An alleged privacy issue with the Unity Reddit Scope in Ubuntu has been reported.
First highlighted by a Reddit admin and subsequently investigated by FOSS stalwart Benjamin Kerensa, it is claimed that search terms typed into the Unity Dash search box are being logged in the server records of the popular user-generated link sharing site Reddit.
Kerensa, who duly reported the bug to Canonical, says the flaw centres around the use of a non-SSL (Secure Socket Layer) URL through which users’ queries are sent. Search terms are instead delivered through HTTP Plain Text and, thus, subsequently logged by the server.
The issue first came to light when Reddit admin alienth noticed an application installation request lodged in the server logs of the site. Reporting the find in a post titled ‘Turns out the unity scope for reddit will send us most anything‘, alienth explains:
“I saw an interesting request hitting the site this evening. I thought someone was trying to perform some lame remote-execution attack until I noticed the user agent. Kinda amusing.”
The user agent in question reads:
And was tailed by an ‘apt-get install’ command that one user had mistakingly or naively entered into the Unity Dash, as Ubuntu Security Engineer Marc Deslauriers clarified in a follow up post to the thread:
“Looks like someone typed “sudo apt-get install startupmanager” in the global search box of the dash instead of in a terminal.”
It’s as yet unclear to what extent the supposed flaw reaches or which versions of Ubuntu are affected.
Panic At The Dash!
Inadvertent sending of search terms to a third-party server without encryption is not fantastic news. While Reddit is unlikely to do anything nefarious.
More of a theoretical issue than one to get too stressed about. But in light of previous privacy concerns with the handling of Amazon product result listings — an issue that won Canonical an infamous ‘Big Brother’ award — this latest drama will only serve to add ammo to the arguments of Unity’s detractors.
But there is at least an iota of solace in this issue – if it turns out to be more wide reaching than the (so far) one reported log entry – it’s that queries being punted over to Reddit (and Reddit alone, not Big Evil Corp™) contain no identifiable data. Search terms cannot be tracked, tied or otherwise traced back to the person who made them.
Fix On The Way
David Callé, author of the Reddit scopes, told me in an e-mail that a fix is already on its way and should be pushed to the Smart Scopes Server early this week. Issues with the Reddit SSL as a whole mean that this may not be enough.
In this scenario Callé says the Reddit scope would be disabled by default; it would not search the service even if a query matching it would usually trigger it, adding:
“Which means that to query Reddit, you will have to do it explicitly (with a keyword, like “r:ubuntu” or “reddit:ubuntu”, or by activating the Reddit filter). This is what is already done with, for example, the SoundCloud scope.”
While Reddit do provide detailed API documentation explaining how to send queries using SSL it is, as Kerensa notes, fairly hidden.
If you’re using the scope and worried about the leak you can disable the Reddit Scope through the Application Scope until the fix lands on the Smart Scopes Server. Doing this will prevent the fetching of Reddit results on your behalf.
Remote searches can be switched off off entirely through the Privacy pane in System Settings.
- The issue will only affect you if you have the Reddit Scope enabled
- Some search queries made in the Dash are sent from the SmartScopes Server to Reddit using a non-encrypted URL
- Data sent from the user to the Smarts Scopes Server, and vice verse, is secure
- No user-identifiable data is sent (e.g., IP) to Reddit
- Search terms cannot be traced/tied back to you
- The issue only occurs between the Smart Scopes Server and Reddit