From a security PoV this is basic security by obscurity and effectively pointless: they are simply XORing each byte with a fixed value and then base64 encoding it. Since the source code is public, anyone can easily find this out and hence easily decode it. The only way to do this securely would be to have the DBus peers negotiate a session key and encrypt it properly using this, so I don't think there is any point adding this faux-encryption in this case.
-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to evolution-data-server in
Ubuntu.
https://bugs.launchpad.net/bugs/1828124

Title:
  org.gnome.evolution.dataserver.Source completely unveils account
  credentials in plain text while using dbus-monitor

Status in evolution-data-server:
  New
Status in evolution-data-server package in Ubuntu:
  Triaged

Bug description:
  Steps to reproduce:
  1. Install Ubuntu 16.04 LTS
  2. Install Evolution
  3. Set up Google account with default settings (this will end with e-mail and calendar)
  4. Reboot
  5. Open evolution Calendar and/or indicator-datetime
  6. Launch `dbus-monitor`

  Expected results:
  * Evolution does not show account credentials in plain text in `dbus-monitor` output

  Actual results:
  * Evolution shows account credentials in plain text in `dbus-monitor` output:

  method call time=1557268474.383095 sender=:1.74 -> destination=:1.40 serial=939 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
     ]
  method return time=1557268474.383686 sender=:1.40 -> destination=:1.74 serial=366 reply_serial=939
  signal time=1557268474.389206 sender=:1.40 -> destination=(null destination) serial=367 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
     ]
  signal time=1557268520.956861 sender=:1.40 -> destination=(null destination) serial=408 path=/org/gnome/evolution/dataserver/SourceManager/Source_19; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]
  signal time=1557268520.960443 sender=:1.40 -> destination=(null destination) serial=409 path=/org/gnome/evolution/dataserver/SourceManager/Source_18; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]
  signal time=1557268520.964374 sender=:1.40 -> destination=(null destination) serial=410 path=/org/gnome/evolution/dataserver/SourceManager/Source_20; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]

  -----

  This is a huge security flaw. A malicious script can parse `dbus-monitor` output...

  Not sure about more recent Ubuntu and Evolution versions.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: evolution-data-server-common 3.18.5-1ubuntu1.1
  ProcVersionSignature: Ubuntu 4.4.0-143.169-generic 4.4.170
  Uname: Linux 4.4.0-143-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.18
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed May 8 01:40:27 2019
  InstallationDate: Installed on 2018-01-04 (488 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  PackageArchitecture: all
  SourcePackage: evolution-data-server
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/evolution-data-server/+bug/1828124/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
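The two points made in this thread, that any process on the session bus can scrape the Authenticate arguments out of `dbus-monitor` output, and that XORing each byte with a fixed value and base64-encoding it would not stop that, can both be shown in a few lines. The following is an added example written for this page; it is not code from the bug thread or from evolution-data-server. The `dbus-monitor` text is a constructed sample trimmed from the output quoted in the report, the parser is a hypothetical one that only handles the line shapes seen there, and the XOR byte `0x5A` is an assumption (the thread never states which value was proposed).

```python
import base64
import re
import string

# Constructed sample: two of the messages quoted in the bug report, laid out
# the way dbus-monitor prints them (one header line, then indented arguments).
SAMPLE_DBUS_MONITOR = """\
method call time=1557268474.383095 sender=:1.74 -> destination=:1.40 serial=939 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
   array [
      string "password:myrealpassword"
      string "ssl-trust:"
   ]
method return time=1557268474.383686 sender=:1.40 -> destination=:1.74 serial=366 reply_serial=939
signal time=1557268520.956861 sender=:1.40 -> destination=(null destination) serial=408 path=/org/gnome/evolution/dataserver/SourceManager/Source_19; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
   array [
      string "password:myrealpassword"
      string "ssl-trust:"
      string "username:real@email"
   ]
"""

MESSAGE_RE = re.compile(r"^(method call|method return|signal|error)\b")
PATH_RE = re.compile(r"path=(\S+?);")
MEMBER_RE = re.compile(r"member=(\S+)")
STRING_RE = re.compile(r'^\s*string "(.*)"$')


def parse_dbus_monitor(text):
    """Split dbus-monitor text into records of (member, path, string args).

    Hypothetical minimal parser: a header line starts a record, indented
    'string "..."' lines are attached to the most recent record.
    """
    records = []
    current = None
    for line in text.splitlines():
        if MESSAGE_RE.match(line):
            member = MEMBER_RE.search(line)
            path = PATH_RE.search(line)
            current = {"member": member.group(1) if member else None,
                       "path": path.group(1) if path else None,
                       "strings": []}
            records.append(current)
            continue
        m = STRING_RE.match(line)
        if m and current is not None:
            current["strings"].append(m.group(1))
    return records


def extract_credentials(text, members=("InvokeAuthenticate", "Authenticate")):
    """Return {object path: {label: value}} for every 'label:value' argument of
    the authentication messages. This is all a hostile process on the same
    session bus has to do with what dbus-monitor shows it."""
    creds = {}
    for rec in parse_dbus_monitor(text):
        if rec["member"] not in members:
            continue
        entry = creds.setdefault(rec["path"], {})
        for s in rec["strings"]:
            label, sep, value = s.partition(":")
            if sep:
                entry[label] = value
    return creds


XOR_KEY = 0x5A  # assumption: the thread does not say which fixed byte was proposed


def obfuscate(secret, key=XOR_KEY):
    """The scheme the comment describes: XOR every byte with one fixed value,
    then base64-encode the result."""
    return base64.b64encode(bytes(b ^ key for b in secret.encode())).decode()


def deobfuscate(blob, key):
    return bytes(b ^ key for b in base64.b64decode(blob)).decode("latin-1")


def recover_key(blob, known_prefix="password:"):
    """Known-plaintext recovery: every Authenticate argument starts with a
    predictable label, so a single known byte pins the key. The rest of the
    prefix is checked to rule out a false match."""
    raw = base64.b64decode(blob)
    key = raw[0] ^ known_prefix.encode()[0]
    if bytes(b ^ key for b in raw[:len(known_prefix)]) == known_prefix.encode():
        return key
    return None


def printable_candidates(blob):
    """Without any known prefix there are only 256 keys to try; keep the ones
    that decode to printable text. The real key is always among them."""
    raw = base64.b64decode(blob)
    ok = set(string.printable.encode())
    return [k for k in range(256) if all((b ^ k) in ok for b in raw)]


def main():
    for path, entry in extract_credentials(SAMPLE_DBUS_MONITOR).items():
        print(path, entry)
    blob = obfuscate("password:myrealpassword")
    key = recover_key(blob)
    print("obfuscated:", blob, "recovered key:", hex(key),
          "plaintext:", deobfuscate(blob, key))
    print("printable candidates without a known prefix:", len(printable_candidates(blob)))


if __name__ == "__main__":
    main()
```

The parser is deliberately tied to the text format `dbus-monitor` prints, since that is the tool the report names; the same scrape is even easier with a bus library subscribing to the `Authenticate` signal directly, because that signal has no destination and is delivered to any connection that asks for it. The XOR half shows why the comment calls the proposal faux-encryption: the key is recovered from one labelled argument, and even blind brute force is a 256-entry loop.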