage Passwords.
    - Fixed in new upstream security release 3.22.6 (LP: #1661805)
      + New upstream release also fixes adblocker being too aggressive
        and breaking Twitter

 -- Jeremy Bicha <email address hidden> Sun, 19 Mar 2017 18:46:17 -0400

Changed in epiphany-browser (Ubuntu Yakkety):
status: Confirmed → Fix Released
Jeremy Bícha (jbicha)
Changed in epiphany-browser (Ubuntu):
status: Confirmed → Fix Released