Ahmed El Gamil » hacks http://www.blog.manhag.org Thu, 02 Sep 2010 10:54:00 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 http://www.blog.manhag.org http://www.blog.manhag.org/wp-content/mbp-favicon/favicon.ico Ahmed El Gamil Pidgin may eat your password ! http://www.blog.manhag.org/2008/12/pidgin-may-eat-your-password/ http://www.blog.manhag.org/2008/12/pidgin-may-eat-your-password/#comments Thu, 11 Dec 2008 18:41:09 +0000 Ahmed El Gamil http://www.blog.manhag.org/?p=275 الحمد لله و كفى و صلاة و سلاماً على عباده الذين اصطفى

logopidgin

EDIT: Added the solution at the end of the post

So i have been navigating through my home directory and i found a hidden directory (which starts with a dot .) and i found a directory called .purple..Hmm, i don’t remember installing an application called purple.. :-o

So after some searching i found that the .purple directory contains some files related to pidgin The universal Instant messaging client..okay this sounds reasonable now..the pidgin color is purple :mrgreen:

okay..before you read any further in this topic please open a terminal in your Linux distro and execute the following command:

cat ~/.purple/acc* | grep “ord>”

YES, the output you have seen from this command is REAL !! :mrgreen: ..It is your IM passwords :D

I used some bash tricks to hide what the command really do..but here is what it will really do

cat ~/.purple/accounts.xml | grep password

and if you are using window$, you will find it in C:Documents and Settings%USERNAME%Application Data.purpleaccounts.xml

What are we having here ? , well pidgin is not saving the passwords in encrypted format, it is saving them in clear text !

So beware.. don’t save your password on pidgin when using a shared machine with someone else :-D

Solution

First of all, lets see why did the pidgin team decided not to encrypt the passwords, actually they talked about lots of issue, but to summarize, Here is a quote from their wiki:

Instant messaging is not very secure, and it’s kind of pointless to spend a lot of time adding protections onto the fairly strong file protections of UNIX (our native platform) when the protocols themselves aren’t all that secure

Edit: Kamasheto added the following quote in the comments, thanks kama :)

“But other programs don’t store my password in plain text!”

That’s true. But few of them store it in a way that’s any safer. A Google search for im passwords shows a bunch of hits for getting the passwords out of other IM clients just as easily as Pidgin.

so they advice you to use key rings that comes with your desktop environment (GNOME and KDE have key rings), there is a project discussing this issue here

Another solution is use a master password mechanism, like that one implemented in firefox, you can use this feature in pidgin by install the Password Encryption plugin

Hope this tips will solve the problem isA

سبحانك اللهم و بحمدك..أشهد ان لا إله إلا أنت..أستغفرك و أتوب إليك

]]> http://www.blog.manhag.org/2008/12/pidgin-may-eat-your-password/feed/ 12