Do not disclose user credentials when passing them through D-Bus
Steps to reproduce:
- Install Ubuntu 16.04 LTS
- Install Evolution
- Set-up Google account with default settings (this will end with e-mail and calendar)
- Reboot
- Open evolution Calendar and/or indicator-datetime
- Launch `dbus-monitor`
Expected results:
- Evolution does not show account credentials in plain text in `dbus-monitor` output
Actual results:
- Evolution shows account credentials in plain text in `dbus-monitor` output:
```
method call time=1557268474.383095 sender=:1.74 -> destination=:1.40 serial=939 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
array [
string "password:myrealpassword"
string "ssl-trust:"
]
method return time=1557268474.383686 sender=:1.40 -> destination=:1.74 serial=366 reply_serial=939
signal time=1557268474.389206 sender=:1.40 -> destination=(null destination) serial=367 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
array [
string "password:myrealpassword"
string "ssl-trust:"
]
signal time=1557268520.956861 sender=:1.40 -> destination=(null destination) serial=408 path=/org/gnome/evolution/dataserver/SourceManager/Source_19; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
array [
string "password:myrealpassword"
string "ssl-trust:"
string "username:real@email"
]
signal time=1557268520.960443 sender=:1.40 -> destination=(null destination) serial=409 path=/org/gnome/evolution/dataserver/SourceManager/Source_18; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
array [
string "password:myrealpassword"
string "ssl-trust:"
string "username:real@email"
]
signal time=1557268520.964374 sender=:1.40 -> destination=(null destination) serial=410 path=/org/gnome/evolution/dataserver/SourceManager/Source_20; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
array [
string "password:myrealpassword"
string "ssl-trust:"
string "username:real@email"
]
```
This is a huge security flaw: a malicious script can parse `dbus-monitor` output... Not sure about more recent Ubuntu and Evolution versions.
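As an added check (not part of the bug report or of evolution-data-server), the script below parses `dbus-monitor` output and reports every `Authenticate` / `InvokeAuthenticate` message on the `org.gnome.evolution.dataserver.Source` interface that carries a `password:` or `username:` field, redacting the values so the check never reprints the secret; the embedded sample is constructed from the format shown above with placeholder credentials.

```python
import re
import sys

# Constructed sample in dbus-monitor's output format; password and address are placeholders.
SAMPLE = """method call time=1557268474.383095 sender=:1.74 -> destination=:1.40 serial=939 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
array [
   string "password:myrealpassword"
   string "ssl-trust:"
]
signal time=1557268520.956861 sender=:1.40 -> destination=(null destination) serial=408 path=/org/gnome/evolution/dataserver/SourceManager/Source_19; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
array [
   string "password:myrealpassword"
   string "username:real@email"
]
"""
SENSITIVE_KEYS = {"password", "username"}          # credential fields in the Source.Authenticate payload
AUTH_MEMBERS = {"Authenticate", "InvokeAuthenticate"}
HEADER_RE = re.compile(r"^(method call|method return|signal|error)\s+time=")
FIELD_RE = re.compile(r"(\w+)=(\S+?)(?:;|\s|$)")   # key=value tokens in a message header line
STRING_RE = re.compile(r'^string "(.*)"$')

def parse_messages(text: str) -> list:
    """Group dbus-monitor lines into messages: header fields plus any array string items."""
    messages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()                           # dbus-monitor indents array items; the report did not
        if HEADER_RE.match(line):
            current = {"fields": dict(FIELD_RE.findall(line)), "strings": []}
            messages.append(current)
        elif current is not None and (m := STRING_RE.match(line)):
            current["strings"].append(m.group(1))
    return messages

def find_credential_leaks(text: str) -> list:
    """One finding per auth message that carries a credential field; values are redacted, never returned."""
    findings = []
    for msg in parse_messages(text):
        member = msg["fields"].get("member")
        if member not in AUTH_MEMBERS:
            continue
        leaked = {}
        for item in msg["strings"]:
            key, sep, value = item.partition(":")
            if sep and key in SENSITIVE_KEYS and value:  # "ssl-trust:" has an empty value and is ignored
                leaked[key] = "<redacted, %d chars>" % len(value)
        if leaked:
            findings.append({"time": msg["fields"]["time"], "member": member,
                             "path": msg["fields"].get("path"), "leaked": leaked})
    return findings

if __name__ == "__main__":
    # Pipe live output in ("timeout 60 dbus-monitor --session | python3 dbus_cred_check.py") or run on the sample.
    for f in find_credential_leaks(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE):
        print("%s %s %s -> %s" % (f["time"], f["member"], f["path"], f["leaked"]))
```

An empty result from a capture taken while Evolution authenticates is the expected state once the fix is installed; any finding means credentials are still visible to every process on the session bus.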
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: evolution-data-server-common 3.18.5-1ubuntu1.1
ProcVersionSignature: Ubuntu 4.4.0-143.169-generic 4.4.170
Uname: Linux 4.4.0-143-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 8 01:40:27 2019
InstallationDate: Installed on 2018-01-04 (488 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
PackageArchitecture: all
SourcePackage: evolution-data-server
UpgradeStatus: No upgrade log present (probably fresh install)
Downstream bug report is here: https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1828124 (currently it is private, as it is a serious security flaw).
Edited by Norbert X