[Telepathy] Regarding the safety of passwords in the account manager
George Kiagiadakis
kiagiadakis.george at gmail.com
Thu Aug 27 09:30:14 PDT 2009
Hello everybody,
I have been wondering for some time now, why the account manager lets
account passwords be exported to all applications over dbus? Hasn't anybody
ever thought this is a security risk? I think that in this way, it is too easy
for a malicious application to get the password and do nasty things with
private data.
Let's consider some possible scenarios. Let's suppose that you use the same
password everywhere. A malicious application in your computer wants to gain
access to your computer as root, so, it connects to dbus, gets the password
from the account manager and it has access to anything. Even if you don't use
the same password for your root account, most IM accounts have an email
address associated with them that uses the same password. Let's suppose that
there is a spyware/trojan running on your computer; it gets the password and
then it can use your email account for anything you can imagine. One even more
common case (as I have seen it happening with windows live messenger) is the
case where some adware gets the password and then connects to your IM account
and starts sending spam to all your contacts (well, with telepathy this can
also be done without getting the password, but at least it will not cause
any harm to private data...).
Of course you could argue that in unix systems the chance of getting such
malicious software running on your computer is very low, but what about
windows? Telepathy also runs (or should run) under windows, so that is
perfectly possible. And it is even easier if you have some dbus tools
installed in your PATH. For example, let's say you have installed Qt. Then you
have this cool "qdbus" tool in your PATH, which is the easiest way to get a
password. For example, I can get my password with:
$ qdbus org.freedesktop.Telepathy.AccountManager \
    /org/freedesktop/Telepathy/Account/gabble/jabber/kiagiadakis_2egeorge_40gmail_2ecom0 \
    Get org.freedesktop.Telepathy.Account Parameters | grep password
And this utility of course also runs under windows and is included in the
default kde-windows installations (which concerns me as a KDE developer)...
No other program I know exports passwords like that. And I wonder what is the
purpose of saving the passwords in gnome-keyring if mission-control can get
them out of keyring and give them to anybody...
You could also argue that telepathy is not safe anyway, as everything is
exported on dbus and any malicious application can do all kinds of strange
things. But, there is a difference. Having access to program functionality is
not a security risk. When a malicious application starts calling random
functions, the application may start behaving weird or crash, but at least
data will be safe. Having access to a password possibly grants the attacker
access to private and possibly important data, which is more serious than an
application crashing. At least that's my opinion.
Proposed solution:
-----------------------------
My proposed solution to this problem is to make the password parameter
write-only. Nobody needs to read the password from the account manager. The account
management GUI needs to set or change the password (which means write only),
and the account manager then needs to set this password to a connection
manager in order to put it online. The account manager has access to the
password internally anyway and nobody else needs to be able to read the
password. This should make things much safer. And in the future, if needed, we
could have access to the password from gnome-keyring / kwallet directly, as
afaik they are going to develop a common dbus-based API so that they are
interchangeable.
What do you think?
Best regards,
George
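The write-only design sketched above, as an added illustration that is not mission-control or Telepathy code: a small pure-Python model of an account object whose public "read parameters" path drops every parameter flagged as secret, while the setter accepts them and only an internal, non-exported path hands the full set to the connection manager. The class names, the flag value and the parameter names are assumptions made for this example; nothing here talks to a real D-Bus daemon.

```python
"""Model of a write-only 'password' parameter for an account-manager-like
object.  Added example, not Telepathy or mission-control code.  The flag
value, class names and parameter names are assumptions for illustration."""

from dataclasses import dataclass

# Assumed per-parameter flag marking a value as secret (Telepathy's
# connection-manager parameter metadata carries a similar "Secret" flag;
# the numeric value used here is an assumption).
PARAM_FLAG_SECRET = 8


@dataclass(frozen=True)
class ParamSpec:
    """Describes one account parameter a protocol accepts."""
    name: str
    flags: int = 0

    @property
    def secret(self) -> bool:
        return bool(self.flags & PARAM_FLAG_SECRET)


# Constructed protocol description: which parameters a jabber-like account
# accepts, and which of them must never leave the process.
JABBER_PARAMS = {
    "account": ParamSpec("account"),
    "server": ParamSpec("server"),
    "password": ParamSpec("password", PARAM_FLAG_SECRET),
}


class Account:
    """Stores parameters; secret ones are write-only on the public surface."""

    def __init__(self, specs):
        self._specs = specs
        self._params = {}

    def get_parameters(self):
        """What a bus client sees when it reads 'Parameters': a fresh copy
        containing only non-secret parameters, so secrets are unreadable."""
        return {k: v for k, v in self._params.items()
                if not self._specs[k].secret}

    def update_parameters(self, changes):
        """What the account-management GUI calls to set or change values.
        Unknown parameters are rejected.  The returned list (the payload a
        'parameters changed' signal would carry) names which keys changed
        but never includes the values, so secrets are not leaked that way."""
        unknown = [k for k in changes if k not in self._specs]
        if unknown:
            raise KeyError(f"unknown parameter(s): {unknown}")
        self._params.update(changes)
        return sorted(changes)

    def _connection_parameters(self):
        """Internal only: the full parameter set handed to the connection
        manager when the account goes online.  Never exported over the bus."""
        return dict(self._params)


def demo():
    """Run the flow once: set values, then read them back both ways."""
    acct = Account(JABBER_PARAMS)
    changed = acct.update_parameters({
        "account": "user@example.org",          # constructed sample value
        "password": "constructed-secret",       # constructed sample value
    })
    return changed, acct.get_parameters(), acct._connection_parameters()
```

The point of the split is that the same object serves two callers with different needs: the GUI and any other bus client only ever get the redacted view, while the code that actually has to log in reads the internal copy. Whether that internal copy should instead come straight from gnome-keyring or kwallet, as the message suggests, is an orthogonal choice; the redaction at the exported boundary is what removes the `Get ... Parameters | grep password` path.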