Comment 4 for bug 296682

ap (a.p) wrote:

I just discovered this security issue on my own after deciding to inspect my "~/.tsclient/last.tsc" file and couldn't believe this hadn't been reported before. So I decided to do a Google search which led me here.

Guys, this is bad news! As mentioned by clovepower, the password is stored *in the clear* even if the user doesn't save the connection settings. All that's required is that the user enters his/her password on the tsclient window, as opposed to the remote server's login screen. Plus, "~/.tsclient/last.tsc" has world-readable permissions (as mentioned by Alex)!

I'm surprised this issue hasn't been fixed by now since it was first reported back on 11th Nov 2008. That's more than 9 months ago! How come this hasn't been fixed by now? Ubuntu Security Team? Shouldn't the importance of this bug be changed from "Wishlist" to "Medium"?

For now, I guess the only protection against this issue is to NOT enter passwords on the tsclient Logon Settings screen. Instead, users should type their credentials on the *remote server*'s login screen.

$ grep -e username -e password\:b -e address -e domain ~/.tsclient/last.tsc
domain:s:test
full address:s:ts.domain.foo:3389
password:b:mysecretpass
username:s:ap

$ ls -l ~/.tsclient/last.tsc
-rw-r--r-- 1 ap ap 873 2009-08-26 17:46 /home/ap/.tsclient/last.tsc

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.04.3 LTS
Release: 8.04
Codename: hardy

$ apt-cache policy tsclient
tsclient:
  Installed: 0.150-1ubuntu1
  Candidate: 0.150-1ubuntu1
  Version table:
 *** 0.150-1ubuntu1 0
        500 http://gb.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status