1296263 – Security issue in Nuvola Player 2 - no SSL certificate verification

Bug 1296263 - Security issue in Nuvola Player 2 - no SSL certificate verification

Summary: Security issue in Nuvola Player 2 - no SSL certificate verification

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	nuvolaplayer
Sub Component:
Version:	23
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	MartinKG
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-01-06 18:24 UTC by Jiří Janoušek (fenryxo)
Modified:	2016-09-21 18:51 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2016-09-21 18:51:48 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jiří Janoušek (fenryxo) 2016-01-06 18:24:10 UTC

WebKitGTK+ library, used by Nuvola Player 2, comes with a disabled validation of SSL certificates by default. Since Nuvola Player 2 doesn't explicitly turn certificate verification on, it is vulnerable to Man in the middle attack, which may result in a theft of passwords to streaming services or linked third-party accounts (e.g. Facebook if the "Login with Facebook" feature has been used). Nuvola Player team recommends upgrading to Nuvola Player 3, which is not affected by this issue.

Affected versions: All Nuvola Player 2 releases
Fixed in: Nuvola Player 3

Note You need to log in before you can comment on or make changes to this bug.