Remmina drops clear text password in target desktop

Bug #1307872 reported by Xhococat
This bug affects 1 person
Affects: remmina (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

I tried to report this to the developers, but there has been no action for months. Since Remmina is being touted as the primary RDP client for Ubuntu, I thought you all needed to be warned. I have since switched to KRDC, by the way.

The bug is logged on:

https://github.com/FreeRDP/Remmina/issues/218

The haiku version:

Your Windows password
Has just been typed in clear text
Into some window.

Basically, if you are logging into an existing Windows session using RDP under Remmina, the application passes the Windows login password - in clear text - to whatever window has focus in the Windows session. I found that this worked for several types of windows, including UNIX windows being emulated with an X server (Exceed). The passing of plaintext password keystrokes in the system, to say nothing of the password sitting in some window, clearly defeats quite a bit of Windows security.

I do not believe that Remmina is under active development, so it looks like it's up to you all to either get this fixed or switch the default RDP client to something safer, IMO.

I'm using 13.10, although I believe that I saw this originally on 13.04 (no work has been done on this bug as far as I know). I did try to report this bug automatically, but my connection would not let me get into the descriptive part before losing contact with the server.

information type: Private Security → Public Security
Changed in remmina (Ubuntu):
status: New → Confirmed