! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
Plain text password in the mailwatch file.
Status:
RESOLVED: WONTFIX
Severity:
enhancement
Product:
Xfce4-mailwatch-plugin
Component:
General

Comments

Description tim de gier 2007-08-31 18:10:38 CEST
Hello,

I just found out the xfce4-mailwatch-plugin is storing its password in plain text. Although I know pop3 is an unencrypted protocol, it's still better not to store a password in plain text, since it will just make things easier for an attacker to hack into other services you own. Especially with mail, this can lead to very bad things.

Greets,

Crypt0 (Tim de Gier@home.nl)

"attachment"
crypt0:/home/crypt0/.config/xfce4/panel# cat mailwatch-11885819891.rc
[mailwatch-plugin]
click_command=
new_messages_command=
normal_icon=xfce-nomail
new_mail_icon=xfce-newmail
log_lines=200
show_log_status=true

[mailwatch]
nmailboxes=1
mailbox0=pop3
mailbox_name0=timdegier

[mailbox0]
host=xxxx.xxxx.nl
username=timdegier
password=xxxxxpassword_is_herexxxxx
auth_type=0
use_standard_port=1
nonstandard_port=0
timeout=600
Comment 1 Brian J. Tarricone (not reading bugmail) 2007-08-31 18:17:45 CEST
Any obfuscation of the password would just lead to a false sense of security, since there's no way to actually 'encrypt' the password in such a way that others could not easily decrypt it (at least not without having a master password that has to be entered every time mailwatch starts).

Normal unix permissions should keep other people on the system out.  You shouldn't be using this plugin on a system where you don't trust the people with root access.
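
One way to check the point made in Comment 1, that file permissions are what protects the stored password (an added example, not part of the bug thread or the plugin's code): it flags mailwatch rc files that group or other users can access and lists the sections that carry a password key. Parsing the file with configparser and the mailwatch-*.rc glob are assumptions based on the file shown in the report; the sample values are constructed.

```python
import configparser, os, stat, tempfile
from pathlib import Path

# Constructed sample in the layout shown in the report (values are placeholders).
SAMPLE = """[mailwatch]
nmailboxes=1
mailbox0=pop3

[mailbox0]
host=mail.example.invalid
username=user
password=constructed-placeholder
"""

def audit_rc(path, fix=False):
    """Return findings for one mailwatch rc file; fix=True sets mode 0600."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        if fix:
            os.chmod(path, 0o600)  # owner read/write only
        else:
            findings.append(f"mode {mode:04o} lets group/other access the file")
    # interpolation=None: a '%' in a password must not be treated as a template
    rc = configparser.ConfigParser(interpolation=None, strict=False)
    rc.read(path)
    for section in rc.sections():
        if rc.get(section, "password", fallback=""):
            findings.append(f"[{section}] holds a plain-text password")
    return findings

def demo():
    """Audit a constructed, world-readable rc file before and after the fix."""
    with tempfile.TemporaryDirectory() as tmp:
        rc_file = Path(tmp) / "mailwatch-0.rc"
        rc_file.write_text(SAMPLE)
        os.chmod(rc_file, 0o644)
        before = audit_rc(rc_file)
        audit_rc(rc_file, fix=True)
        after = audit_rc(rc_file)
        return before, after

if __name__ == "__main__":
    # Assumed location, taken from the path in the report.
    panel_dir = Path.home() / ".config" / "xfce4" / "panel"
    for rc_file in sorted(panel_dir.glob("mailwatch-*.rc")):
        for finding in audit_rc(rc_file):
            print(f"{rc_file}: {finding}")
```

Tightening the mode removes the permission finding only; the password finding remains because the value is still stored in the file.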
Comment 2 Brian J. Tarricone (not reading bugmail) 2009-12-09 06:36:33 CET
*** Bug 6062 has been marked as a duplicate of this bug. ***
Comment 3 Ján Sučan editbugs 2013-11-03 17:11:00 CET
*** Bug 7784 has been marked as a duplicate of this bug. ***

Bug #3516

Reported by:
tim de gier
Reported on: 2007-08-31
Last modified on: 2013-11-03
Duplicates (2):
  • 6062 Passwords stored in clear text in ~/.config/xfce4/panel/mailwatch
  • 7784 Passwords stored in plain text

People

Assignee:
Brian J. Tarricone (not reading bugmail)
CC List:
3 users

Version

Version:
1.1.0 or older
