Bug 26306

Summary: MissionControl deliver clear text password through Account.Parameters
Product: Telepathy Reporter: Nicolas Dufresne <nicolas>
Component: mission-controlAssignee: Telepathy bugs list <telepathy-bugs>
Status: RESOLVED NOTABUG QA Contact: Telepathy bugs list <telepathy-bugs>
Severity: major    
Priority: medium    
Version: git master   
Hardware: All   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Nicolas Dufresne 2010-01-28 16:26:52 UTC 
The MissionControl delivers clear text password through the org.freedesktop.Telepathy.Account.Parameters objects. This is a severe security issue since any application can retrieve the password without the user being notified by the keyring.
Comment 1 Will Thompson 2010-01-29 00:36:43 UTC 
As we discussed on IRC, this isn't a “severe security issue” on any normal system:

• if an application can access the session bus;
• then it is running as the same user as the keyring;
• so it can ptrace the keyring or the connection manager and find out your password anyway.

The spec. work being done to allow non-CM processes to respond to authentication challenges will allow the password not to be passed around like this, and even not to be stored (instead requiring the user to type it in at login), as side-effects of being able to use Kerberos etc.
Comment 2 Nicolas Dufresne 2010-01-29 05:59:29 UTC 
You are mixing thread here. We spoke on IRC about real-time sniffing of communication between MC and CMs at login and Client and MC on account management. While this should (I hope) be protected it's not the subject of this bug.

The BUG is there because the TP spec for account bypass the keyring. MC obtain right to read password in the keyring and allow (without user being informed) all other processes to obtain them.

The goal of the keyring is to make sure that a process won't have access to a password without user authorization. The TP Spec for account is in complete opposite of this and thus TP Spec is security broken, no matter what opinion you have on security.

This bug may not be fixed in short term, but an archive of it is really important. It's a matter of month before respectable distros like RedHat or Suse reject our software because of that.
Comment 3 Will Thompson 2010-01-29 06:34:57 UTC 
(In reply to comment #2)
> The BUG is there because the TP spec for account bypass the keyring. MC obtain
> right to read password in the keyring and allow (without user being informed)
> all other processes to obtain them.

If a process can access the bus, then the process can do whatever the keyring does to read your passwords from disk, because it is running as your user. It's the same non-issue.

> This bug may not be fixed in short term, but an archive of it is really
> important. It's a matter of month before respectable distros like RedHat or
> Suse reject our software because of that.

Oh, right, just like "respectable distros" rejected Pidgin for storing your passwords in plain text for the last ten years.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.