Pidgin stores passwords in plain text

Bug #226974 reported by Brewster Malevich on 2008-05-05
This bug affects 5 people
Affects: Pidgin; Status: Won't Fix; Importance: Unknown
Affects: pidgin (Ubuntu); Status: Won't Fix; Importance: Wishlist; Assigned to: Unassigned

Bug Description

Binary package hint: pidgin

home/<username>/.purple/accounts.xml

This file has unencrypted passphrases for all the accounts used in Pidgin. Isn't this a security risk?

description: updated

Magnus S (magnuss) wrote :

Yes, that's a security issue.
http://brainstorm.ubuntu.com/idea/10065/

Changed in pidgin:
status: New → Confirmed

Julian Alarcon (alarconj) wrote :

Mentioned again here:
http://www.ubuntu-unleashed.com/2007/08/howto-local-password-encryption-for.html

I checked my accounts and I can't believe it... Plain text, anyone can read this info and take control of, for example, my Gmail account -> Launchpad -> Google Reader -> University Account -> Microblogging -> Private Works -> etc.

Please fix this bug, here is one fix for that:
http://www.ubuntu-unleashed.com/2007/08/howto-local-password-encryption-for.html

Julian Alarcon (alarconj) wrote :

The last idea from brainstorm is a duplicate of:
http://brainstorm.ubuntu.com/idea/4728/

Please take care of this.

Magnus S (magnuss) wrote :

Thanks for the ping Julián.

Upstream doesn't seem to be interested in fixing this. Read http://developer.pidgin.im/wiki/PlainTextPasswords.
There is also a patch in http://developer.pidgin.im/ticket/5872.

Changed in pidgin:
status: Unknown → Won't Fix
Changed in pidgin (Ubuntu):
importance: Undecided → Wishlist

Hadmut Danisch (hadmut) wrote :

Any progress? Any intention to move to a more secure messenger?

Jamie Strandboge (jdstrand) wrote :

Upstream has indicated in their bug that they will not fix this. As we will not diverge from upstream on this point, closing as "Won't Fix".

Changed in pidgin (Ubuntu):
status: Confirmed → Won't Fix
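
An added example, not part of the original report and not Pidgin or Ubuntu code: a local audit that lists which accounts in an accounts.xml carry a saved password (without ever printing it) and flags file modes that let other local users read the file. The XML layout, the sample data and the function names are assumptions made for this illustration.

```python
import os
import stat
import sys
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample. Assumed layout: an <account> root holding one
# <account> child per configured account, with an optional <password>.
SAMPLE = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
 <account>
  <protocol>prpl-jabber</protocol>
  <name>alice@example.org/Home</name>
  <password>not-a-real-password</password>
 </account>
 <account>
  <protocol>prpl-irc</protocol>
  <name>alice@irc.example.net</name>
 </account>
</account>
"""

def audit_accounts(path):
    """Return (permission_findings, [(protocol, name)] with a saved password)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} lets group/other in, want 0600")
    saved = []
    for acct in ET.parse(path).getroot().findall("account"):
        # Only test for presence; the secret is never returned or printed.
        if (acct.findtext("password") or "").strip():
            saved.append((acct.findtext("protocol"), acct.findtext("name")))
    return findings, saved

def demo():
    """Audit the constructed sample under a loose and a tight file mode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "accounts.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit_accounts(path)
        os.chmod(path, 0o600)
        return loose, audit_accounts(path)

if __name__ == "__main__":
    # Pass a real path (e.g. ~/.purple/accounts.xml) or run on the sample.
    result = audit_accounts(os.path.expanduser(sys.argv[1])) if len(sys.argv) > 1 else demo()
    print(result)
```

Tightening the file mode only addresses other local users; anything running as the same user, or anyone holding a backup of the home directory, can still read the saved passwords.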
This report contains Public Security information
Everyone can see this security related information.