26306 – MissionControl deliver clear text password through Account.Parameters

Bug 26306 - MissionControl deliver clear text password through Account.Parameters

Summary: MissionControl deliver clear text password through Account.Parameters

Status:	RESOLVED NOTABUG

Alias:	None

Product:	Telepathy
Classification:	Unclassified
Component:	mission-control (show other bugs)
Version:	git master
Hardware:	All All

Importance:	medium major
Assignee:	Telepathy bugs list
QA Contact:	Telepathy bugs list

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2010-01-28 16:26 UTC by Nicolas Dufresne
Modified:	2010-01-29 06:34 UTC (History)
CC List:	0 users

See Also:
i915 platform:
i915 features:

Attachments

Description Nicolas Dufresne 2010-01-28 16:26:52 UTC

The MissionControl delivers clear text password through the org.freedesktop.Telepathy.Account.Parameters objects. This is a severe security issue since any application can retrieve the password without the user being notified by the keyring.

Comment 1 Will Thompson 2010-01-29 00:36:43 UTC

As we discussed on IRC, this isn't a “severe security issue” on any normal system:

• if an application can access the session bus;
• then it is running as the same user as the keyring;
• so it can ptrace the keyring or the connection manager and find out your password anyway.

The spec. work being done to allow non-CM processes to respond to authentication challenges will allow the password not to be passed around like this, and even not to be stored (instead requiring the user to type it in at login), as side-effects of being able to use Kerberos etc.

Comment 2 Nicolas Dufresne 2010-01-29 05:59:29 UTC

You are mixing thread here. We spoke on IRC about real-time sniffing of communication between MC and CMs at login and Client and MC on account management. While this should (I hope) be protected it's not the subject of this bug.

The BUG is there because the TP spec for account bypass the keyring. MC obtain right to read password in the keyring and allow (without user being informed) all other processes to obtain them.

The goal of the keyring is to make sure that a process won't have access to a password without user authorization. The TP Spec for account is in complete opposite of this and thus TP Spec is security broken, no matter what opinion you have on security.

This bug may not be fixed in short term, but an archive of it is really important. It's a matter of month before respectable distros like RedHat or Suse reject our software because of that.

Comment 3 Will Thompson 2010-01-29 06:34:57 UTC

(In reply to comment #2)
> The BUG is there because the TP spec for account bypass the keyring. MC obtain
> right to read password in the keyring and allow (without user being informed)
> all other processes to obtain them.

If a process can access the bus, then the process can do whatever the keyring does to read your passwords from disk, because it is running as your user. It's the same non-issue.

> This bug may not be fixed in short term, but an archive of it is really
> important. It's a matter of month before respectable distros like RedHat or
> Suse reject our software because of that.

Oh, right, just like "respectable distros" rejected Pidgin for storing your passwords in plain text for the last ten years.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.