Bug 1296263 - Security issue in Nuvola Player 2 - no SSL certificate verification
Summary: Security issue in Nuvola Player 2 - no SSL certificate verification
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: nuvolaplayer
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: MartinKG
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-01-06 18:24 UTC by Jiří Janoušek (fenryxo)
Modified: 2016-09-21 18:51 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-09-21 18:51:48 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Jiří Janoušek (fenryxo) 2016-01-06 18:24:10 UTC
WebKitGTK+ library, used by Nuvola Player 2, comes with a disabled validation of SSL certificates by default. Since Nuvola Player 2 doesn't explicitly turn certificate verification on, it is vulnerable to Man in the middle attack, which may result in a theft of passwords to streaming services or linked third-party accounts (e.g. Facebook if the "Login with Facebook" feature has been used). Nuvola Player team recommends upgrading to Nuvola Player 3, which is not affected by this issue.

Affected versions: All Nuvola Player 2 releases
Fixed in: Nuvola Player 3


Note You need to log in before you can comment on or make changes to this bug.