We have moved to a new Sailfish OS Forum. Please start new discussions there.
15

dbus-monitor shows mail password in clear text and other sensitive information

Tracked by Jolla (In release)

asked 2018-06-07 16:25:06 +0200

Lectem gravatar image

updated 2018-06-08 08:52:19 +0200

jovirkku gravatar image

This is a duplicate of https://together.jolla.com/question/37710/dbus-monitor-shows-exchange-mail-password-in-clear-text/ because this still happens on my Sailfish X 2.2.0 and I can't reopen an issue.

Copy of the original report :

I was fiddling with the dbus-monitor and noticed the password for my exchange mail flicker by on the screen. It seems like this could be a huge security hole since any app monitoring the dbus could get access to my exchange mail. Here is a draft of what I saw.

method call sender=:1.95 -> dest=org.freedesktop.DBus serial=31 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
   string ":1.20"
signal sender=:1.95 -> dest=(null destination) serial=32 path=/com/google/code/AccountsSSO/SingleSignOn/AuthSession_2; interface=com.google.code.AccountsSSO.SingleSignOn.AuthSession; member=stateChanged
   int32 8
   string "The request is started successfully"
method return sender=:1.95 -> dest=:1.20 reply_serial=233
   array [
      dict entry(
         string "Secret"
         variant             string "mypassword"
      )
      dict entry(
         string "UserName"
         variant             string "myemail@something.com"
      )
   ]

It also leaks all the email titles, senders etc :

  struct {
     string "EMAIL ACCOUNT"
     uint32 275
     string "image://theme/graphic-service-google"
     string "SENDER EMAIL"
     string "TITLE OF THE EMAIL"
     array [
        string "app"
        string ""
        string "default"
        string ""
     ]
     array [
        dict entry(
           string "category"
           variant                   string "x-nemo.email"
        )
        dict entry(
           string "x-nemo-remote-action-default"
           variant                   string "com.jolla.email.ui /com/jolla/email/ui com.jolla.email.ui openMessage AAAAAgAAAAEt"
        )
        dict entry(
           string "x-nemo-timestamp"
           variant                   string "2018-06-07T15:44:55Z"
        )
        dict entry(
           string "x-nemo-item-count"
           variant                   int32 1
        )
        dict entry(
           string "urgency"
           variant                   int32 1
        )
        dict entry(
           string "x-nemo-feedback"
           variant                   string "email_exists"
        )
        dict entry(
           string "x-nemo-priority"
           variant                   string "100"
        )
        dict entry(
           string "x-nemo-remote-action-app"
           variant                   string "com.jolla.email.ui /com/jolla/email/ui com.jolla.email.ui openCombinedInbox"
        )
        dict entry(
           string "x-nemo-owner"
           variant                   string "messageserver5"
        )
        dict entry(
           string "x-nemo-icon"
           variant                   string "icon-lock-email"
        )
        dict entry(
           string "x-nemo-led-disabled-without-body-and-summary"
           variant                   string "false"
        )
        dict entry(
           string "x-nemo.email.published-message-id"
           variant                   string "301"
        )
     ]
     int32 -1
  }
edit retag flag offensive close delete

Comments

3

you see this in dbus-monitor running from normal user with no root privileges?

coderus ( 2018-06-07 18:44:54 +0200 )edit
3

From the user nemo, which doesn't have root privileges afaik ?

Lectem ( 2018-06-07 19:15:38 +0200 )edit

If someone has hands on your unlocked phone I suppose it is already a huge security hole.

Piotr ( 2018-06-08 11:32:33 +0200 )edit

Yeah right, it makes perfect sense for any non-root application to have access to evrything just by looking at dbus, because installing an app is a huge security hole. i dont know for you, but I dont have time to review the code (when available) and build any package myself.

Lectem ( 2018-06-08 16:45:06 +0200 )edit

But isnt that nemo has access to nemo? afair email client works as user, so stores password as user, so I think its normal that user has access to his passwords. ;) But maybe Im wrong somewhere along the way?

Piotr ( 2018-06-08 23:57:47 +0200 )edit

1 Answer

Sort by » oldest newest most voted
7

answered 2018-06-08 09:20:41 +0200

jovirkku gravatar image

@Lectem: Thank you for this report. An internal bug at Jolla has been filed on this.

edit flag offensive delete publish link more
Login/Signup to Answer

Question tools

Follow
6 followers

Stats

Asked: 2018-06-07 16:25:06 +0200

Seen: 547 times

Last updated: Jun 08 '18