dbus-monitor shows mail password in clear text and other sensitive information
This is a duplicate of https://together.jolla.com/question/37710/dbus-monitor-shows-exchange-mail-password-in-clear-text/ because this still happens on my Sailfish X 2.2.0 and I can't reopen an issue.
Copy of the original report:
I was fiddling with the dbus-monitor and noticed the password for my exchange mail flicker by on the screen. It seems like this could be a huge security hole since any app monitoring the dbus could get access to my exchange mail. Here is a draft of what I saw.
method call sender=:1.95 -> dest=org.freedesktop.DBus serial=31 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
   string ":1.20"
signal sender=:1.95 -> dest=(null destination) serial=32 path=/com/google/code/AccountsSSO/SingleSignOn/AuthSession_2; interface=com.google.code.AccountsSSO.SingleSignOn.AuthSession; member=stateChanged
   int32 8
   string "The request is started successfully"
method return sender=:1.95 -> dest=:1.20 reply_serial=233
   array [
      dict entry(
         string "Secret"
         variant string "mypassword"
      )
      dict entry(
         string "UserName"
         variant string "myemail@something.com"
      )
   ]
It also leaks all the email titles, senders etc.:
struct {
   string "EMAIL ACCOUNT"
   uint32 275
   string "image://theme/graphic-service-google"
   string "SENDER EMAIL"
   string "TITLE OF THE EMAIL"
   array [
      string "app"
      string ""
      string "default"
      string ""
   ]
   array [
      dict entry(
         string "category"
         variant string "x-nemo.email"
      )
      dict entry(
         string "x-nemo-remote-action-default"
         variant string "com.jolla.email.ui /com/jolla/email/ui com.jolla.email.ui openMessage AAAAAgAAAAEt"
      )
      dict entry(
         string "x-nemo-timestamp"
         variant string "2018-06-07T15:44:55Z"
      )
      dict entry(
         string "x-nemo-item-count"
         variant int32 1
      )
      dict entry(
         string "urgency"
         variant int32 1
      )
      dict entry(
         string "x-nemo-feedback"
         variant string "email_exists"
      )
      dict entry(
         string "x-nemo-priority"
         variant string "100"
      )
      dict entry(
         string "x-nemo-remote-action-app"
         variant string "com.jolla.email.ui /com/jolla/email/ui com.jolla.email.ui openCombinedInbox"
      )
      dict entry(
         string "x-nemo-owner"
         variant string "messageserver5"
      )
      dict entry(
         string "x-nemo-icon"
         variant string "icon-lock-email"
      )
      dict entry(
         string "x-nemo-led-disabled-without-body-and-summary"
         variant string "false"
      )
      dict entry(
         string "x-nemo.email.published-message-id"
         variant string "301"
      )
   ]
   int32 -1
}
you see this in dbus-monitor running from normal user with no root privileges?
coderus ( 2018-06-07 18:44:54 +0200 )

From the user nemo, which doesn't have root privileges afaik?
Lectem ( 2018-06-07 19:15:38 +0200 )

If someone has hands on your unlocked phone I suppose it is already a huge security hole.
Piotr ( 2018-06-08 11:32:33 +0200 )

Yeah right, it makes perfect sense for any non-root application to have access to everything just by looking at dbus, because installing an app is a huge security hole. I don't know for you, but I don't have time to review the code (when available) and build any package myself.
Lectem ( 2018-06-08 16:45:06 +0200 )

But isn't that nemo has access to nemo? afair email client works as user, so stores password as user, so I think it's normal that user has access to his passwords. ;) But maybe I'm wrong somewhere along the way?
Piotr ( 2018-06-08 23:57:47 +0200 )
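The report's excerpt is a textual dbus-monitor capture, and the question a maintainer or tester would want answered is "which bus peer put a credential on the session bus, and to whom?". The following audit helper is an added example, not code from the report, from Jolla, or from the Sailfish signon stack. It assumes only the dbus-monitor text format shown above (a header line per message, then indented argument lines), and the sample capture embedded in it is constructed to mirror the report. It flags `dict entry(` pairs whose key names a credential, and deliberately redacts the value so the audit output does not become a second copy of the secret.

```python
# Added audit helper (not part of the original report): scan captured
# dbus-monitor text for dict entries whose key names a credential and report
# which bus peer emitted them and to whom. Values are redacted on purpose.
import re
from dataclasses import dataclass, field

# Header line of each dbus-monitor message, e.g.
#   method return sender=:1.95 -> dest=:1.20 reply_serial=233
HEADER_RE = re.compile(
    r'^(?P<kind>method call|method return|signal|error) '
    r'sender=(?P<sender>\S+) -> dest=(?P<dest>\(null destination\)|\S+)'
)
# Key names (normalised to lower-case alphanumerics) treated as credentials.
# This list is an assumption for the example; extend it for your own services.
SENSITIVE_KEYS = {"secret", "password", "passwd", "token", "accesstoken", "refreshtoken"}
KEY_RE = re.compile(r'^string "(?P<key>.*)"$')
VALUE_RE = re.compile(r'^variant\s+(?P<type>\w+)\s+(?P<value>.*)$')


@dataclass
class Message:
    kind: str
    sender: str
    dest: str
    header: str
    body: list = field(default_factory=list)


def split_messages(text):
    """Group dbus-monitor lines into messages; a header line starts each one."""
    messages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            messages.append(Message(m["kind"], m["sender"], m["dest"], line))
        elif messages:
            messages[-1].body.append(line)
    return messages


def normalise(key):
    return re.sub(r"[^a-z0-9]", "", key.lower())


def find_credentials(msg):
    """Yield (key, value) for every 'dict entry(' whose key looks like a credential."""
    body = msg.body
    for i, line in enumerate(body):
        if line != "dict entry(" or i + 2 >= len(body):
            continue
        key_m = KEY_RE.match(body[i + 1])
        val_m = VALUE_RE.match(body[i + 2])
        if key_m and val_m and normalise(key_m["key"]) in SENSITIVE_KEYS:
            yield key_m["key"], val_m["value"].strip('"')


def audit(text):
    """Return one finding per credential-bearing dict entry, value redacted."""
    findings = []
    for msg in split_messages(text):
        for key, value in find_credentials(msg):
            findings.append({
                "kind": msg.kind, "sender": msg.sender, "dest": msg.dest,
                "key": key, "value": f"<redacted {len(value)} chars>",
            })
    return findings


# Constructed sample capture, modelled on the excerpt in the report.
SAMPLE = """\
signal sender=:1.95 -> dest=(null destination) serial=32 path=/com/google/code/AccountsSSO/SingleSignOn/AuthSession_2; interface=com.google.code.AccountsSSO.SingleSignOn.AuthSession; member=stateChanged
   int32 8
   string "The request is started successfully"
method return sender=:1.95 -> dest=:1.20 reply_serial=233
   array [
      dict entry(
         string "Secret"
         variant             string "mypassword"
      )
      dict entry(
         string "UserName"
         variant             string "myemail@something.com"
      )
   ]
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['kind']} {f['sender']} -> {f['dest']}: {f['key']} = {f['value']}")
```

Run against the sample it reports a single finding: the `method return` from `:1.95` to `:1.20` carrying a `Secret`. The sender and destination are unique connection names, so the natural follow-up on a real capture is to resolve them (the `GetConnectionUnixProcessID` call in the report's own excerpt is how peers do that) and confirm that only the intended signon service and client are involved.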