** Changed in: evolution-data-server
       Status: Unknown => New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evolution-data-server in Ubuntu.
https://bugs.launchpad.net/bugs/1828124

Title:
  org.gnome.evolution.dataserver.Source completely unveils account
  credentials in plain text while using dbus-monitor

Status in evolution-data-server:
  New
Status in evolution-data-server package in Ubuntu:
  Incomplete

Bug description:
  Steps to reproduce:
  1. Install Ubuntu 16.04 LTS
  2. Install Evolution
  3. Set up a Google account with default settings (this will end with e-mail and calendar)
  4. Reboot
  5. Open evolution Calendar and/or indicator-datetime
  6. Launch `dbus-monitor`

  Expected results:
  * Evolution does not show account credentials in plain text in `dbus-monitor` output

  Actual results:
  * Evolution shows account credentials in plain text in `dbus-monitor` output:

  
  method call time=1557268474.383095 sender=:1.74 -> destination=:1.40 serial=939 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
     ]
  method return time=1557268474.383686 sender=:1.40 -> destination=:1.74 serial=366 reply_serial=939
  signal time=1557268474.389206 sender=:1.40 -> destination=(null destination) serial=367 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
     ]

  signal time=1557268520.956861 sender=:1.40 -> destination=(null destination) serial=408 path=/org/gnome/evolution/dataserver/SourceManager/Source_19; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]
  signal time=1557268520.960443 sender=:1.40 -> destination=(null destination) serial=409 path=/org/gnome/evolution/dataserver/SourceManager/Source_18; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]
  signal time=1557268520.964374 sender=:1.40 -> destination=(null destination) serial=410 path=/org/gnome/evolution/dataserver/SourceManager/Source_20; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]

  -----
  This is a huge security flaw. A malicious script can parse `dbus-monitor` output...
  Not sure about more recent Ubuntu and Evolution versions.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: evolution-data-server-common 3.18.5-1ubuntu1.1
  ProcVersionSignature: Ubuntu 4.4.0-143.169-generic 4.4.170
  Uname: Linux 4.4.0-143-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.18
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed May  8 01:40:27 2019
  InstallationDate: Installed on 2018-01-04 (488 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  PackageArchitecture: all
  SourcePackage: evolution-data-server
  UpgradeStatus: No upgrade log present (probably fresh install)
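
The following script is an added example, not part of the original report or of evolution-data-server. It scans a dbus-monitor text capture for the Authenticate and InvokeAuthenticate messages shown above, reports which source path exposed which field, and masks the values so the capture can be attached to a bug report. SECRET_KEYS, the <redacted> marker and the sample capture are assumptions made for the example.

```python
import re

# Interface and member names are taken from the capture in the report.
IFACE = "org.gnome.evolution.dataserver.Source"
MEMBERS = {"Authenticate", "InvokeAuthenticate"}
SECRET_KEYS = ("password", "username")  # assumption: the fields to mask

MSG_START = re.compile(r"^\s*(method call|method return|signal|error)\s+time=")
HEADER_FIELD = re.compile(r"(path|interface|member)=([^;\s]+)")
SECRET_ARG = re.compile(r'^(\s*string ")(%s):(.+)"\s*$' % "|".join(SECRET_KEYS))
ARG_PREFIXES = ('string "', "array [", "]")


def scrub(capture):
    """Return (redacted_text, findings) for a dbus-monitor text capture."""
    out, findings, header = [], [], ""
    for line in capture.splitlines():
        if MSG_START.match(line):
            header = line.strip()              # a new message starts here
        elif not line.lstrip().startswith(ARG_PREFIXES):
            header += " " + line.strip()       # header wrapped by a mailer
        fields = dict(HEADER_FIELD.findall(header))
        hit = SECRET_ARG.match(line)
        if (hit and fields.get("interface") == IFACE
                and fields.get("member") in MEMBERS):
            findings.append((fields["member"], fields.get("path"), hit.group(2)))
            line = '%s%s:<redacted>"' % (hit.group(1), hit.group(2))
        out.append(line)
    return "\n".join(out), findings


# Constructed sample: same shape as the report, placeholder values only.
SAMPLE = """\
signal time=1.0 sender=:1.40 -> destination=(null destination)
serial=1 path=/org/gnome/evolution/dataserver/SourceManager/Source_1;
interface=org.gnome.evolution.dataserver.Source; member=Authenticate
   array [
      string "password:EXAMPLE-SECRET"
      string "ssl-trust:"
      string "username:user@example.invalid"
   ]
signal time=2.0 sender=:1.9 -> destination=(null destination) serial=2 path=/x; interface=org.example.Other; member=Notify
   string "password:not-an-evolution-message"
"""

if __name__ == "__main__":
    redacted, found = scrub(SAMPLE)
    print(redacted, found, sep="\n")
```

Only messages on the interface named in the report are touched, so an empty findings list on a capture taken during the same steps indicates the credentials no longer cross the session bus in that form.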
