Given that Empathy Instant Messenger is going to be the default messenger in the next Ubuntu Release, I thought I'd check it out. While setting up my gmail and msn accounts I noticed that it was saving the passwords in the public keyring. It was also giving the familiar quickAllow ("Deny","Allow Once", "AllowAll") dialog when starting up the program and connecting to these accounts. No prompting for any password to protect the keyring.
Given that this was being stored in a public keyring, I wanted to see how easy it was to find these password. I open up sea horse, and hey presto! My passwords to gmail and msn are available for all to see for someone who might be strolling around my workstation/laptop while i'm not there, (if I forget to log out or lock)... using the quickAllow dialog.
Now if someone finds my wireless network key, I don't really care in the scheme of things, even if they use my network to commit bad acts, it happens often enough that I'm unlikely to be penalized. However! I and most people have very sensitive information in our webmail accounts and easy access to them is definitely something I'd like to avoid.
It looks like the quickAllow dialog is from some common library that both applications call into. Please can this prompt for a password, the same way as critical updates do!!!
I see this as a VERY serious security flaw!
Given that Empathy Instant Messenger is going to be the default messenger in the next Ubuntu Release, I thought I'd check it out. While setting up my gmail and msn accounts I noticed that it was saving the passwords in the public keyring. It was also giving the familiar quickAllow ("Deny","Allow Once", "AllowAll") dialog when starting up the program and connecting to these accounts. No prompting for any password to protect the keyring.
Given that this was being stored in a public keyring, I wanted to see how easy it was to find these password. I open up sea horse, and hey presto! My passwords to gmail and msn are available for all to see for someone who might be strolling around my workstation/laptop while i'm not there, (if I forget to log out or lock)... using the quickAllow dialog.
Now if someone finds my wireless network key, I don't really care in the scheme of things, even if they use my network to commit bad acts, it happens often enough that I'm unlikely to be penalized. However! I and most people have very sensitive information in our webmail accounts and easy access to them is definitely something I'd like to avoid.
It looks like the quickAllow dialog is from some common library that both applications call into. Please can this prompt for a password, the same way as critical updates do!!!
Thank you.