Confirming this bug. Example scenario:
User 'attacker' (/~attacker) sets up a website that secretly steals the login keys of other Ubuland users (say he stole the cookie of /~saj0577). From this he could forge a new cookie, with the stolen login key, which would trick the current system into thinking he was Saj0577 and therefore would have access to Saj's account.
If there is a way for new cookies to be forged (I am not very knowledgeable about this) this is definitely a big problem. Otherwise it still isn't ideal for users to know other users' current Ubuland login keys, just in case there are other ways this can be exploited.