Hello everybody, I have been wondering for some time now, why the account manager lets account passwords be exported to all applications over dbus? Hasn't anybody ever thought this is a security risk? I think that in this way, it is too easy for a malicious application to get the password and do nasty things with private data.
Let's consider some possible scenarios. Let's suppose that you use the same password everywhere. A malicious application on your computer wants to gain access to your computer as root, so it connects to dbus, gets the password from the account manager and it has access to anything. Even if you don't use the same password for your root account, most IM accounts have an email address associated with them that uses the same password. Let's suppose that there is a spyware/trojan running on your computer; it gets the password and then it can use your email account for anything you can imagine. One even more common case (as I have seen it happening with windows live messenger) is the case where some adware gets the password and then connects to your IM account and starts sending spam to all your contacts (well, with telepathy this can also be done without getting the password, but at least it will not cause any harm to private data...).

Of course you could argue that on unix systems the chance of getting such malicious software running on your computer is very low, but what about windows? Telepathy also runs (or should run) under windows, so that is perfectly possible. And it is even easier if you have some dbus tools installed in your PATH. For example, let's say you have installed Qt. Then you have this cool "qdbus" tool in your PATH, which is the easiest way to get a password. For example, I can get my password with:

    $ qdbus org.freedesktop.Telepathy.AccountManager /org/freedesktop/Telepathy/Account/gabble/jabber/kiagiadakis_2egeorge_40gmail_2ecom0 Get org.freedesktop.Telepathy.Account Parameters | grep password

And this utility of course also runs under windows and is included in the default kde-windows installations (which concerns me as a KDE developer)... No other program I know exports passwords like that. And I wonder what the purpose of saving the passwords in gnome-keyring is if mission-control can get them out of the keyring and give them to anybody...
You could also argue that telepathy is not safe anyway, as everything is exported on dbus and any malicious application can do all kinds of strange things. But there is a difference. Having access to program functionality is not a security risk. When a malicious application starts calling random functions, the application may start behaving weird or crash, but at least data will be safe. Having access to a password possibly grants the attacker access to private and possibly important data, which is more serious than an application crashing. At least that's my opinion.

Proposed solution:
-----------------------------

My proposed solution to this problem is to make the password parameter write-only. Nobody needs to read the password from the account manager. The account management GUI needs to set or change the password (which means write only), and the account manager then needs to pass this password to a connection manager in order to put it online. The account manager has access to the password internally anyway and nobody else needs to be able to read the password. This should make things much safer. And in the future, if needed, we could have access to the password from gnome-keyring / kwallet directly, as afaik they are going to develop a common dbus-based API so that they are interchangeable.

What do you think?

Best regards,
George

_______________________________________________
telepathy mailing list
telepathy@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/telepathy
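The write-only password parameter proposed above, as an added illustration that is not Telepathy or Mission Control code: the `Account` class is a stand-in for one org.freedesktop.Telepathy.Account object, the method names and the `SECRET_PARAMETERS` set are assumptions, and the sample parameters are constructed.

```python
"""Model of the write-only password parameter proposed for the Telepathy
account manager.  Added example, not Telepathy code: Account is a stand-in
for one org.freedesktop.Telepathy.Account object; the real D-Bus API differs."""

# Parameter names treated as write-only secrets.  Assumption: connection
# managers name the secret parameter "password" as in the qdbus example.
SECRET_PARAMETERS = frozenset({"password"})


class Account:
    """Stand-in for one Account object inside the account manager process."""

    def __init__(self, parameters):
        # Full parameter set, secrets included; never leaves this process.
        self._parameters = dict(parameters)

    def get_parameters(self):
        """What a Get on the Parameters property returns over D-Bus:
        every parameter except the write-only secrets."""
        return {k: v for k, v in self._parameters.items()
                if k not in SECRET_PARAMETERS}

    def update_parameters(self, changes):
        """Write side used by the account GUI: secrets may be set or changed
        here, but the reply only ever carries the non-secret parameters."""
        self._parameters.update(changes)
        return self.get_parameters()

    def parameters_for_connection_manager(self):
        """Internal path: the account manager hands the complete set,
        secrets included, to the connection manager to go online."""
        return dict(self._parameters)


def exposed_secrets(bus_parameters):
    """Audit helper: given a Parameters dict as read over the bus, return
    the names of any secret parameters that were readable."""
    return sorted(k for k in bus_parameters if k in SECRET_PARAMETERS)


# Constructed sample parameters for an imaginary jabber account.
SAMPLE = {"account": "alice@example.org", "server": "xmpp.example.org",
          "password": "constructed-secret"}

if __name__ == "__main__":
    acct = Account(SAMPLE)
    print(exposed_secrets(SAMPLE))                 # current behaviour: ['password']
    print(exposed_secrets(acct.get_parameters()))  # write-only parameter: []
```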