
Did You Know Gnome Lets Anyone See Your Keyring Passwords (MSN, WiFi, Twitter, etc) Without Needing A Password?

A security hole in Gnome allows anyone to see your keyring passwords without needing to enter so much as a password.


The Issue

Despite needing to enter your root password to alter such basic things as CPU Scaling, you are not once prompted to enter it to access the Passwords and Encryption Keyring.

Ubuntu Forum user humphreybc, who first reported this anomaly on the Ubuntu Forums, posted a quick step-through guide so you can see for yourself how dodgy this lapse is:

1. Restart your computer and log in. Do not enter any passwords after your desktop has loaded.

2. Go to Applications > Accessories > Passwords and Encryption Keyrings

3. Click on the ‘Login’ folder to drop down and view the programs that store data here.

4. Double click on something you want to look at.

5. Click Password to show some dots, then uncheck the box below the dots marked "Show password"

6. Note that throughout this whole procedure, not once were you prompted to enter in anything that verifies you are authorized to view this information.
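
The same check can be run from a script. This is an added example, not part of the original post or of Gnome Keyring's own code: it reports which keyrings in the current session are already unlocked and how many items each holds, without reading any secret. It assumes the keyring daemon exposes the freedesktop Secret Service API and that the Python `secretstorage` package is installed; `FakeCollection` is a constructed stand-in used only to exercise the logic offline.

```python
"""Audit which keyrings in the current session are unlocked (no secrets are read)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyringStatus:
    label: str
    locked: bool
    item_count: int


def audit_collections(collections):
    """Return a KeyringStatus per collection.

    `collections` is any iterable of objects exposing get_label(),
    is_locked() and get_all_items(), the interface offered by
    secretstorage.Collection. Only labels and item counts are read.
    """
    report = []
    for col in collections:
        items = sum(1 for _ in col.get_all_items())
        report.append(KeyringStatus(col.get_label(), col.is_locked(), items))
    return report


def exposed(report):
    """Keyrings that hold items and are readable without any further prompt."""
    return [s for s in report if not s.locked and s.item_count > 0]


class FakeCollection:
    """Constructed stand-in so the logic can be tested without a D-Bus session."""
    def __init__(self, label, locked, items):
        self._label, self._locked, self._items = label, locked, items
    def get_label(self): return self._label
    def is_locked(self): return self._locked
    def get_all_items(self): return iter(self._items)


def main():
    import secretstorage  # assumption: the secretstorage package is installed
    conn = secretstorage.dbus_init()
    for s in exposed(audit_collections(secretstorage.get_all_collections(conn))):
        print(f"UNLOCKED: {s.label!r} holds {s.item_count} item(s)")


if __name__ == "__main__":
    main()
```

Run it straight after logging in, before typing any password: every keyring it lists is one that any program in the session can read without a prompt.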

Thankfully no-one in my household is dubious (or well versed enough!) to know how to do this, but given that one third of people use just one password for everything they do, this has the potential to be quite serious.

“Protecting your personal data is your responsibility, not the system’s”

Bachstelze, a moderator over on the Ubuntu Forums, responded to the issue in question with a rather disconcerting explanation as to why this is allowed:

Because accessing your personal data doesn’t require administrator access. Protecting your personal data is your responsibility, not the system’s.

Which is somewhat fair enough and is part of the security design of the Gnome Keyring, but actually, to my mind, is not good enough.

User the.lost.one offers up a sane chunk of reasoning as to why:

…I want to protect it by making the system ask for a password to access it. But the system provides no such option.

Which is the crux of this matter.

If I need to enter my password to scale my CPU or edit a panel applet then I should need to enter my password to view something as important as passwords.

If this issue concerns you then be sure to share that concern with the Gnome Keyring via their mailing list at http://mail.gnome.org/mailman/listinfo/gnome-keyring-list or check out the bug report that’s been floating around aimlessly since Hardy.

A simple confirmation/authorisation dialog and this issue is moot.

Thanks to Benjamin