seahorse shows passwords without verification

Bug #189774 reported by Rocko on 2008-02-06
180
This bug affects 37 people
Affects Status Importance Assigned to Milestone
seahorse
New
Medium
seahorse (Ubuntu)
Wishlist
Unassigned

Bug Description

Binary package hint: seahorse

When I log in the first time, I get asked for my password to access the wireless network.

Then any time later I can run seahorse (without authentication) and go and look at my wireless password (password tab / passphrase for wireless network / properties). It just asks me 'Do you want to allow access?' and if I say yes (ie 'Allow Once' or 'Allow Always'), it doesn't ask for authentication or anything, it just shows the password.

Isn't this a security problem?

If I reboot just X with CTRL-ALT-BS and log in again, when I run seahorse it asks me for authentication to run it, but after a full reboot it doesn't ask for any authentication.

I have automatic login enabled (so on full reboot I don't need to login via the X login window) if that makes any difference.

Version info:

distro: hardy alpha 4

kernel: 2.6.24-5-generic

seahorse: 2.21.4-0ubuntu2

gnu-pg: 1.4.6-2ubuntu5

python-gnupginterface: 0.3.2-9ubuntu1

Rocko (rockorequin) wrote :

To clarify: I mean that when I log in the first time, I get asked for the password to my gnome-keyring so that nm-applet can retrieve the wireless network password, and so by the time I open seahorse I've already authenticated with gnome-keyring.

Richard Seguin (sectech) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It appears as this isn't a bug though... If you are prompted to enter a password (or allowed to choose to always allow access to the keyring) then you will be able to access the wireless password without anymore prompts.

Changed in seahorse:
status: New → Invalid
Yashka Oreza (yashka) wrote :

Perhaps the dialog granting a program the right to read a password should require you to confirm with the master password, even if the keychain is unlocked. As of now, all you have to do is click a button - seems like the barrier is too low.

Markus Korn (thekorn) wrote :

it's a wishlist bug and confirmed in comment #3

Changed in seahorse:
importance: Undecided → Wishlist
status: Invalid → Confirmed
Andreas Moog (ampelbein) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue has been reported Upstream. You can track the status and make comments here: http://bugzilla.gnome.org/show_bug.cgi?id=551036

Changed in seahorse:
assignee: nobody → desktop-bugs
status: Confirmed → Triaged
Changed in seahorse:
status: Unknown → New
DMG46664 (danielmgerson) wrote :

I see this as a VERY serious security flaw!

Given that Empathy Instant Messenger is going to be the default messenger in the next Ubuntu Release, I thought I'd check it out. While setting up my gmail and msn accounts I noticed that it was saving the passwords in the public keyring. It was also giving the familiar quickAllow ("Deny","Allow Once", "AllowAll") dialog when starting up the program and connecting to these accounts. No prompting for any password to protect the keyring.

Given that this was being stored in a public keyring, I wanted to see how easy it was to find these password. I open up sea horse, and hey presto! My passwords to gmail and msn are available for all to see for someone who might be strolling around my workstation/laptop while i'm not there, (if I forget to log out or lock)... using the quickAllow dialog.

Now if someone finds my wireless network key, I don't really care in the scheme of things, even if they use my network to commit bad acts, it happens often enough that I'm unlikely to be penalized. However! I and most people have very sensitive information in our webmail accounts and easy access to them is definitely something I'd like to avoid.

It looks like the quickAllow dialog is from some common library that both applications call into. Please can this prompt for a password, the same way as critical updates do!!!

Thank you.

DMG46664 (danielmgerson) wrote :

Okay, didn't know what triaged meant.

I've posted my comments on the bugzilla bug for GnomeKeyring.

Benjamin Humphrey (humphreybc) wrote :

For anyone who's interested, have a look at this thread: http://ubuntuforums.org/showthread.php?t=1302342

This is my idea to solve the problem quoted from the forums;

he way I see it Ubuntu is almost there, seahorse does ask permission just no confirmation. And we do have the tools like gconf. And policykit, witch can handle non-root permissions and IMO is way under used.

Here's my idea, create a sane list of default apps that can access seahorse. The ability to change that list through gconf, and permission checks through policykit for unexpected apps, changing info or viewing passwords. And finally come up with a unified personal security policy for the desktop as a whole. (See above post 182; you need your password to change your password and about me does not display clear text.)

Rocko (rockorequin) wrote :

@Corey: that sounds great to me. Perhaps you should add your comments to the gnome-bug (https://bugzilla.gnome.org/show_bug.cgi?id=551036)? It's a Gnome issue and I think the Ubuntu devs are waiting for it to be solved upstream.

Marc Deslauriers (mdeslaur) wrote :

Empathy stores your authentication information into your private keyring that is only accessible by you with the password you use to unlock it. There is no "public keyring". Pidgin stores your account passwords in clear text in a file with appropriate user permissions.

Dave Lillis (ishnid) wrote :

My view is that this as a very serious design flaw. The bottom line is that passwords should never be displayed in plain text by any application, for any reason.

Benjamin Humphrey (humphreybc) wrote :

Apparently it is a "design decision" and therefore not a bug.

Jack Senechal (jacksenechal) wrote :

I'm in agreement with comments #6 and #12. This is a VERY serious security issue. The quick allow dialog protects the passwords stored in the wallet from network intruders or malware, but if someone happens to have access to your computer when you forget to lock the screen, they can easily see all of your passwords in plain text.

I'm personally not opposed to the ability to see these passwords once you've gained access, but for security it is critical that this access be protected by a password prompt even if the keyring has been unlocked. There is a big difference between allowing a program to access a stored password with the quick allow dialog, and giving a user access to the full list of passwords in plain text. Having a quick allow dialog in this context is a major oversight, and IMHO it should be considered a serious bug.

