https://bugs.documentfoundation.org/show_bug.cgi?id=104992
Bug ID: 104992
Summary: Unintended information disclosure via Safe Mode
Product: LibreOffice
Version: 5.4.0.0.alpha0+ Master
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: critical
Priority: medium
Component: framework
Assignee: libreoffice-bugs@lists.freedesktop.org
Reporter: kelem...@ubuntu.com
I got a bit worried about the possibility of unintended information disclosure
via Safe Mode.
Safe Mode gives an option to create a backup of the whole user profile, which
can be uploaded to this Bugzilla.
Although the user is warned on the UI like this:
"You can also include relevant parts of your user profile in the bugreport (be
aware it might contain personal data)."
I don't think this warning alone is enough. Scrubbing the sensitive data would
be a minimum.
In a test profile I set up a master password, a CMIS service, and a mail
account for mail merge, and all their data is included in the zip, for "further
analysis". In particular I see:
<item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FilePickerPlacesNames" oor:op="fuse"><value><it>WebDAV - CENSORED</it></value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FilePickerPlacesUrls" oor:op="fuse"><value><it>https://CENSORED.gov.hu:443/</it></value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Passwords"><prop oor:name="HasMaster" oor:op="fuse"><value>true</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Passwords"><prop oor:name="Master" oor:op="fuse"><value>nehbfmdepkkdhbfjjflielklejpgjdbdgkpnnkcjglhimnnlmjfkbbdneplcipkclg</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Passwords/Store"><node oor:name="https_3a_2f_2fCENSORED2egov_2ehu_2f__kelemeng" oor:op="replace"><prop oor:name="Password" oor:op="fuse"><value>CENSORED</value></prop></node></item>
So an attacker can know I have access to CENSORED.gov.hu with user kelemeng.
Also my master password's hash, and the password's hash for
kelem...@censored.gov.hu.
Also bug #96672 is still not fixed, so you can have all my mail details
including the password, in plain text:
<item oor:path="/org.openoffice.Office.Writer/MailMergeWizard"><prop oor:name="MailAddress" oor:op="fuse"><value>kelem...@ubuntu.com</value></prop></item>
<item oor:path="/org.openoffice.Office.Writer/MailMergeWizard"><prop oor:name="MailDisplayName" oor:op="fuse"><value>Gabor Kelemen</value></prop></item>
<item oor:path="/org.openoffice.Office.Writer/MailMergeWizard"><prop oor:name="MailPassword" oor:op="fuse"><value>lofasznehogymatevagyabladerunner</value></prop></item>
<item oor:path="/org.openoffice.Office.Writer/MailMergeWizard"><prop oor:name="MailServer" oor:op="fuse"><value>smtp.gmail.com</value></prop></item>
<item oor:path="/org.openoffice.Office.Writer/MailMergeWizard"><prop oor:name="MailUserName" oor:op="fuse"><value>censo...@gmail.com</value></prop></item>
Finally my personal details from the Options - User Data panel, which I might
want to share with people I share documents with, but probably not with the whole
world:
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="c" oor:op="fuse"><value>Hungary</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="facsimiletelephonenumber" oor:op="fuse"><value>foo</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="fathersname" oor:op="fuse"><value></value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="givenname" oor:op="fuse"><value></value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="homephone" oor:op="fuse"><value>foo</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="initials" oor:op="fuse"><value>GK</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="l" oor:op="fuse"><value>foo</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="mail" oor:op="fuse"><value></value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="o" oor:op="fuse"><value>ACME INC</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="position" oor:op="fuse"><value>foo</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="postalcode" oor:op="fuse"><value>foo</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="sn" oor:op="fuse"><value>Gabor Kelemen</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="st" oor:op="fuse"><value>foo</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="street" oor:op="fuse"><value>foo</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="telephonenumber" oor:op="fuse"><value>foo</value></prop></item>
<item oor:path="/org.openoffice.UserProfile/Data"><prop oor:name="title" oor:op="fuse"><value>foo</value></prop></item>
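The scrubbing the report asks for, sketched as an added example (not LibreOffice code and not part of the original report): a pass over a profile's registry modifications XML that blanks the values under the configuration paths quoted above before the profile is shared. The deny-list, the function name scrub and the sample input are assumptions made for this example; the sample values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

OOR = "http://openoffice.org/2001/registry"
ET.register_namespace("oor", OOR)
PATH, NAME = f"{{{OOR}}}path", f"{{{OOR}}}name"
MARK = "REDACTED"

# Assumed deny-list, built only from the items quoted in the report.
SENSITIVE_PREFIXES = (
    "/org.openoffice.Office.Common/Passwords",
    "/org.openoffice.Office.Writer/MailMergeWizard",
    "/org.openoffice.UserProfile/Data",
)
SENSITIVE_PROPS = {
    ("/org.openoffice.Office.Common/Misc", "FilePickerPlacesNames"),
    ("/org.openoffice.Office.Common/Misc", "FilePickerPlacesUrls"),
}

# Constructed sample input; every value is a placeholder.
SAMPLE = f"""<oor:items xmlns:oor="{OOR}">
<item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="UseSystemFileDialog" oor:op="fuse"><value>false</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FilePickerPlacesUrls" oor:op="fuse"><value><it>https://files.example.invalid:443/</it></value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Passwords/Store"><node oor:name="https_3a_2f_2ffiles_2eexample_2einvalid_2f__alice" oor:op="replace"><prop oor:name="Password" oor:op="fuse"><value>placeholder-hash</value></prop></node></item>
<item oor:path="/org.openoffice.Office.Writer/MailMergeWizard"><prop oor:name="MailPassword" oor:op="fuse"><value>placeholder-secret</value></prop></item>
</oor:items>"""

def scrub(xcu_text):
    """Return (scrubbed_xml, redacted); redacted lists (path, prop name) pairs."""
    root = ET.fromstring(xcu_text)
    redacted, nodes = [], 0
    for item in root.iter("item"):
        path = item.get(PATH, "")
        by_prefix = path.startswith(SENSITIVE_PREFIXES)
        if by_prefix:
            for node in item.iter("node"):  # Store node names encode URL and user
                nodes += 1
                node.set(NAME, f"{MARK}-{nodes}")
        for prop in item.iter("prop"):
            name = prop.get(NAME, "")
            if not (by_prefix or (path, name) in SENSITIVE_PROPS):
                continue
            for value in prop.iter("value"):
                for child in list(value):   # drop <it> list entries
                    value.remove(child)
                value.text = MARK
            redacted.append((path, name))
    return ET.tostring(root, encoding="unicode"), redacted

if __name__ == "__main__":
    print(scrub(SAMPLE)[0])
```

A deny-list only covers paths someone has already identified as sensitive, so any setting not listed passes through unchanged.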