[Secure-testing-team] Bug#631422: does not use SSL on identi.ca / ignores SSL certificates on Twitter

Evgeni Golov evgeni at debian.org
Thu Jun 23 17:55:37 UTC 2011


Package: turpial
Version: 1.5.0-1
Severity: grave
Tags: security

Hi,

Inspired by the same bug in gwibber (https://bugs.launchpad.net/gwibber/+bug/705363),
heybuddy (https://bugs.launchpad.net/heybuddy/+bug/798300) and pino
(http://code.google.com/p/pino-twitter/issues/detail?id=339), I checked turpial,
and it failed the same way :(

For identi.ca, HTTPS is not even used (username/password are sent in plaintext
to the server). Editing api/protocols/identica/identica.py to use
https://identi.ca/api as the API endpoint does not help much: SSL is used, but
certificates aren't checked, making man-in-the-middle attacks possible.

For Twitter HTTPS is used, but the same no-cert-verify flaw applies here.

regards
Evgeni Golov

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-rc3+ (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages turpial depends on:
ii  gstreamer0.10-plugins-base  0.10.34-1    GStreamer plugins from the "base" 
ii  python                      2.6.6-14     interactive high-level object-orie
ii  python-gst0.10              0.10.21-2+b1 generic media-playing framework (P
ii  python-gtk2                 2.24.0-2     Python bindings for the GTK+ widge
ii  python-gtkspell             2.25.3-10    Python bindings for the GtkSpell l
ii  python-notify               0.1.1-2+b3   Python bindings for libnotify
ii  python-oauth                1.0.1-3      Python library implementing of the
ii  python-pkg-resources        0.6.16-1     Package Discovery and Resource Acc
ii  python-simplejson           2.1.6-1      simple, fast, extensible JSON enco
ii  python-webkit               1.1.8-2      WebKit/Gtk Python bindings
ii  python2.6                   2.6.7-1      An interactive high-level object-o
ii  python2.7                   2.7.2-1      An interactive high-level object-o

turpial recommends no packages.

turpial suggests no packages.

-- no debconf information
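The two transport mistakes the report describes (a plaintext API endpoint, and HTTPS whose peer certificate is never verified) side by side, as an added example; this is not turpial's code and not from the report. It uses the Python 3 `ssl` and `http.client` modules rather than the Python 2 `httplib` of 2011, and the `audit_endpoint` helper and its finding strings are this example's own invention. The only endpoint URL used is the one the report names; the Twitter URL is not in the report, so it is not assumed here.

```python
"""Added example, not turpial's code: the flaws from the report and the fix.

Python 3 stdlib only. The audit helper and finding strings are this example's
own; the endpoint URL is the one the bug report names.
"""
import http.client
import ssl
from urllib.parse import urlsplit

# Findings the audit can report (names chosen for this example).
PLAINTEXT = "plaintext transport: credentials cross the wire unencrypted"
NO_CERT_CHECK = "TLS without certificate verification: any certificate is accepted"
NO_HOSTNAME_CHECK = "certificate is not matched against the host name"


def insecure_context():
    """A context that behaves like 2011-era httplib.HTTPSConnection: it encrypts
    the session but accepts any certificate, so a man-in-the-middle with a
    self-signed cert is indistinguishable from the real server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    """The fixed configuration: chain verified against the system CA store and
    the leaf certificate matched against the host name we asked for."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets CERT_REQUIRED + check_hostname;
    # stated explicitly so the intent survives future edits.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_endpoint(url, ctx):
    """Return the list of transport weaknesses for an endpoint + TLS context.

    An http:// endpoint is reported alone: with no TLS at all the certificate
    settings never come into play."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return [PLAINTEXT]
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(NO_CERT_CHECK)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    return findings


def api_connection(url, ctx, timeout=10):
    """Open an HTTPS connection to the endpoint with the given context.

    Refuses plaintext endpoints outright. With secure_context(), a forged
    certificate makes the handshake raise ssl.SSLCertVerificationError instead
    of silently handing the attacker the user's credentials."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing plaintext endpoint: %s" % url)
    return http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=ctx, timeout=timeout)


if __name__ == "__main__":
    # The three states from the report: as shipped, after only editing the
    # endpoint to https://, and with certificate verification enabled.
    cases = [
        ("as shipped", "http://identi.ca/api", insecure_context()),
        ("https endpoint, no verify", "https://identi.ca/api", insecure_context()),
        ("https endpoint, verified", "https://identi.ca/api", secure_context()),
    ]
    for label, url, ctx in cases:
        print("%-28s %s" % (label, audit_endpoint(url, ctx) or ["ok"]))
```

Running the block offline prints the audit for the three states; `api_connection("https://identi.ca/api", secure_context())` is the shape the client code should take, and it needs network access only when you actually call `.request()` on it.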