Don't require email and password in hubic backend except for first time
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Duplicity |
New
|
Undecided
|
Unassigned |
Bug Description
When you configure Duplicity using Hubic backend you are required to create ~/.hubic_
More info here: http://
The first time you run duplicity, it will generate a ~/.hubic_tokens file with two new values named access_token and refresh_token.
Since now you email and password are not used anymore but they are still present in the configuration file. This is insecure because a malicious user could read this file and compromise your whole hubic account.
Proposed workaround:
Once duplicity has obtained the tokens, set email and password to blank or random data