SECURITY: email credentials (address and password) available and stored in plain text
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Xfce4 Mailwatch Plugin |
Confirmed
|
Medium
|
|||
| xfce4-mailwatch-plugin (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
I use Xubuntu Trusty 14.04 LTS with the xfce4-mailwatch
During maintainance, I noticed that ALL the credentials of all mailboxes to "watch" are stored non-encrypted, in plain text, for everybody to read, copy, and alter in file /home/<
The contents of this file looks like this:
[mailwatch-plugin]
click_command=
new_messages_
normal_
new_mail_
log_lines=500
show_log_
auto_open_
[mailwatch]
nmailboxes=2
mailbox0=imap
mailbox_name0=John Joe
mailbox1=imap
mailbox_name1=Bill Gates
[mailbox0]
host=imap.apple.com
<email address hidden>
password=
auth_type=1
server_directory=
use_standard_port=0
nonstandard_port=0
timeout=480
n_newmail_boxes=1
newmail_box_0=INBOX
[...]
This means that everybody that can easily retrieve ALL the email credentials of an user of xfce4-mailwatch
I've seen discussions here about SSL and so forth, but...
Shouldn't the info in the /home/<
IMHO as it is now is frankly similar to taking a yellow Post-It, writing ones email address and password on it, and sticking it on the monitor of your box...
| Seth Arnold (seth-arnold) wrote | #1 |
| Changed in xfce4-mailwatch-plugin (Ubuntu): | |
| status: | New → Incomplete |
| information type: | Private Security → Public Security |
| Changed in xfce4-mailwatch-plugin (Ubuntu): | |
| status: | Incomplete → New |
| Changed in xfce4-mailwatch-plugin: | |
| importance: | Unknown → Medium |
| status: | Unknown → Confirmed |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in xfce4-mailwatch-plugin (Ubuntu): | |
| status: | New → Confirmed |
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/
I wouldn't be surprised if upstream decides this isn't a security flaw: they need access to the plaintext password to do their task. If it were encrypted, it would need to be encrypted with a passphrase that would require prompting the user. At that point you may as well just prompt the user for their mail server passwords directly. They could also use the keychain but I believe those are also available unencrypted for all processes to use when they are unlocked, so the keychain may actually be less secure than just putting the passwords into a mode 0600 file.
If the permissions on the file and all containing directories are too permissive, that might be a reasonable security issue, and one that's easy enough to address.
Thanks