[Bug 189774] Re: seahorse shows passwords without verification
To clarify: I mean that when I log in the first time, I get asked for the password to my gnome-keyring so that nm-applet can retrieve the wireless network password, and so by the time I open seahorse I've already authenticated with gnome-keyring. -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue has been reported Upstream. You can track the status and make comments here: http://bugzilla.gnome.org/show_bug.cgi?id=551036 ** Bug watch added: GNOME Bug Tracker #551036 http://bugzilla.gnome.org/show_bug.cgi?id=551036 ** Also affects: seahorse via http://bugzilla.gnome.org/show_bug.cgi?id=551036 Importance: Unknown Status: Unknown ** Changed in: seahorse (Ubuntu) Assignee: (unassigned) => Ubuntu Desktop Bugs (desktop-bugs) Status: Confirmed => Triaged -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
** Changed in: seahorse Status: Unknown => New -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
GNOME is probably not going to fix this - it's not just the GNOME Way. I'd like to see Ubuntu address this, though. Today, if I walk up to any Ubuntu user's unlocked computer I can see any of their passwords in just a few keystrokes: Super + P + A + S + Enter starts Seahorse, then I can double click any password I want and click Show Password. From the comments above, I can see I'm not alone in being wary of this. Ubuntu, would you take a patch to require the user to enter their login password to use the Show Password feature? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/189774/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
I just placed a bounty on this bug at Bountysource: https://www.bountysource.com/issues/3849352-seahorse-shows-passwords- without-verification It will be paid to anyone who provides a patch that Ubuntu accepts. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/189774/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Yes Adam, it looks like something having a distro patch for seems reasonable ** Changed in: seahorse (Ubuntu) Assignee: Ubuntu Desktop Bugs (desktop-bugs) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/189774/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
I concur with Igor's last comment. I've recently started using an extension for Mozilla Firefox which integrates Firefox's password cache with the GNOME keyring and I was shocked to find that one could open seahorse and browse all of the passwords therein (within any unlocked keyring; I use the default login keyring) as plain text. It's one thing to unlock a key ring and allow a programme to access these passwords for the entire session (though it would be nice to see options to re-lock a keyring after x minutes and/or every time the screen locks), it's quite another to allow any interloper to access those passwords as plain text. I hope that this gets fixed soon. This seems like a fairly old/established bug, and one would have hoped a security issue like this would have been fixed by now. I don't mean to be patronising, condescending or a back-seat driver mind. I was just startled that such an obvious security hole existed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/189774/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
For anyone who's interested, have a look at this thread: http://ubuntuforums.org/showthread.php?t=1302342 -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
This is my idea to solve the problem quoted from the forums; he way I see it Ubuntu is almost there, seahorse does ask permission just no confirmation. And we do have the tools like gconf. And policykit, witch can handle non-root permissions and IMO is way under used. Here's my idea, create a sane list of default apps that can access seahorse. The ability to change that list through gconf, and permission checks through policykit for unexpected apps, changing info or viewing passwords. And finally come up with a unified personal security policy for the desktop as a whole. (See above post 182; you need your password to change your password and about me does not display clear text.) -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
@Corey: that sounds great to me. Perhaps you should add your comments to the gnome-bug (https://bugzilla.gnome.org/show_bug.cgi?id=551036)? It's a Gnome issue and I think the Ubuntu devs are waiting for it to be solved upstream. -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Have a patch here; how do you want it? All of the documentation I see for distro patches uses Bazaar, and this definitely isn't making it upstream. Attached output of `git format-patch`, let me know if you want something else. ** Patch added: "0001-Require-login-password-to-view-plaintext-secrets.patch" https://bugs.launchpad.net/ubuntu/+source/seahorse/+bug/189774/+attachment/4690242/+files/0001-Require-login-password-to-view-plaintext-secrets.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/189774/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
The attachment "0001-Require-login-password-to-view-plaintext- secrets.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.] ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/189774/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
I agree with comment #21 This is a high risk security issue, please do something about it. Keyring should have a sudo password or a master password like firefox has to view stored passwords. My opinion is that it's logical to have this. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
When i mean logical, i point to the comment #3 "... even if the keychain is unlocked." -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
I am digging a hole here. I would like to stop, so i want to say this is a wish, not to see passwords in plain text when the keyring is unlocked, but to be able to see them when a master password is typed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
I don't agree with Comment #20: * The problem exists sice 2 years * The importance is more than medium: eg. in case of a vpn password, a single signon corporate password is showed! * So it is a HIGH RISK SECURITY ISSUE and the UBUNTU TEAM should ATTENT TO THAT PROBLEM (patch itself or replace the Seahorse UI)!!! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Indeed. I want also to stress that this is a very serious security issue (e.g. when working in environments with multiple working people, in the train, etc). Before ending here, I just figured out that I could display my login passwd in seahorse without any security barrier as well. It basically takes 10 secs for anybody to read one's login passwd in clear text. Please do something !!! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Current seahorse security bug: http://goo.gl/6oF7f -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
** Changed in: seahorse Importance: Unknown => Medium -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
I've noticed this problem also with Ubuntu 10.04 I don't know the motivations about the choose, but I think it is dangerous because a lot of password are used for many services. Think people that have got hotmail account, with the same password you could open your msn account and your email account... I hope that this will change in a few time. Sorry for my English Regards Antonio -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Yes, please make seahorse ask again for the keyring-passwort befor showing all passworts, really ALL PASSWORTS, in plaintext ! -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
