Pidgin stores passwords in plain text

Bug #226974 reported by Brewster Malevich
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
Pidgin | Won't Fix | Unknown | |
pidgin (Ubuntu) | Won't Fix | Wishlist | Unassigned |

Bug Description

Binary package hint: pidgin

home/<username>/.purple/accounts.xml

This file has unencrypted passphrases for all the accounts used in Pidgin. Isn't this a security risk?

description: updated
Magnus S (magnuss) wrote :

Yes, that's a security issue.
http://brainstorm.ubuntu.com/idea/10065/

Changed in pidgin:
status: New → Confirmed
Julian Alarcon (julian-alarcon) wrote :

Mentioned again here:
http://www.ubuntu-unleashed.com/2007/08/howto-local-password-encryption-for.html

I checked my accounts and I can't believe it... Plain text, anyone can read this info, take control of, for example, my Gmail account -> Launchpad -> Google Reader -> University Account -> Microblogging -> Private Works -> etc.

Please fix this bug, here is one fix for that:
http://www.ubuntu-unleashed.com/2007/08/howto-local-password-encryption-for.html

Julian Alarcon (julian-alarcon) wrote :

The last idea from brainstorm is a duplicate of:
http://brainstorm.ubuntu.com/idea/4728/

Please take care of this.

Magnus S (magnuss) wrote :

Thanks for the ping Julián.

Upstream doesn't seem to be interested in fixing this. Read http://developer.pidgin.im/wiki/PlainTextPasswords.
There is also a patch in http://developer.pidgin.im/ticket/5872.

Changed in pidgin:
status: Unknown → Won't Fix
Changed in pidgin (Ubuntu):
importance: Undecided → Wishlist
Hadmut Danisch (hadmut) wrote :

Any progress? Any intention to move to a more secure messenger?

Jamie Strandboge (jdstrand) wrote :

Upstream has indicated in their bug that they will not fix this. As we will not diverge from upstream on this point, closing as "Won't Fix".

Changed in pidgin (Ubuntu):
status: Confirmed → Won't Fix