"setup-data.conf" is saved as plaintext
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Boxes |
Confirmed
|
Undecided
|
|||
| gnome-boxes (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
gnome-boxes saves "setup-data.conf" and all it's containing info - such as usernames, passwords, and private license codes - as plaintext.
This can be considered a security risk and can allow leakage of such content much easier to get into the wrong hands.
File location: '/home/
ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: gnome-boxes (not installed)
ProcVersionSign
Uname: Linux 4.18.0-
ApportVersion: 2.20.10-0ubuntu13
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Thu Nov 8 08:34:50 2018
InstallationDate: Installed on 2018-08-17 (83 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcEnviron:
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: gnome-boxes
UpgradeStatus: Upgraded to cosmic on 2018-10-19 (19 days ago)
| Jeb E. (jebeld17) wrote | #1 |
| Changed in gnome-boxes (Ubuntu): | |
| status: | New → Confirmed |
| description: | updated |
| information type: | Private Security → Public Security |
| description: | updated |
| Alex Murray (alexmurray) wrote | #2 |
| Jeb E. (jebeld17) wrote | #3 |
| Jeb E. (jebeld17) wrote | #4 |
| Changed in gnome-boxes: | |
| status: | New → Confirmed |
Looks like upstream used to store the password as plaintext but changed this a while ago to instead store it in the keyring - https:/
I suggest filing an issue directly upstream if you believe the current behaviour is not secure so that it can be discussed directly with the developers https:/
Thanks