
Thread: Keyring passwords visible after login without second password prompt


  1. #1
    Join Date
    Mar 2009
    Location
    New Zealand
    Beans
    687
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Keyring passwords visible after login without second password prompt

    Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password?

    But then when I change CPU Frequency scaling, I'm prompted to enter my admin password?

    O.o

    How to reproduce:

    1. Restart your computer and login. Do not enter any passwords after your desktop has loaded.

    2. Go to Applications > Accessories > Passwords and Encryption Keyrings

    3. Click on the 'Login' folder to drop down and view the programs that store data here.

    4. Double click on something you want to look at.

    5. Click Password to show some dots, then uncheck the box below the dots marked "Show password"

    6. Note that throughout this whole procedure, not once were you prompted* to enter in anything that verifies you are authorized to view this information.

    *The only prompt is asking if it's allowed access to the keyring, to which anyone can click allow.

    Links all in one place:

    Bug report filed on Launchpad
    OMG! UBUNTU! Blog Post
    Gnome-keyring mailing list
    Gnome Keyring Security Philosophy
    Ubuntu Brainstorm Idea




    -------
    Last edited by humphreybc; October 29th, 2009 at 04:43 AM.
    Writer for OMG! Ubuntu!, Editor-in-Chief Ubuntu Gamer. Co-founder of media and software company Ohso.

  2. #2
    Join Date
    May 2009
    Beans
    48
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Because you already entered your password once? Lock your screen when you leave your computer if you don't want others to see this information...

  3. #3
    Join Date
    Sep 2008
    Beans
    519

    Re: Blatant security flaw much?

    gksu and sudo have the 15 minute period where you don't have to type in a password for administrative tasks

  4. #4
    Join Date
    Jun 2009
    Location
    Seanchan
    Beans
    227
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Quote Originally Posted by renkinjutsu View Post
    gksu and sudo have the 15 minute period where you don't have to type in a password for administrative tasks
    Is it that long? That's too long for my tastes. I'm gonna change my sudoers file.
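The sudoers change mentioned in the posts above, as an added example that is not part of the original thread: a small audit that reads sudoers text and reports the `timestamp_timeout` grace period that applies to a given user. It assumes the 15-minute figure quoted in the thread as the default, a hypothetical 5-minute policy threshold, and constructed sample input; `#include` files, aliases and `%group` scopes are not resolved.

```python
import re

ASSUMED_DEFAULT_MIN = 15.0  # grace period quoted in the thread, assumed as default

_DEFAULTS = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<body>.+)$")
_TIMEOUT = re.compile(r'^timestamp_timeout\s*=\s*"?(-?\d+(?:\.\d+)?)"?$')

def effective_timeout(sudoers_text, user, default=ASSUMED_DEFAULT_MIN):
    """Minutes sudo caches credentials for `user`; negative means forever."""
    text = sudoers_text.replace("\\\n", " ")        # join continuation lines
    generic = scoped = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments (and #include)
        m = _DEFAULTS.match(line)
        if not m:
            continue
        scope = m.group("scope")
        if scope and (scope[0] != ":" or user not in scope[1:].split(",")):
            continue                                # host/runas/cmnd or other user
        for setting in m.group("body").split(","):
            t = _TIMEOUT.match(setting.strip())
            if t and scope:
                scoped = float(t.group(1))          # last user-scoped entry wins
            elif t:
                generic = float(t.group(1))         # last generic entry wins
    # sudo applies generic Defaults first, then user-scoped ones on top.
    if scoped is not None:
        return scoped
    return generic if generic is not None else default

def audit(sudoers_text, user, max_minutes=5.0):     # threshold is hypothetical
    minutes = effective_timeout(sudoers_text, user)
    if minutes < 0:
        return f"{user}: FAIL, cached credentials never expire"
    if minutes > max_minutes:
        return f"{user}: WARN, {minutes:g} min grace period exceeds {max_minutes:g}"
    return f"{user}: OK, {minutes:g} min"

# Constructed sample, not taken from a real system.
SAMPLE = r"""
Defaults    env_reset, \
            timestamp_timeout=15
Defaults:alice  timestamp_timeout=0   # alice re-authenticates every time
Defaults@build  timestamp_timeout=-1
%admin ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(audit(SAMPLE, name))
```

Any edit to the real file should go through `visudo`, which checks the syntax before saving.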

  5. #5
    Join Date
    May 2007
    Beans
    880
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Quote Originally Posted by TrueJournals View Post
    Because you already entered your password once? Lock your screen when you leave your computer if you don't want others to see this information...
    It does seem odd to me that you're not required to enter your password again here. I realize that this is not being done as a superuser and that's probably why, but perhaps viewing the password should require you to re-enter your user password. It doesn't seem like a good idea to allow anyone to view your entered passwords for things like email accounts and whatnot unless you lock your screen or logout.

  6. #6
    Join Date
    May 2009
    Beans
    48
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Regardless, this is something that requires physical access, which is the biggest security hole in the first place. Why would you leave your computer without locking your screen if you're worried about security?

  7. #7
    Join Date
    May 2007
    Beans
    880
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Quote Originally Posted by TrueJournals View Post
    Regardless, this is something that requires physical access, which is the biggest security hole in the first place. Why would you leave your computer without locking your screen if you're worried about security?
    Both true and irrelevant. It's reasonable to wonder why passwords for things other than your local computer can be viewed in clear text without entering a password. Even Windows doesn't allow that.

  8. #8
    Join Date
    Nov 2005
    Location
    Bordeaux, France
    Beans
    11,297
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Blatant security flaw much?

    Quote Originally Posted by michaelzap View Post
    Both true and irrelevant. It's reasonable to wonder why passwords for things other than your local computer can be viewed in clear text without entering a password. Even Windows doesn't allow that.
    Orly? See attachment.

    Quote Originally Posted by the.lost.one View Post
    If the sudo command asks for password, accessing other partitions asks for password, update manager asks for password, if the wireless access point is turned off for a while it keeps asking for password (annoying since Windows can reconnect automatically when the access point becomes available), why can't accessing keyring and stored passwords require asking for password???
    Because accessing your personal data doesn't require administrator access. Protecting your personal data is your responsibility, not the system's.
    Last edited by Bachstelze; October 27th, 2009 at 08:54 AM.
    "I'll be back by the evening of the day after tomorrow."


  9. #9
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,541
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Blatant security flaw much?

    Quote Originally Posted by michaelzap View Post
    It's reasonable to wonder why passwords for things other than your local computer can be viewed in clear text without entering a password. Even Windows doesn't allow that.
    There is a tool called "SnadBoy Revelation". Go and Google it. With it you can unmask any password Windows is "protecting". So even if Windows doesn't show the password it's easy for a user-space application such as "SnadBoy" to find it in the RAM and reveal it.

    At least with Linux you know right away what you're dealing with.

  10. #10
    Join Date
    Jun 2009
    Beans
    Hidden!
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: Blatant security flaw much?

    Quote Originally Posted by humphreybc View Post
    Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password?

    But then when I change CPU Frequency scaling, I'm prompted to enter my admin password?

    O.o

    *The only prompt is asking if it's allowed access to the keyring, to which anyone can click allow.
    It's your computer, isn't it? I am sure that if you are concerned about your personal information, you're not going to leave your machine lying around, powered up, with your keyring open.
    Last edited by sliketymo; October 27th, 2009 at 06:30 AM. Reason: spelling
