'Big Honking Security Hole' or something else?

Dotan Cohen dotancohen at gmail.com
Tue Oct 19 18:04:56 UTC 2010

On Mon, Oct 18, 2010 at 23:13, Steven Susbauer <steven at too1337.com> wrote:
> On 10/18/10 1:40 PM, Dotan Cohen wrote:
>> As a demonstration of what happens to plain text passwords.
>> Now that the issue is being taken seriously, where is the offending
>> file? No matter how much blame-shifting we do, the fact remains that
>> this is a serious security issue and it's time to fix it.
> There is no offending file. gnome-keyring does not store passwords as
> plain text, but provides the ability to retrieve the password if you
> have unlocked (IE: decrypted) the keyring. If you wish to avoid this
> behavior, change the password on the login keyring so it does not
> automatically unlock, or set another keyring as the default keyring and
> manage those passwords separately from the login keyring (so maybe your
> user passwords remain locked until you manually unlock it, but you still
> automatically connect to your wireless network).
> Keyrings are stored in the .gnome2/keyrings folder. Run strings and
> you'll not find much of value.

I had understood the situation to be that after the password is given,
there exists a plaintext file with the passwords. Rereading the OP, I
see that it is not the filesystem that he was poking around in, but
rather the Password and Encryption Keys application. That is
reasonable, so there is no bug.


Dotan Cohen

