Bug#843645: Username unconditionally checked
Andrey Gursky
andrey.gursky at e-mail.ua
Tue Nov 8 14:31:41 UTC 2016
Source: ring
Version: 20161104.4.17a0616~dfsg1-2
Severity: important
Dear maintainer,

by clicking on "Create Ring Account" the system account username is
automatically checked for availability. In this window there is no
statement that this is performed locally and nothing is sent away,
thus it is a security leak.

And indeed, Wireshark reveals that the check is a simple (not even
encrypted) HTTP GET request, e.g. http://ns.ring.cx/name/123

Hopefully, Savoir-faire Linux will set up HTTPS soon?

Please disable this check for now. For a real fix, I'd suggest to
introduce a button ("check now") instead. Additionally, a key press
handler should be registered for the TextEntry widget in order to
quickly check the name (typed/enter/altered/enter/altered/enter/...).

Thanks,
Andrey
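
The behaviour requested in the report above, as an added example (not code from the Ring project or from the reporter): typing in or pre-filling the field stays local, and a lookup is sent only on an explicit check and only over HTTPS. The class name, the injected `fetch` callable and the host `ns.example.invalid` are assumptions made for illustration; only the `/name/<name>` path comes from the report.

```python
from urllib.parse import quote, urlsplit


class NameLookup:
    """Availability check that runs only on an explicit user action."""

    def __init__(self, base_url, fetch):
        # fetch is a hypothetical callable(url) -> bool, injected so the
        # example runs offline and the requests it would send are visible.
        self.base_url = base_url.rstrip("/")
        self.fetch = fetch
        self.text = ""

    def on_text_changed(self, text):
        # Typing, or pre-filling the field with the system account
        # username, only updates local state. No network I/O here.
        self.text = text

    def on_check_requested(self):
        # Wired to the "check now" button and to the Enter key handler.
        name = self.text.strip()
        if not name:
            return None  # nothing to look up, nothing sent
        if urlsplit(self.base_url).scheme != "https":
            # The name would be readable by anyone on the network path.
            raise ValueError("refusing to send the name over cleartext HTTP")
        # Percent-encode so the name cannot alter the request path.
        return self.fetch(f"{self.base_url}/name/{quote(name, safe='')}")


if __name__ == "__main__":
    sent = []  # constructed stand-in for the network

    def record(url):
        sent.append(url)
        return True

    entry = NameLookup("https://ns.example.invalid", record)
    entry.on_text_changed("alice")   # pre-filled value: no request yet
    print("after typing:", sent)
    entry.on_check_requested()       # explicit action: exactly one request
    print("after check:", sent)
```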