PLEASE... the next person who wants to add a comment of consolidarity here. DON'T. This log has been TRIAGED. This means that the bug has been posted to the website responsible for developing this software. If you agree that this is important... then take the time to post it on their website. Posting it here, won't have any effect on getting it done. http://bugzilla.gnome.org/show_bug.cgi?id=551036 -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
from a theoretical, scientific, cryptographical point of view it might be (and probably is) no problem to display the passwords without restriction once the keyring has been unlocked as anyone really interested can retrieve them anyways. not having to retype the password[1] dramatically lowers the amount of both knowledge and malice needed, however. contra: having to retype the password might create the false illusion of a security and users might believe passwords are secure when they are not. pro: on the other hand, it might stop your buddy from looking at all your passwords when you show him the wlan password he needs when your kids playing in the same room accidentally throw a basketball against your chair, a leg breaks, you fall down, spill your cup of coffee. now you go to the kitchen to clean up the mess, to the bathroom to clean up some more mess and change clothes. and then you remember: "damn! i forgot to lock the keyring..." this user story is purely fictional. i don't even have kids :) but i think having to enter your password before displaying passwords in plain text (or not allowing that at all) would stop most opportunistic/accidental password leakage. [1] the keyring manager in firefox uses this approach and i think is a sound approach... -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
I'm in agreement with comments #6 and #12. This is a VERY serious security issue. The quick allow dialog protects the passwords stored in the wallet from network intruders or malware, but if someone happens to have access to your computer when you forget to lock the screen, they can easily see all of your passwords in plain text. I'm personally not opposed to the ability to see these passwords once you've gained access, but for security it is critical that this access be protected by a password prompt even if the keyring has been unlocked. There is a big difference between allowing a program to access a stored password with the quick allow dialog, and giving a user access to the full list of passwords in plain text. Having a quick allow dialog in this context is a major oversight, and IMHO it should be considered a serious bug. -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
RULE NÂș1 IN SECURITY: Never, never, never store or display passwords in plaintext. Seriously devs, are you joking? Give someone the possibility of read all my passwords in plaintext while I'm in the toilet is a feature? Oh my god... -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
I think so too! It's very unsafe! It is not better than the sticker with passwords on your monitor! Sorry for my English =( -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Thank you for taking the time to report this bug and helping to make Ubuntu better. It appears as this isn't a bug though... If you are prompted to enter a password (or allowed to choose to always allow access to the keyring) then you will be able to access the wireless password without anymore prompts. ** Changed in: seahorse (Ubuntu) Status: New => Invalid -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Perhaps the dialog granting a program the right to read a password should require you to confirm with the master password, even if the keychain is unlocked. As of now, all you have to do is click a button - seems like the barrier is too low. -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
it's a wishlist bug and confirmed in comment #3 ** Changed in: seahorse (Ubuntu) Importance: Undecided => Wishlist Status: Invalid => Confirmed -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Okay, didn't know what triaged meant. I've posted my comments on the bugzilla bug for GnomeKeyring. -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
I see this as a VERY serious security flaw!
Given that Empathy Instant Messenger is going to be the default
messenger in the next Ubuntu Release, I thought I'd check it out. While
setting up my gmail and msn accounts I noticed that it was saving the
passwords in the public keyring. It was also giving the familiar
quickAllow ("Deny","Allow Once", "AllowAll") dialog when starting up the
program and connecting to these accounts. No prompting for any password
to protect the keyring.
Given that this was being stored in a public keyring, I wanted to see
how easy it was to find these password. I open up sea horse, and hey
presto! My passwords to gmail and msn are available for all to see for
someone who might be strolling around my workstation/laptop while i'm
not there, (if I forget to log out or lock)... using the quickAllow
dialog.
Now if someone finds my wireless network key, I don't really care in the
scheme of things, even if they use my network to commit bad acts, it
happens often enough that I'm unlikely to be penalized. However! I and
most people have very sensitive information in our webmail accounts and
easy access to them is definitely something I'd like to avoid.
It looks like the quickAllow dialog is from some common library that
both applications call into. Please can this prompt for a password, the
same way as critical updates do!!!
Thank you.
--
seahorse shows passwords without verification
https://bugs.launchpad.net/bugs/189774
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Apparently it is a "design decision" and therefore not a bug. -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
My view is that this as a very serious design flaw. The bottom line is that passwords should never be displayed in plain text by any application, for any reason. -- seahorse shows passwords without verification https://bugs.launchpad.net/bugs/189774 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Is this underway, or what? First reported *eight years ago*, last update one year ago, and right now I can still open seahorse and see plaintext of all my passwords. How hard can it be to do exactly what Chrome or many other implementations do, and just ask for a master password before allowing the user to view the plaintext of saved passwords? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/189774/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 189774] Re: seahorse shows passwords without verification
Sorry, the "how hard can it be" phrasing is bit snarky. Just a bit disappointed that after eight years no time has been made for this. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/189774 Title: seahorse shows passwords without verification To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/189774/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
