April 23, 2019

Potential Security Flaw In KDE's Krusader And Akregator Remain Unfixed In KDE Applications 19.04

A potential security risk has come to light from a few interconnected bug reports over on the KDE bug tracker website. These bug reports indicate that a user using either Konqeror or Akregator may be subject to tracking and / or fingerprinting across the web, even when steps are taken to implicitly prevent this from happening.

It should be noted here that as of this writing, In the case of Kubuntu and KDE Neon, Konqeror is not available for installation via Plasma Discover, although it is installable via the command line, synaptic, or the Muon package manager.

The issue appears to be related to the applications (sometimes option, sometimes not) usage of the Qt Webengine back end.

In the report, the bug's author states the following:

"Despite proxy settings pointing to Privoxy, as well as Easylist+Easylist Privacy, Easylist Germany, Fanboy List and quite some other lists enabled in the ad blocker settings according to https://panopticlick.eff.org/ neither Konqueror 17.08 nor Akregator 17.08 block trackers or protect against fingerprinting"

Since the bug is still open, we can assume this is the case still today, even though the bug reports are nearing  1 1/2 years old now.

The report also states that perhaps Falkon web browser is affected, but this has not been confirmed. Further, since Falkon comes with adBlock pre-installed, this is not likely to be a factor.

A follow-up comment on the bug report states that Konqeror5 gives the option of using different back-ends including KHTML and / or QtWebkit. However, this would be hit or miss depending on the distribution being used. Also, a user could not be expected to know this or how to go about changing backends. Further, in the case of Akregator, the user is not given a choice in the settings as to which backend to use.

For now, security-conscious users may want to stay clear of using Konqeror for general web browsing. In the case of Akregator, hopefully this will be addressed in an upcoming release, although the lack of activity on the bug report(s) may indicate otherwise.

The relevant bug reports can be found here for Konqeror and here for Akregator, although they are essentially exactly the same.

No comments:

Post a Comment