Reddit Scope Leaking User Queries


If you are currently using the Reddit Unity Scope on Ubuntu, you should consider disabling it. The reason is that a Reddit admin pointed out that Ubuntu dash searches were ending up in Reddit’s server logs.

This is happening because the Reddit Unity Scope uses a URL that does not have SSL configured, so those queries are sent as plain-text HTTP. The good news is that a fix is already under way on a bug I filed, and Reddit’s API documentation explains how to properly use SSL when making queries.

But until then, please consider disabling the Reddit Scope so your dash searches do not end up on a third-party server, or worse, get eavesdropped by someone running Wireshark on the same network as you.

For what it’s worth, Reddit should probably do a better job of linking to their API documentation. This was just a small oversight, and not really anyone’s fault in particular.

Edit: I did not realize that scopes are no longer local but instead run on Canonical’s servers; because of this, any potential local eavesdropping is unlikely. The security bug is still valid, though, as it leaks queries to Reddit, and the scope does not do certificate validation in any case, which would allow a MITM attack.
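To make the two defects concrete, here is an added example (not code from the Reddit Unity Scope or from Reddit) showing the plain-HTTP, no-verification pattern beside the hardened form and the check a reviewer would run against a scope's TLS setup. The Reddit base URL and the `/search.json` endpoint path are assumptions for illustration.

```python
"""Added example, not the scope's own code: plaintext/unverified query
pattern beside the hardened HTTPS form the post calls for."""
import ssl
import urllib.parse
import urllib.request

# Assumed values: the API base URL and Reddit's search endpoint path.
REDDIT_API = "https://www.reddit.com"
SEARCH_PATH = "/search.json"


def build_search_url(query, base=REDDIT_API):
    """Return the search URL for a dash query, refusing plaintext transport.

    The scope bug was an http:// base URL, so every dash search travelled
    in clear text to Reddit and to anyone on the path."""
    parts = urllib.parse.urlsplit(base)
    if parts.scheme != "https":
        raise ValueError("refusing to send user queries over %r" % parts.scheme)
    return urllib.parse.urlunsplit(
        (parts.scheme, parts.netloc, SEARCH_PATH,
         urllib.parse.urlencode({"q": query}), ""))


def unverified_context():
    """The MITM-able pattern: TLS with no certificate or hostname check.
    Shown only so the audit function below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context():
    """Hardened form: system CA bundle, CERT_REQUIRED, hostname checking."""
    return ssl.create_default_context()


def context_is_safe(ctx):
    """Audit check: does this context actually validate the server cert?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def search(query, timeout=10):
    """Run the query over verified HTTPS (a network call, not exercised by
    the offline checks). Reddit's API asks for a descriptive User-Agent."""
    req = urllib.request.Request(build_search_url(query),
                                 headers={"User-Agent": "example-scope/0.1"})
    with urllib.request.urlopen(req, timeout=timeout,
                                context=verified_context()) as resp:
        return resp.read()
```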