Today, while I was trying to create a SIP Presence account for VoIPBuster, Pidgin kept crashing. I had to find its settings in my personal folder in order to manually edit the accounts.xml file and remove the entry (so Pidgin could start up again normally instead of keep crashing on load). When I opened the accounts.xml file with a plain text editor, all the passwords of all my accounts were listed out in the open in plain text. This is not a new issue, it was discussed many times before, but it can still be a surprise for most users.Sean Egan, primary developer of Gaim/Pidgin replied:
“Here is the official response: basically if people are snooping around your personal configuration files, you probably have bigger problems than your IM passwords.
That said, there have been a few mailing list threads and even patches about it, which you can find with some Googlng.. You may additionally add that we have no problems at all accepting a patch that would encrypt passwords with a keyring, but are very much against tying to any one particular keyring implementation, a requirement nobody has managed yet to meet.
This is the beginning of the most recent thread on the issue. If you want a quote from me, please quote me from there, especially the “Certainly, if done right, nobody objects to this feature,” line :)”
While on Linux this might not be a major concern as there isn’t enough malware (even if Pidgin does not use the Gnome keychain to authenticate as it’s available at least on Ubuntu), this can be a huge problem in the Windows world. Now, this is not necessarily worse than malware reading cookies just about as easily from web browsers, but still, some encryption should be present to at least protect us from the less… capable malware or even admins who snoop on their user’s PCs, or users who allow fellow-workers to use their PC under the same user account (this happens rather often for a variety of reasons, especially in marketing environments where companies don’t have enough licenses for expensive graphics software for all their PCs). A quick look at Miranda and Trillian showed that both of these apps are encrypting their passwords.
Jabber enthusiast and hacker Robert Quattlebaum (also known for Synfig) tells us that “I agree that some minimal encoding should be performed to prevent shoulder snooping if the contents of those files were displayed. ROT13 would be adequate. [But] adding something more complicated that still doesn’t authenticate the user is just going to give you a false sense of security.”
We can only hope that at least for the Unix version Sean will accept the Gnome-Keyring patch, and for Windows he will at least employ some form of encryption in the next version of Pidgin.