Michael Nagel (nailor) wrote :

from a theoretical, scientific, cryptographical point of view it might be (and probably is) no problem to display the passwords without restriction once the keyring has been unlocked as anyone really interested can retrieve them anyways. not having to retype the password[1] dramatically lowers the amount of both knowledge and malice needed, however.

contra: having to retype the password might create the false illusion of a security and users might believe passwords are secure when they are not.

pro: on the other hand, it might stop your buddy from looking at all your passwords when you show him the wlan password he needs when your kids playing in the same room accidentally throw a basketball against your chair, a leg breaks, you fall down, spill your cup of coffee. now you go to the kitchen to clean up the mess, to the bathroom to clean up some more mess and change clothes. and then you remember: "damn! i forgot to lock the keyring..."

this user story is purely fictional. i don't even have kids :) but i think having to enter your password before displaying passwords in plain text (or not allowing that at all!!!!) would stop most opportunistic/accidental password leakage.

[1] the keyring manager in firefox uses this approach and i think is a sound approach...

Marcos Diaz (marcos-diaz) wrote :

RULE Nº1 IN SECURITY:
Never, never, never store or display passwords in plaintext.

Seriously devs, are you joking? Give someone the possibility of read all my passwords in plaintext while I'm in the toilet is a feature? Oh my god...

Legolas (aka-wood-elf) wrote :

I think so too! It's very unsafe! It is not better than the sticker with passwords on your monitor!
Sorry for my English =(

I've noticed this problem also with Ubuntu 10.04
I don't know the motivations about the choose, but I think it is dangerous because a lot of password are used for many services. Think people that have got hotmail account, with the same password you could open your msn account and your email account...
I hope that this will change in a few time.
Sorry for my English

Regards
Antonio

xcape77 (xcape77) wrote :

Yes, please make seahorse ask again for the keyring-passwort befor showing all passworts, really ALL PASSWORTS, in plaintext !

DMG46664 (danielmgerson) wrote :

PLEASE... the next person who wants to add a comment of consolidarity here. DON'T.

This log has been TRIAGED. This means that the bug has been posted to the website responsible for developing this software.
If you agree that this is important... then take the time to post it on their website.

Posting it here, won't have any effect on getting it done.

http://bugzilla.gnome.org/show_bug.cgi?id=551036

Changed in seahorse:
importance: Unknown → Medium

I don't agree with Comment #20:

* The problem exists sice 2 years
* The importance is more than medium: eg. in case of a vpn password, a single signon corporate password is showed!
* So it is a HIGH RISK SECURITY ISSUE and the UBUNTU TEAM should ATTENT TO THAT PROBLEM (patch itself or replace the Seahorse UI)!!!

csoler (cyril-soler) wrote :

Indeed. I want also to stress that this is a very serious security issue (e.g. when working in environments with multiple working people, in the train, etc). Before ending here, I just figured out that I could display my login passwd in seahorse without any security barrier as well. It basically takes 10 secs for anybody to read one's login passwd in clear text.

Please do something !!!

mkotechno (mkotechno) wrote :

Current seahorse security bug:
http://goo.gl/6oF7f

Lee Hyde (anubeon) wrote :

I concur with Igor's last comment. I've recently started using an extension for Mozilla Firefox which integrates Firefox's password cache with the GNOME keyring and I was shocked to find that one could open seahorse and browse all of the passwords therein (within any unlocked keyring; I use the default login keyring) as plain text. It's one thing to unlock a key ring and allow a programme to access these passwords for the entire session (though it would be nice to see options to re-lock a keyring after x minutes and/or every time the screen locks), it's quite another to allow any interloper to access those passwords as plain text.

I hope that this gets fixed soon. This seems like a fairly old/established bug, and one would have hoped a security issue like this would have been fixed by now. I don't mean to be patronising, condescending or a back-seat driver mind. I was just startled that such an obvious security hole existed.

Adam Dingle (adam-yorba) wrote :

GNOME is probably not going to fix this - it's not just the GNOME Way. I'd like to see Ubuntu address this, though. Today, if I walk up to any Ubuntu user's unlocked computer I can see any of their passwords in just a few keystrokes: Super + P + A + S + Enter starts Seahorse, then I can double click any password I want and click Show Password. From the comments above, I can see I'm not alone in being wary of this.

Ubuntu, would you take a patch to require the user to enter their login password to use the Show Password feature?

Adam Dingle (adam-yorba) wrote :

I just placed a bounty on this bug at Bountysource:

https://www.bountysource.com/issues/3849352-seahorse-shows-passwords-without-verification

It will be paid to anyone who provides a patch that Ubuntu accepts.

Sebastien Bacher (seb128) wrote :

Yes Adam, it looks like something having a distro patch for seems reasonable

Changed in seahorse (Ubuntu):
assignee: Ubuntu Desktop Bugs (desktop-bugs) → nobody
Julian Eden (julianeden2) wrote :

Is this underway, or what? First reported *eight years ago*, last update one year ago, and right now I can still open seahorse and see plaintext of all my passwords.

How hard can it be to do exactly what Chrome or many other implementations do, and just ask for a master password before allowing the user to view the plaintext of saved passwords?

Julian Eden (julianeden2) wrote :

Sorry, the "how hard can it be" phrasing is bit snarky. Just a bit disappointed that after eight years no time has been made for this.

Matthew R. Trower (dev-6) wrote :

Have a patch here; how do you want it? All of the documentation I see for distro patches uses Bazaar, and this definitely isn't making it upstream. Attached output of `git format-patch`, let me know if you want something else.

The attachment "0001-Require-login-password-to-view-plaintext-secrets.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.