Shame on Pidgin - Plain Text Passwords
Today I was going through my list of files to back up on my Linux laptop, removing temporary and cache files, when I came across a directory that I didn't recognize. The files were listed as changed within the last 3 days:

changed .purple
changed .purple/accels
changed .purple/accounts.xml
changed .purple/blist.xml
changed .purple/prefs.xml
changed .purple/status.xml
It turns out they belong to Pidgin, the extremely popular Instant Messaging client. Ok, I use that – fine. But my curiosity got the best of me and I looked at the accounts.xml file. Obviously it is an XML file, but I was shocked to discover the following account entry (values modified for my protection; the element names are Pidgin's own):

    <account>
        <protocol>prpl-jabber</protocol>
        <name>admin-userid@example.com/Admin</name>
        <password>some-really-complex-password-with-lots-of-special-characters-in-clear-text</password>
        <alias>admin</alias>
    </account>

The password isn't encrypted. Not at all! It sits in the file exactly as you typed it into the account dialog.

This is unacceptable.
There is an encryption plugin for Pidgin, but it encrypts the IM conversations, not the stupid passwords. This is just crazy. Heck, there are ROT13 methods and trivial 2-way password encrypt/decrypt methods which could be used if necessary. To be fair, any such scheme is obfuscation rather than encryption: in an open-source program with no user-supplied secret, whoever has the file also has the code that reverses it. It would stop a casual glance at the file, not an attacker who has already copied it.

The Pidgin wiki has a page explaining this position. I have to admit, they do have a point, but I still disagree with it. At least they do set the directory permissions to 700 and the file permissions to 600 (owner only). But those permissions only protect the file on the machine it lives on. Once ~/.purple is swept up into a backup on another system, a sync folder, or a disk image, the password travels with it, and whether the 600 mode survives depends entirely on the backup tool and the destination filesystem. That doesn't help with my backups placed on another system, does it?
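The practical check, given the above, is to audit a home directory or a backup tree for .purple/accounts.xml files that still carry a password element and to flag any copy whose mode has become wider than 0600. The script below is an added example for this post; it is not Pidgin's code or the original author's. It assumes the accounts.xml layout shown above (nested account elements with protocol, name and password children), and the sample file it writes is constructed for the demonstration. Passwords found are reported masked, never printed in full.

```python
"""Audit Pidgin accounts.xml files for stored plain-text passwords.

Added example, not code from the original post or from the Pidgin project.
Assumes the layout the post shows: <account> elements with <protocol>, <name>
and <password> children. The sample file below is constructed for the demo.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample; the jabber account mirrors the (sanitised) entry in the post.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>admin-userid@example.com/Admin</name>
    <password>hunter2-example-only</password>
    <alias>admin</alias>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>someone@irc.example.net</name>
    <alias>someone</alias>
  </account>
</account>
"""


@dataclass
class Finding:
    path: str
    protocol: str
    name: str
    password_stored: bool
    password_hint: str  # first and last character only, never the full secret
    mode_ok: bool       # True when no group/other permission bits are set


def mask(secret: str) -> str:
    """Keep only the first and last character so a report can be shared safely."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return f"{secret[0]}{'*' * (len(secret) - 2)}{secret[-1]}"


def permissions_ok(path: str) -> bool:
    """0600 or tighter: no read/write/exec bits for group or other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def audit_accounts_xml(path: str) -> list[Finding]:
    """Return one Finding per <account> child of the root element."""
    root = ET.parse(path).getroot()
    mode_ok = permissions_ok(path)
    findings = []
    for acct in root.findall("account"):
        pw = acct.findtext("password")
        findings.append(Finding(
            path=path,
            protocol=acct.findtext("protocol", default="?"),
            name=acct.findtext("name", default="?"),
            password_stored=bool(pw),
            password_hint=mask(pw) if pw else "",
            mode_ok=mode_ok,
        ))
    return findings


def audit_tree(top: str) -> list[Finding]:
    """Walk a directory (a backup tree, say) and audit every .purple/accounts.xml."""
    out = []
    for dirpath, _dirs, files in os.walk(top):
        if os.path.basename(dirpath) == ".purple" and "accounts.xml" in files:
            out.extend(audit_accounts_xml(os.path.join(dirpath, "accounts.xml")))
    return out


def make_sample_tree(mode: int = 0o644) -> str:
    """Write the constructed sample into a temp dir, simulating a backup copy
    that lost its 0600 mode (the default here) or kept it (pass 0o600)."""
    top = tempfile.mkdtemp()
    purple = os.path.join(top, ".purple")
    os.mkdir(purple)
    path = os.path.join(purple, "accounts.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ACCOUNTS_XML)
    os.chmod(path, mode)
    return top


if __name__ == "__main__":
    for f in audit_tree(make_sample_tree(0o644)):
        status = "PLAINTEXT " + f.password_hint if f.password_stored else "no password stored"
        perms = "" if f.mode_ok else " (file readable by group/other!)"
        print(f"{f.path}: {f.protocol} {f.name}: {status}{perms}")
```

Point audit_tree at the root of a restored backup to see which accounts would be exposed to anyone who can read that backup; the jabber entry is reported as plain text and, with the 0o644 default, as world-readable, while the irc entry without a password element is reported clean.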
Hey, checking out your blog... O.o I'm a little angry about this! I go to a lot of trouble to keep my personal email and my passwords secret, and to have such easy access?? Why, anyone could find this file and thus my password! I'm just glad I change it every so often, and never use the same password for any sensitive account. x-( Thanks for the heads up!
Jrobb/dreadpirate15
Just to be clear, the XML file permissions are configured by default so only the user can see them, but anyone with admin rights on the system could look if they wanted.
The Pidgin guys figure that since IM usually goes over unencrypted channels, there's no need to be too concerned about this password. The password's security is compromised outside their control already. They do have a point.
My company runs an internal IM server. We only allow access over SSL connections, but since the IM login uses LDAP authentication for the users, any compromise will allow access to every system to which the user has access, after they get onto the VPN (which uses a different scheme completely).
Actually the reason I heard was that there's no point in an unchanging encryption method in an open source program. Like the encrypted-chat plugins, if you want to you can secure your passwords.
So I was trying a few new, lighter email clients recently. I use Thunderbird most of the time, but it has some behaviors that I don’t like.
On the N800, I use Claws-Mail, so I set that up with both home and work IMAPS email accounts. It is designed to be fast and keyboard friendly. I looked through the accountrc file and saw the password field is encrypted. It has to be 2-way encryption or it couldn't transmit the correct password to the IMAP and SMTP servers. Further, the permissions are 600 on the file. Nice. Just as expected.
Then I saw an article on Sylpheed – I guess it is the default email client for Lubuntu 10.0x. Could be, but maybe not. Anyway, I loaded it and used it for a few days too. Nice, quick. It feels like Thunderbird did 10 yrs ago. The bad news is the password settings are not encrypted in the accountrc file. The file itself has 600 permissions, so I guess that's ok. They seem to be following the Pidgin theory of security.

Just for fun, I looked in the ~/.thunderbird/ directory (recursively) for unencrypted passwords. I didn't find any. To me, that means they encrypt them.