Page 1 of 42 12311 ... LastLast
Results 1 to 10 of 413

Thread: Keyring passwords visible after login without second password prompt

  1. #1
    Join Date
    Mar 2009
    Location
    New Zealand
    Beans
    687
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Exclamation Keyring passwords visible after login without second password prompt

    Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password?

    But then when I change CPU Frequency scaling, I'm prompted to enter my admin password?

    O.o

    How to reproduce:

    1. Restart your computer and login. Do not enter any passwords after your desktop has loaded.

    2. Go to Applications > Accessories > Passwords and Encryption Keyrings

    3. Click on the 'Login' folder to drop down and view the programs that store data here.

    4. Double click on something you want to look at.

    5. Click Password to show some dots, then uncheck the box below the dots marked "Show password"

    6. Note that throughout this whole procedure, not once were you prompted* to enter in anything that verifies you are authorized to view this information.

    *The only prompt is asking if it's allowed access to the keyring, to which anyone can click allow.

    Links all in one place:

    Bug report filed on Launchpad
    OMG! UBUNTU! Blog Post
    Gnome-keyring mailing list
    Gnome Keyring Security Philosophy
    Ubuntu Brainstorm Idea




    -------
    Attached Images Attached Images
    Last edited by humphreybc; October 29th, 2009 at 04:43 AM.
    Writer for OMG! Ubuntu!, Editor-in-Chief Ubuntu Gamer. Co-founder of media and software company Ohso.

  2. #2
    Join Date
    May 2009
    Beans
    48
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Because you already entered your password once? Lock your screen when you leave your computer if you don't want others to see this information...

  3. #3
    Join Date
    Sep 2008
    Beans
    519

    Re: Blatant security flaw much?

    gksu and sudo have the 15 minute period where you don't have to type in a password for administrative tasks

  4. #4
    Join Date
    Jun 2009
    Location
    Seanchan
    Beans
    227
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Quote Originally Posted by renkinjutsu View Post
    gksu and sudo have the 15 minute period where you don't have to type in a password for administrative tasks
    Is it that long? That's too long for my tastes. I'm gonna change my sudoers file.

  5. #5
    Join Date
    May 2007
    Beans
    880
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Quote Originally Posted by TrueJournals View Post
    Because you already entered your password once? Lock your screen when you leave your computer if you don't want others to see this information...
    It does seem odd to me that you're not required to enter your password again here. I realize that this is not being done as a superuser and that's probably why, but perhaps viewing the password should require you to re-enter your user password. It doesn't seem like a good idea to allow anyone to view your entered passwords for things like email acounts and whatnot unless you lock your screen or logout.

  6. #6
    Join Date
    May 2009
    Beans
    48
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Regardless, this is something that requires physical access, which is the biggest security whole in the first place. Why would you lave your computer without locking your screen if you're worried about security?

  7. #7
    Join Date
    May 2007
    Beans
    880
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Quote Originally Posted by TrueJournals View Post
    Regardless, this is something that requires physical access, which is the biggest security whole in the first place. Why would you lave your computer without locking your screen if you're worried about security?
    Both true and irrelevant. It's reasonable to wonder why passwords for things other than your local computer can be viewed in clear text without entering a password. Even Windows doesn't allow that.

  8. #8
    Join Date
    Jun 2009
    Beans
    Hidden!
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: Blatant security flaw much?

    Quote Originally Posted by humphreybc View Post
    Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password?

    But then when I change CPU Frequency scaling, I'm prompted to enter my admin password?

    O.o

    *The only prompt is asking if it's allowed access to the keyring, to which anyone can click allow.
    It's Your computer,isn't it? I am sure that if you are concerned about your personal information,your not going to leave your machine lying around,powered up,with your keyring open.
    Last edited by sliketymo; October 27th, 2009 at 06:30 AM. Reason: spelling

  9. #9
    Join Date
    Mar 2009
    Location
    New Zealand
    Beans
    687
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Blatant security flaw much?

    All valid points, but, regardless of individual situations I still think that you should not be able to view important passwords without first validating that you are indeed the owner of the accounts they belong to.
    Writer for OMG! Ubuntu!, Editor-in-Chief Ubuntu Gamer. Co-founder of media and software company Ohso.

  10. #10
    Join Date
    Oct 2007
    Location
    Chennai, India
    Beans
    3,804
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Quote Originally Posted by humphreybc View Post
    Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password?
    This is big; you should file a bug report, I guess. No matter what the justifications offered, your keyring passwords should not be opened with prompting for a password. (I don't even get the prompt to allow the keyring to be opened).
    Cheers,PRShah
    Make your own: Ubuntu, Kubuntu, Xubuntu, Mythbuntu All-in-One Live DVD
    "I never make mistakes; I thought I did, once.. but I was wrong."

Page 1 of 42 12311 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •