Star Insecure Passwords on Gaim/Pidgin
Linked by Eugenia Loli-Queru on Wed 23rd May 2007 00:46 UTC
Privacy, Security, Encryption Today, while I was trying to create a SIP Presence account for VoIPBuster, Pidgin kept crashing. I had to find its settings in my personal folder in order to manually edit the accounts.xml file and remove the entry (so Pidgin could start up again normally instead of keep crashing on load). When I opened the accounts.xml file with a plain text editor, all the passwords of all my accounts were listed out in the open in plain text. This is not a new issue, it was discussed many times before, but it can still be a surprise for most users.
E-mail Print r 0   · Read More · 106 Comment(s) http://osne.ws/dv0
Thread beginning with comment 242527
To read all comments associated with this story, please click here.
VManOfMana
by VManOfMana on Wed 23rd May 2007 02:36 UTC
VManOfMana
Member since:
2006-11-01

I don't really see what is the point you are trying to bring in here.

This is not a security problem where someone on the outside can gain access to your computers or data like we see in web browser security threats and the like. From the OSNews description, the problem is that the password information is stored locally in an insecured way, but that does not mean that they are exposed to the outside. You are safe while you don't let someone else use your computer or get access to it thru another application's security hole (which can or cannot be an open source application). Looking at the Pidgin code will reveal where the file is written, how it is written, and how it is parsed, but it is no way a gateway to access the file's data.

The fact that the passwords are stored in an non-encrypted file is a problem, but do not make things up by spinning the whole thing.

Reply Bookmark Score: 5

RE: VManOfMana
by rhyder on Wed 23rd May 2007 06:41 in reply to "VManOfMana"
rhyder Member since:
2005-09-28

In all fairness, I suppose there is a class of casual snooper who might walk over to someone's workstation and look in the settings file to try and get some passwords.

If someone had ten minutes to snoop around, having the passwords ROT13ed might protect you. If someone with the technical skills has physical access to your machine for as long as they need, simple ROT13 wont be enough to deter them.

As it it stands, with that program, anyone who has the sense to walk over to the machine and do a text search on all files for the word "password" is going to hit gold.

Reply Parent Bookmark Score: 3