** Changed in: evolution-data-server
       Status: Unknown => New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evolution-data-server in Ubuntu.
https://bugs.launchpad.net/bugs/1828124

Title:
  org.gnome.evolution.dataserver.Source completely unveils account
  credentials in plain text while using dbus-monitor

Status in evolution-data-server:
  New
Status in evolution-data-server package in Ubuntu:
  Incomplete

Bug description:
  Steps to reproduce:
  1. Install Ubuntu 16.04 LTS
  2. Install Evolution
  3. Set-up Google account with default settings (this will end with e-mail and calendar)
  4. Reboot
  5. Open evolution Calendar and/or indicator-datetime
  6. Launch `dbus-monitor`

  Expected results:
  * Evolution does not show account credentials in plain text in `dbus-monitor` output

  Actual results:
  * Evolution shows account credentials in plain text in `dbus-monitor` output:

  method call time=1557268474.383095 sender=:1.74 -> destination=:1.40 serial=939 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
     ]
  method return time=1557268474.383686 sender=:1.40 -> destination=:1.74 serial=366 reply_serial=939
  signal time=1557268474.389206 sender=:1.40 -> destination=(null destination) serial=367 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
     ]
  signal time=1557268520.956861 sender=:1.40 -> destination=(null destination) serial=408 path=/org/gnome/evolution/dataserver/SourceManager/Source_19; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]
  signal time=1557268520.960443 sender=:1.40 -> destination=(null destination) serial=409 path=/org/gnome/evolution/dataserver/SourceManager/Source_18; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]
  signal time=1557268520.964374 sender=:1.40 -> destination=(null destination) serial=410 path=/org/gnome/evolution/dataserver/SourceManager/Source_20; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]

  -----

  This is a huge security flaw. A malicious script can parse `dbus-monitor` output...
  Not sure about more recent Ubuntu and Evolution versions.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: evolution-data-server-common 3.18.5-1ubuntu1.1
  ProcVersionSignature: Ubuntu 4.4.0-143.169-generic 4.4.170
  Uname: Linux 4.4.0-143-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.18
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed May 8 01:40:27 2019
  InstallationDate: Installed on 2018-01-04 (488 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  PackageArchitecture: all
  SourcePackage: evolution-data-server
  UpgradeStatus: No upgrade log present (probably fresh install)
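
Added example, not part of the original report and not Evolution's own code: a Python filter that redacts the credential strings from a saved `dbus-monitor` capture before it is shared (for instance in a bug report) and lists which interface members carried them, without keeping the values. The sample capture is constructed, and treating `username` as sensitive is an assumption of this example.

```python
import re

# Payload keys from the report's Authenticate arrays that carry secrets.
# Including "username" is an assumption of this example.
SENSITIVE_KEYS = ("password", "username")
HEADER = re.compile(r'^(method call|method return|signal|error)\b')
MEMBER = re.compile(r'interface=([^;\s]+); member=(\S+)')
# Greedy up to the LAST quote on the line, so a value that itself contains
# a double quote is still masked completely.
SECRET = re.compile(r'^(\s*string ")(%s):(.*)(")\s*$' % "|".join(SENSITIVE_KEYS))

def redact_capture(text):
    """Return (redacted_text, findings); findings hold (member, key) only."""
    out, findings, current = [], [], "unknown"
    for line in text.splitlines():
        if HEADER.match(line):
            m = MEMBER.search(line)  # method returns carry no member
            current = "%s.%s" % m.groups() if m else "unknown"
        m = SECRET.match(line)
        if m:
            findings.append((current, m.group(2)))
            line = "%s%s:<redacted>%s" % (m.group(1), m.group(2), m.group(4))
        out.append(line)
    return "\n".join(out), findings

# Constructed sample in dbus-monitor's layout; all values are made up.
SAMPLE = '''method call time=0.0 sender=:1.2 -> destination=:1.1 serial=5 path=/org/gnome/evolution/dataserver/SourceManager/Source_1; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
   array [
      string "password:not-a-real"secret"
      string "ssl-trust:"
   ]
method return time=0.1 sender=:1.1 -> destination=:1.2 serial=6 reply_serial=5
signal time=0.2 sender=:1.1 -> destination=(null destination) serial=7 path=/org/gnome/evolution/dataserver/SourceManager/Source_1; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
   array [
      string "password:not-a-real"secret"
      string "username:user@example.invalid"
   ]
'''

if __name__ == "__main__":
    redacted, findings = redact_capture(SAMPLE)
    print(redacted)
    for member, key in findings:
        print("credential field %r seen in %s" % (key, member))
```

A non-empty findings list for a capture taken on a given release shows that its evolution-data-server still sends these fields in clear text over the session bus.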