I see this as a VERY serious security flaw!

Given that Empathy Instant Messenger is going to be the default
messenger in the next Ubuntu Release, I thought I'd check it out. While
setting up my Gmail and MSN accounts I noticed that it was saving the
passwords in the public keyring. It was also giving the familiar
quickAllow ("Deny", "Allow Once", "AllowAll") dialog when starting up the
program and connecting to these accounts. No prompting for any password
to protect the keyring.

Given that this was being stored in a public keyring, I wanted to see
how easy it was to find these passwords. I opened up Seahorse, and hey
presto! My passwords to Gmail and MSN are available for all to see for
someone who might be strolling around my workstation/laptop while I'm
not there (if I forget to log out or lock)... using the quickAllow
dialog.

Now if someone finds my wireless network key, I don't really care in the
scheme of things, even if they use my network to commit bad acts, it
happens often enough that I'm unlikely to be penalized. However! I and
most people have very sensitive information in our webmail accounts and
easy access to them is definitely something I'd like to avoid.

It looks like the quickAllow dialog is from some common library that
both applications call into. Please can this prompt for a password, the
same way as critical updates do!!!

Thank you.

-- 
seahorse shows passwords without verification
https://bugs.launchpad.net/bugs/189774
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
