Bug 1296263

Summary: Security issue in Nuvola Player 2 - no SSL certificate verification
Product: [Fedora] Fedora
Reporter: Jiří Janoušek (fenryxo) <janousek.jiri>
Component: nuvolaplayer
Assignee: MartinKG <mgansser>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: mgansser
Doc Type: Bug Fix
Last Closed: 2016-09-21 18:51:48 UTC
Type: Bug

Description Jiří Janoušek (fenryxo) 2016-01-06 18:24:10 UTC
The WebKitGTK+ library, used by Nuvola Player 2, comes with validation of SSL certificates disabled by default. Since Nuvola Player 2 doesn't explicitly turn certificate verification on, it is vulnerable to a man-in-the-middle attack, which may result in the theft of passwords to streaming services or linked third-party accounts (e.g. Facebook if the "Login with Facebook" feature has been used). The Nuvola Player team recommends upgrading to Nuvola Player 3, which is not affected by this issue.

Affected versions: All Nuvola Player 2 releases
Fixed in: Nuvola Player 3