Skip to content

Disable or fix Pastebin function in debug window to protect user data

Submitted by GN @gnome-nuclearsunshine

Link to original bug (#732286)

Description

See my comments at https://bugzilla.gnome.org/show_bug.cgi?id=658724#c19 and https://bugzilla.gnome.org/show_bug.cgi?id=658724#c20 on the bug for original implementation of this button.

At present the button:

  • Doesn't warn the user/confirm before sending.
  • Posts as a guest user, publicly, with no expiry, allowing only a manual abuse takedown request, which takes up to 24 hours, by which time the page in my case was already crawled by both Google and another bot designed to trawl for sensitive data.
  • Goes against Pastebin's AUP regarding the posting of sensitive data. In my case it submitted the SIP number I was trying to call, and my SIP user account and endpoint, as well as my local user account name.

Additionally, some bug somehow triggered the button immediately on my opening the debug window, without my clicking it.

I have asked Pastebin to revoke the API key used in Empathy (as mentioned in the other bug) as it is being used in released versions in an inappropriate manner per their AUP. I'd suggest that the responsible thing to do would be for the API key owner (Chandni I believe) to revoke it herself anyway and for a new key to be obtained as and when this feature is modified to fix the above problems.

Version: 3.12.x