1 | initial version | posted 2018-06-07 16:25:06 +0200 |
This is a duplicate of https://together.jolla.com/question/37710/dbus-monitor-shows-exchange-mail-password-in-clear-text/ because this still happens on my Sailfish X 2.2.0 and I can't reopen an issue.
Copy of the original report:
I was fiddling with the dbus-monitor and noticed the password for my exchange mail flicker by on the screen. It seems like this could be a huge security hole since any app monitoring the dbus could get access to my exchange mail. Here is a draft of what I saw.
method call sender=:1.95 -> dest=org.freedesktop.DBus serial=31 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
   string ":1.20"
signal sender=:1.95 -> dest=(null destination) serial=32 path=/com/google/code/AccountsSSO/SingleSignOn/AuthSession_2; interface=com.google.code.AccountsSSO.SingleSignOn.AuthSession; member=stateChanged
   int32 8
   string "The request is started successfully"
method return sender=:1.95 -> dest=:1.20 reply_serial=233
   array [
      dict entry(
         string "Secret"
         variant string "mypassword"
      )
      dict entry(
         string "UserName"
         variant string "myemail@something.com"
      )
   ]
2 | No.2 Revision |
It also leaks all the email titles, senders etc.:
struct {
   string "EMAIL ACCOUNT"
   uint32 275
   string "image://theme/graphic-service-google"
   string "SENDER EMAIL"
   string "TITLE OF THE EMAIL"
   array [
      string "app"
      string ""
      string "default"
      string ""
   ]
   array [
      dict entry(
         string "category"
         variant string "x-nemo.email"
      )
      dict entry(
         string "x-nemo-remote-action-default"
         variant string "com.jolla.email.ui /com/jolla/email/ui com.jolla.email.ui openMessage AAAAAgAAAAEt"
      )
      dict entry(
         string "x-nemo-timestamp"
         variant string "2018-06-07T15:44:55Z"
      )
      dict entry(
         string "x-nemo-item-count"
         variant int32 1
      )
      dict entry(
         string "urgency"
         variant int32 1
      )
      dict entry(
         string "x-nemo-feedback"
         variant string "email_exists"
      )
      dict entry(
         string "x-nemo-priority"
         variant string "100"
      )
      dict entry(
         string "x-nemo-remote-action-app"
         variant string "com.jolla.email.ui /com/jolla/email/ui com.jolla.email.ui openCombinedInbox"
      )
      dict entry(
         string "x-nemo-owner"
         variant string "messageserver5"
      )
      dict entry(
         string "x-nemo-icon"
         variant string "icon-lock-email"
      )
      dict entry(
         string "x-nemo-led-disabled-without-body-and-summary"
         variant string "false"
      )
      dict entry(
         string "x-nemo.email.published-message-id"
         variant string "301"
      )
   ]
   int32 -1
}
3 | retagged |
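An added example, not part of the original post or of any Sailfish OS code: a small auditor for saved dbus-monitor text output that reports which message carried a credential-like dict entry and redacts the value, so a trace can be reviewed or attached to a bug report without the secret. The function name `audit_trace` and every key in `SENSITIVE_KEYS` other than "Secret" are assumptions made for this example.

```python
import re

# Dict keys treated as credentials. "Secret" is the key seen in the post;
# the other names are assumptions added for this example.
SENSITIVE_KEYS = {"secret", "password", "passphrase", "token"}

# Header line of a message; accepts both "dest=" and "destination=".
HEADER_RE = re.compile(r"^(method call|method return|signal|error)\b.*?"
                       r"sender=(\S+) -> dest(?:ination)?=(.+?) (?:reply_)?serial=")
KEY_RE = re.compile(r'^\s*string "(.*)"\s*$')
VALUE_RE = re.compile(r'^(\s*variant\s+string )"(.*)"\s*$')

# Trace copied from the post (values are the poster's own placeholders).
SAMPLE = '''\
method return sender=:1.95 -> dest=:1.20 reply_serial=233
   array [
      dict entry(
         string "Secret"
         variant string "mypassword"
      )
      dict entry(
         string "UserName"
         variant string "myemail@something.com"
      )
   ]
'''

def audit_trace(text):
    """Return (redacted_text, findings) for dbus-monitor text output."""
    out, findings = [], []
    header = (None, None, None)   # kind, sender, dest of current message
    key = None                    # None: outside an entry, "": key expected
    for lineno, line in enumerate(text.splitlines(), 1):
        if (h := HEADER_RE.match(line)):
            header, key = h.groups(), None
        elif "dict entry(" in line:
            key = ""
        elif key == "" and (k := KEY_RE.match(line)):
            key = k.group(1)
        elif key and (v := VALUE_RE.match(line)):
            if key.lower() in SENSITIVE_KEYS:
                findings.append(dict(zip(("kind", "sender", "dest"), header),
                                     key=key, line=lineno))
                line = v.group(1) + '"<redacted>"'
            key = None
        out.append(line)
    return "\n".join(out), findings

if __name__ == "__main__":
    print(*audit_trace(SAMPLE), sep="\n")
```

Findings record only the key name, message kind, sender, destination and line number, never the secret value itself.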