Gwibber saves readable passwords

Bug #400120 reported by Leo Iannacone on 2009-07-16
This bug affects 11 people
Affects / Importance / Assigned to
Gwibber / Undecided / Ryan Paul
gwibber (Ubuntu) / High / Ken VanDine
Lucid / High / Ken VanDine

Bug Description

Using gconf, gwibber saves account information in the clear.

For example, this is the XML that represents one of my accounts:

<?xml version="1.0"?>
<gconf>
 <entry name="search_enabled" mtime="1247302421" type="bool" value="true"/>
 <entry name="public_enabled" mtime="1247418084" type="bool" value="false"/>
 <entry name="send_enabled" mtime="1247550059" type="bool" value="true"/>
 <entry name="receive_enabled" mtime="1247300287" type="bool" value="true"/>
 <entry name="password" mtime="1247300286" type="string">
  <stringvalue>PASSWORD</stringvalue>
 </entry>
 <entry name="username" mtime="1247300284" type="string">
  <stringvalue>USER</stringvalue>
 </entry>
 <entry name="message_color" mtime="1247300282" type="string">
  <stringvalue>#72729f9fcfcf</stringvalue>
 </entry>
 <entry name="protocol" mtime="1247300281" type="string">
  <stringvalue>identica</stringvalue>
 </entry>
</gconf>

This is just an example with the identica protocol. I'm seeing that gwibber does the same with the twitter protocol.

As you can see on your workstation, gwibber saves the clear-text password of every account.

Is there some way to protect this information from "curious eyes"?

Ryan Paul (segphault) wrote :

Gwibber has built-in support for using the GNOME keyring, but it is disabled in developer builds. You can manually enable it yourself by uncommenting the "import gnomekeyring" line in gwp.py and config.py.

GNOME recently transitioned its keyring to using D-Bus as the communication protocol. This introduced some technical defects that make the keyring work poorly with Gwibber's configuration abstraction layer. If you attempt to enable keyring support in Gwibber on the latest stable version of GNOME, there is a chance that the keyring daemon will crash.

Martin Meyer (elreydetodo) wrote :

FYI the version of gwibber included in Ubuntu Karmic has keyring support disabled. I was pretty disturbed when I was trying to find something in the gconf tree and stumbled across one of my passwords.

Is this being worked on? By "disabled in developer builds", I thought the devs meant "will be back in time for Ubuntu Karmic". This, along with Bug #421728 creates a very annoying security hole in Ubuntu Karmic, though I don't know if I should complain here or to the Karmic package maintainers (filed a bug in Ubuntu as well).

Conscious User (conscioususer) wrote :

As of Lucid Alpha 3, this bug still exists, only now it's not in a GConf key but in ~/.local/share/desktop-couch/gwibber_accounts.couch.

Together with Bug #421728, this is a security flaw that should not ship with Lucid.

summary: - Gwibber saves readable passwords in gconf
+ Gwibber saves readable passwords
Victor Vargas (kamus) wrote :

I checked this in "~/.local/share/desktop-couch/" (I opened couchdb.html and navigated into the db via browser) and I can confirm that at least for the twitter account my password is in plain text, and the permissions for this file are rw-r--r--, so in theory anyone could read it. If some gwibber developer can check this it would be great! Thanks
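
The two checks that the report and the comment above describe by hand (a sensitive key stored as a readable <stringvalue> in a gconf XML file, and a config file whose mode lets group or others read it) can be scripted. The following is an added example, not code from Gwibber or the bug thread; the regular expression for "secret-looking" key names and the sample XML (modelled on the account dump in the description) are constructed here, and the demo writes the sample to a temporary file with the 0644 mode reported for the desktop-couch file so the permission check has something to flag.

```python
"""Audit a gconf per-key XML file for clear-text secrets and loose permissions."""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Entry names that should never carry a readable value (assumed list).
SENSITIVE_KEYS = re.compile(r"(password|passwd|secret|token|api_?key)", re.IGNORECASE)

# Constructed sample modelled on the account dump quoted in the bug description.
SAMPLE_GCONF_XML = """<?xml version="1.0"?>
<gconf>
 <entry name="send_enabled" mtime="1247550059" type="bool" value="true"/>
 <entry name="password" mtime="1247300286" type="string">
  <stringvalue>PASSWORD</stringvalue>
 </entry>
 <entry name="username" mtime="1247300284" type="string">
  <stringvalue>USER</stringvalue>
 </entry>
 <entry name="protocol" mtime="1247300281" type="string">
  <stringvalue>identica</stringvalue>
 </entry>
</gconf>
"""


def find_cleartext_secrets(xml_text):
    """Return [(entry name, value)] for entries whose name looks like a secret."""
    root = ET.fromstring(xml_text)
    hits = []
    for entry in root.iter("entry"):
        name = entry.get("name", "")
        if not SENSITIVE_KEYS.search(name):
            continue
        # gconf keeps string values in a child <stringvalue>; other types use value=.
        node = entry.find("stringvalue")
        value = node.text if node is not None else entry.get("value")
        if value:
            hits.append((name, value))
    return hits


def world_readable(path):
    """True if the file mode grants read access to group or others."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_gconf_file(path):
    """Run both checks on one %gconf.xml file and return a report dict."""
    with open(path, encoding="utf-8") as fh:
        secrets = find_cleartext_secrets(fh.read())
    return {
        "path": path,
        "cleartext_secrets": [name for name, _ in secrets],
        "world_readable": world_readable(path),
    }


def demo():
    """Write the constructed sample with the rw-r--r-- mode from the thread and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix="%gconf.xml", delete=False) as fh:
        fh.write(SAMPLE_GCONF_XML)
        path = fh.name
    os.chmod(path, 0o644)  # rw-r--r--, as reported for the desktop-couch file
    try:
        return audit_gconf_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    report = demo()
    for name in report["cleartext_secrets"]:
        print("clear-text secret in entry %r" % name)
    if report["world_readable"]:
        print("file is readable by group/others")
```

To run it against a real tree, point audit_gconf_file() at each %gconf.xml under ~/.gconf; the username entry is deliberately not flagged, since the report's complaint is the password, not the account name.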

Changed in gwibber (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete
Ryan Paul (segphault) wrote :

Gwibber stores passwords as plain text in CouchDB by design. It's intentional and it's not a bug. The passwords are stored as plain text so that they can be synchronized between the user's computers. Canonical's desktopcouch doesn't support synchronizing the keyring yet, so we can't store the passwords there.

Conscious User (conscioususer) wrote :

Ryan, if keyring usage is not possible for now, then the correct procedure would be to either solve Bug #421728 or at the very least make users aware that their passwords will be readable. I know that a Twitter account is not exactly as critical as a bank account, but that doesn't change the fact that readable passwords are a security flaw.

Conscious User (conscioususer) wrote :

Also, why is the current status "Incomplete"? I think "Triaged" would make more sense.

Changed in gwibber (Ubuntu):
assignee: nobody → Ken VanDine (ken-vandine)
Changed in gwibber:
assignee: nobody → Ryan Paul (segphault)
milestone: none → 2.30.0
status: New → Triaged
Changed in gwibber (Ubuntu):
milestone: none → ubuntu-10.04-beta-2
status: Incomplete → Triaged
Victor Vargas (kamus) on 2010-03-18
Changed in gwibber (Ubuntu):
milestone: ubuntu-10.04-beta-2 → none
Victor Vargas (kamus) wrote :

Well, Ken VanDine told me in a PM that they are actually working on this and agrees with marking it as triaged. Thanks!

Changed in gwibber (Ubuntu):
status: Triaged → Fix Committed
Changed in gwibber:
status: Triaged → Fix Committed
Changed in gwibber (Ubuntu):
milestone: none → ubuntu-10.04-beta-2
Changed in gwibber (Ubuntu):
status: Fix Committed → New
Ken VanDine (ken-vandine) wrote :

There is a slight UI change, but there is no documentation that is affected. When your account is synced to an additional computer, the password will not exist in the keyring. When that occurs, the existing accounts dialog will be raised and the accounts that need attention are highlighted in pink. No string changes, just an indication of what needs to be corrected.

Martin Pitt (pitti) wrote :

Approving the "new keyring dialog" change, since it's necessary to fix the cleartext passwords.

Please do check with the design team about the pink background, though. Can't it just use the standard gnome-keyring dialog?

Changed in gwibber (Ubuntu Lucid):
importance: Medium → High
status: New → Triaged
Ken VanDine (ken-vandine) wrote :

I'll talk to design. I avoided using that dialog for 2 reasons:

1) If you had several accounts that needed the password set at once, I didn't want to spam you with dialogs.
2) Different types of accounts request different types of secret information, password, api key, etc. The accounts dialog already has guide text explaining what should be entered and provides links to help users find the information they need.

So what is currently implemented raises the window and will highlight all the accounts that need attention.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gwibber - 2.29.94-0ubuntu1

---------------
gwibber (2.29.94-0ubuntu1) lucid; urgency=low

  * New upstream release
    - Use the keyring to store private account fields (LP: #400120)
    - Store window state information in gconf instead of desktopcouch
      to prevent syncing
  * debian/control
    - Added depends on python-gnomekeyring
  * debian/patches/lp_report_to_ubuntu.patch
    - Updated to also point translations and questions to
      downstream (LP: #551535)
 -- Ken VanDine <email address hidden> Tue, 30 Mar 2010 22:14:41 -0400

Changed in gwibber (Ubuntu Lucid):
status: Triaged → Fix Released
Changed in gwibber:
status: Fix Committed → Fix Released
mikbini (mikbini) wrote :

Uhm, I still see cleartext passwords in gwibber: should I re-create the accounts using gwibber >= 2.29.94?
