https://bugs.kde.org/show_bug.cgi?id=404750
Bug ID: 404750
Summary: Thumbnails of files in vaults are unencrypted
Product: Plasma Vault
Version: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: grave
Priority: NOR
Component: general
Assignee: ivan.cu...@kde.org
Reporter: inf...@openaliasbox.org
Target Milestone: ---
SUMMARY
The thumbnails of files in KDE vaults (or any other encrypted folders and
files) should not be stored in an unencrypted folder like ~/.cache/thumbnails,
or if so, should be deleted after vault's unmount.
There's little point in keeping our private files in secure folders safe from
eavesdropper eyes if in the end they all are "microfilmed" in the thumbnails
folder, especially those in ~/.cache/thumbnails/large, which have a rather
generous size. In the case of plain texts the thumbnail only shows the first
lines, but images and other content are fully thumbnailed.
STEPS TO REPRODUCE
1. Mount some vault
2. Browse it with Dolphin, Gwenview, whatever program that makes thumbnails.
3. Close the vault
OBSERVED RESULT
In ~/.cache/thumbnails new thumbnails of the vault's content have been created
and are stored unencrypted.
EXPECTED RESULT
Actually this is not a malfunction but a design flaw. But I guess that a nice
expected result would be that
these thumbnails were saved in the vault, perhaps a /thumbnails subfolder
inside the vault's mount folder, so they are invisible until the vault gets
mounted. Or maybe said thumbnails subfolder could be mounted also in
~/.cache/thumbnails -so the user could purge his image caché as easily as
always- perhaps inside an mount subfolder with the same name of the vault -If
vault "SecretCoffin" is mounted, then the folder
~/.cache/thumbnails/SecretCoffin is created and shows the encripted thumbnails.
If "SuperSecretCoffin" gets unmounted, ~/.cache/thumbnails/SuperSecretCoffin
becomes an empty directory or is deleted.
This would have the disadvantage of having this hypothetical encrypted
thumbnails folder mounted twice, and the clarity gained on one side could add
confusion on the other. I don't really know. I hope you, devs, will probably
figure better solutions.
SOFTWARE/OS
Linux/KDE Plasma: Gentoo, Plasma 5.15.1
(available in About System)
KDE Plasma Version: 5.15.1
KDE Frameworks Version: 5.55
Qt Version: 5.12.1
ADDITIONAL INFORMATION
I think this issue should be taken rather seriously and urgently. It surprises
me that nobody has reported this security flaw yet, which means that every user
of Plasma's vaults who enables thumbnails is ignorant that they in reality have
many of their encrypted information easily accessible to anyone who has access
to their PC.
--
You are receiving this mail because:
You are watching all bug changes.
