Did You Know Gnome Lets Anyone See Your Keyring Passwords (MSN, WiFi, Twitter, etc) Without Needing A Password?

A security hole in Gnome allows anyone to see your keyring passwords without needing to enter so much as a password.


The Issue

Despite needing to enter your root password to alter such basic things as CPU Scaling, you are not once prompted to enter it to access the Passwords and Encryption Keyring.

Ubuntu Forum user humphreybc, who first reported this anomaly on the Ubuntu Forums, posted a quick step-through guide so you can see for yourself how dodgy this lapse is:

1. Restart your computer and login. Do not enter any passwords after your desktop has loaded.

2. Go to Applications > Accessories > Passwords and Encryption Keyrings

3. Click on the ‘Login’ folder to drop down and view the programs that store data here.

4. Double click on something you want to look at.

5. Click Password to show some dots, then uncheck the box below the dots marked "Show password".

6. Note that throughout this whole procedure, not once were you prompted to enter in anything that verifies you are authorized to view this information.

Thankfully no-one in my household is dubious enough (or well versed enough!) to know how to do this, but given that one third of people use just one password for everything they do, this has the potential to be quite serious.

“Protecting your personal data is your responsibility, not the system’s”

Bachstelze, a moderator over on the Ubuntu Forums, responded to the issue in question with a rather disconcerting explanation as to why this is allowed:

Because accessing your personal data doesn’t require administrator access. Protecting your personal data is your responsibility, not the system’s.

Which is somewhat fair enough, and is part of the security design of the Gnome Keyring, but to my mind it is not good enough.

User the.lost.one offers up a sane chunk of reasoning as to why:

…I want to protect it by making the system ask for a password to access it. But the system provides no such option.

Which is the crux of this matter.

If I need to enter my password to scale my CPU or edit a panel applet, then I should need to enter my password to view something as important as passwords.

If this issue concerns you then be sure to share that concern with the Gnome Keyring via their mailing list @ http://mail.gnome.org/mailman/listinfo/gnome-keyring-list or check out the bug report that's been floating around aimlessly since Hardy.

A simple confirmation/authorisation dialog and this issue is moot.

Thanks to Benjamin

  • d00bi0uz

    Quite concerning!

  • snkiz

    It should be noted that only a single email has been sent. As yet we have not had a reply.
    There is, to my knowledge, no bug report yet. The devs have not yet snubbed it entirely.

  • ctc26

    Of course you do have to login (enter username and password) before you can access the keyring.

    And if you have automatic login enabled the Ubuntu keyring prompts you for your user password before the network etc can connect.

    Just keep your login details a secret and don’t leave your desktop unattended. There are far more serious things a person can do with physical access to your computer than reading your MSN password.

  • Anonymous

    YOU need to configure YOUR system, then you can use it;
    without the system configured properly you can get root access from Grub, for example.
    Remember, physical access is root access. This is not a security hole, just a troll post.

  • Anonymous

    I don't think that it could be called a bug, because it is not a hazard to the system.

    Even apps like Pidgin advise users that they don't encrypt passwords and accounts (and it could be fixed with a small plugin).

    Well, in this case, to be a potential security hole, the “attacker” needs physical access to the computer and an active Gnome session, a little hard to get remotely, I think.

    Nice blog, I will be following your RSS feed.

    • snkiz

      They do? I've been using Pidgin for five years and just found this out in the thread. Pidgin has never told me my passwords are not encrypted.

  • Mohan

    That is not good!

  • Martini1179

    I don’t know if it’s apathy or a misguided sense of personal responsibility, but the opinions of Bachstelze regarding this issue are crap. I somewhat agree with him if “personal data” involves only documents, music, pictures and the like, but protecting the integrity of the system by restricting access to passwords should be in a separate category.

    Sure, an argument can be made that no one can access your passwords if they cannot log into your account in the first place, but I’d argue that once you’re in, you’re in, and any wayward soul that wanted to get your passwords, could, provided he had the knowledge. From personal experience, people don’t routinely log out when leaving the computer unattended, even with others around. Password integrity should be absolute, with GNOME taking an active part in not sharing personal information instead of relying on the conscience of my techie friends.

  • Name

    Do these instructions include entering your password to log into your desktop in the first place?

  • Noel

    Firefox has had this ‘feature’ for a long time now. Anyone with access to your PC can just look at your saved passwords within Firefox.

    • http://stesind.blogspot.com/ Steffen

      In Firefox you are asked to create a general password.

  • http://stesind.blogspot.com/ Steffen

    Hi,

    The standard situation on login is that you have to enter your password at login. If you choose to log in automatically without entering a password, then it is your decision and the risk is obvious.

    The key chain “login” is opened on login by default. If you have an auto login then it is open as well. But you can change the password of the key chain “login” as you want. Then you are prompted for a password. And once more, you are free in your decision to store your passwords in seahorse, but for me it is a convenient and safe way.

    Maybe my English is not good enough but I do not understand the “bug”.

    Steffen

  • Name

    “Protecting your personal data is your responsibility, not the system’s”

    Except when it’s Windows… then it’s always Microsoft’s fault, right?
    sigh…

    • http://stesind.blogspot.com/ Steffen

      Not really. Sure, protecting your personal data is your responsibility, but the system has to support this. If you have Windows you often can’t choose security options and the whole security architecture is unsafe by default.

  • http://themikecam.com/ Miquel

    I think you’re exaggerating and inflaming the situation by saying anyone can see your keyring “without needing to enter so much as a password.” This is blatantly untrue, because you first have to log in in order to gain access to the keyring. Even if you auto-login, you still have to enter your password to open the keyring.

    This makes perfect sense to me — if you log in, you unlock all your personal data on the computer. If people don’t understand this, then they have an IT education or comprehension problem which is bigger than revealing a few IM passwords.

    If people want to share a computer, they should be taught to have separate users and to log out or lock their screen when they’re done. If they want to let someone have impromptu access, there is the ability to switch to a temporary guest account. I think teaching users basic security habits is a far better solution than changing a sensible usability pattern. I don’t want to have to enter my password yet again — I’m already sick of logging into things — software should be becoming more usable, not less.

    • snkiz

      Agreed. The problem with that is no one is teaching the basics. A lot of people don’t even know seahorse is there.

  • bhm

    When you have physical access to a PC, hands down, there are no barriers.

    That’s not a bug, that’s not an issue. This should be in papercuts. Still exaggerated.

  • Johan

    You identify yourself by logging in, which is why the keyring is unlocked at login. The computer is correctly assuming that the logged in user is using the computer until the user logs out/locks the session.
    In earlier releases, when the keyring wasn’t unlocked at login, users using wireless networks had to enter their password twice – once for login, and once for unlocking the keyring to allow access to network passwords.
    When other people are around, lock the computer when leaving it.

  • https://launchpad.net/~jmoronat Jacopo

    However you can right-click on the login folder and then click on “Block”: if you want to see passwords, you have to unblock it and therefore give login password.

  • Kamilion

    This is not a security flaw.

    When you installed ubuntu, you chose an account password.
    Then, when you first login, the first time seahorse is accessed, it asks you to choose a keyring password.

    If you just press enter, seahorse will then automatically unlock your login keyring for you.
    It displays a scary box that says:

    Store passwords unencrypted?
    By choosing to use a blank password, your stored passwords will not be safely encrypted.
    They will be accessible to anyone with access to your files.
    [ Cancel ] [ Use Unsafe Storage ]

    You can easily change this by opening seahorse, right clicking the login keychain, and selecting Change Password.

    Choose a password other than your account password.
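    A defender's check for the situation the step-through guide above and Kamilion's comment describe. This is an added example, not code from the original post or from the gnome-keyring project. It assumes (none of this is stated on the page) that the keyring file lives under ~/.gnome2/keyrings/ or ~/.local/share/keyrings/, that an encrypted keyring starts with the 16-byte header `GnomeKeyring\n\r\0\n`, and that a keyring saved with a blank password is written as a plain-text INI-style file with a `[keyring]` section, one numbered section per item carrying a `secret=` line, and `lock-on-idle`/`lock-timeout` keys. The sample keyring in the block is constructed; the audit only classifies the file and counts items, it never prints a secret.

```python
"""Audit GNOME keyring files: is the login keyring encrypted, or stored in the clear?

Added example (not from the post or the gnome-keyring project). Assumed, not taken
from the page: file locations, the encrypted-format header and the plain-text
layout used for blank-password keyrings. Secrets are never returned or printed.
"""
import configparser
import os
from dataclasses import dataclass

ENCRYPTED_MAGIC = b"GnomeKeyring\n\r\0\n"  # assumed header of the encrypted binary format

# Constructed sample of a keyring saved with a blank password (plain-text layout).
SAMPLE_PLAINTEXT = b"""[keyring]
display-name=login
lock-on-idle=false
lock-timeout=0

[1]
item-type=0
display-name=Example IM account (constructed)
secret=not-a-real-password

[1:attribute0]
name=username
type=string
value=example-user
"""
# Constructed sample of an encrypted keyring: header followed by opaque bytes.
SAMPLE_ENCRYPTED = ENCRYPTED_MAGIC + bytes(range(32))


@dataclass
class KeyringReport:
    path: str
    storage: str           # "encrypted", "plaintext" or "unknown"
    items: int             # stored items found (plain-text files only)
    secrets_readable: int  # items whose secret sits in the clear on disk
    lock_on_idle: bool     # assumed 'lock-on-idle' flag; False when not set


def audit_keyring_bytes(data: bytes, path: str = "<memory>") -> KeyringReport:
    """Classify keyring file content without exposing any secret value."""
    if data.startswith(ENCRYPTED_MAGIC):
        return KeyringReport(path, "encrypted", 0, 0, False)
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(data.decode("utf-8"))
    except (UnicodeDecodeError, configparser.Error):
        return KeyringReport(path, "unknown", 0, 0, False)
    if not parser.has_section("keyring"):
        return KeyringReport(path, "unknown", 0, 0, False)
    # Item sections are bare numbers; "<n>:attribute<m>" sections hold metadata.
    item_sections = [s for s in parser.sections() if s.isdigit()]
    readable = sum(1 for s in item_sections if parser.has_option(s, "secret"))
    idle = parser.getboolean("keyring", "lock-on-idle", fallback=False)
    return KeyringReport(path, "plaintext", len(item_sections), readable, idle)


def audit_keyring_file(path: str) -> KeyringReport:
    with open(path, "rb") as fh:
        return audit_keyring_bytes(fh.read(), path)


def candidate_keyring_dirs() -> list:
    """Assumed on-disk locations; adjust for your distribution."""
    home = os.path.expanduser("~")
    return [os.path.join(home, ".gnome2", "keyrings"),
            os.path.join(home, ".local", "share", "keyrings")]


def main() -> None:
    found = False
    for d in candidate_keyring_dirs():
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".keyring"):
                found = True
                r = audit_keyring_file(os.path.join(d, name))
                print(f"{r.path}: {r.storage}, {r.items} items, "
                      f"{r.secrets_readable} secrets readable, lock-on-idle={r.lock_on_idle}")
    if not found:
        print("No keyring files found; report for the constructed sample:")
        print(audit_keyring_bytes(SAMPLE_PLAINTEXT, "<sample>"))


if __name__ == "__main__":
    main()
```

    A "plaintext" result with `secrets_readable` greater than zero is the case Kamilion's dialog warns about: anyone who can read your home directory can read those secrets, regardless of any Seahorse prompt. The fix the thread gives still applies: change the login keyring's password to something non-blank so the file is rewritten in the encrypted format.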

  • njlinuxmike

    This is an ignorant complaint. You are faulting the system for assuming you are the user who actually logged in. You provide a PW upon login! If you don't, then YOU told the system to log you in automatically. That was your doing. Don't blame the system when you don't like the way you configured it.

    • http://omgubuntu.co.uk/ d0od

      You might’ve been better off posting your rant in the thread I’m reporting on, not the report itself. Don’t shoot the messenger and all that…

  • http://www.HostMyJPG.com/ John Smith

    I agree, if you have to use a password for so many much smaller things… why not this?

  • http://www.datelot.com/ freedating

    Thanks for the heads up.

  • http://www.ekjodi.com/ Matrimony

    That's something new; I never knew that could happen.

  • http://www.seozip.com seo services

    The problem with that is no one is teaching the basics. -Shobazee