Fix for Master password expose for Pidgin
Posted by admin on November 13th, 2007
Pidgin stores your passwords in plain text in ~/.purple/accounts.xml. Someone can easily boot into recovery mode while you are away and read your passwords from that file in plain text.
Download the patch from here into the Pidgin source directory and run the following:
tar xf master-password.patch.tar
patch -p 1 < master-password.patch
You should be ready to configure, make, and install as normal.
./configure
make
sudo make install
When you launch pidgin, you will see a new tab in the preferences called "security". You can set a master password there. The link above has screenshots. After configuring, you should notice that the accounts.xml file now has gibberish where there once were passwords.
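As an added check, written for this post and not part of the patch or of Pidgin, the script below parses an accounts.xml laid out the way Pidgin 2.x writes it and reports which accounts still have a password value stored in the file, plus whether the file mode lets other users read it. The sample XML and account names are constructed.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample, laid out like a Pidgin 2.x ~/.purple/accounts.xml:
# one <account> child per login, with the credential in a <password> element.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.com/Home</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-icq</protocol>
    <name>123456789</name>
  </account>
  <account>
    <protocol>prpl-msn</protocol>
    <name>bob@example.com</name>
    <password></password>
  </account>
</account>
"""

def accounts_with_stored_password(xml_text):
    """Return (protocol, name) for each account whose <password> element is
    present and non-empty, i.e. a credential that has been written to disk."""
    root = ET.fromstring(xml_text)
    found = []
    for acct in root.findall("account"):
        if acct.findtext("password"):  # None (absent) or "" (empty) -> skip
            found.append((acct.findtext("protocol"), acct.findtext("name")))
    return found

def audit_accounts_file(path):
    """Audit a real accounts.xml: which accounts keep a password in the file,
    and whether the file mode lets group/other users read it."""
    with open(path, encoding="utf-8") as fh:
        stored = accounts_with_stored_password(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "stored_passwords": stored,
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }

if __name__ == "__main__":
    path = os.path.expanduser("~/.purple/accounts.xml")
    print(audit_accounts_file(path))
```

After the patch the password elements still exist but hold the encrypted value, so the script will keep listing those accounts; the point of running it is to confirm that no account it reports carries a recognisable cleartext password and that the file is not readable by other users.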
To remove pidgin, run the following from the directory in which you built pidgin
make uninstall
This works with Pidgin versions 2.1.0 and 2.1.1.

February 22nd, 2008 at 11:29 am
I wish I had known this before!!
My GMail account was stolen today, and in the course of tracking down how it happened I hit upon Pidgin as one other password that was stolen (the only other one) was my ICQ account which I almost never use. The password for ICQ *only* exists in Accounts.XML so that is certainly how the hacker got my GMail password as well.
I’m rather upset that anyone considers it acceptable to store plaintext passwords. I use a password manager on my system that requires a Master Password to unlock, and yet one of my most important passwords is compromised by a bad programming decision. How they got the Accounts.XML file is almost irrelevant (not quite sure, but I’ve wiped the system just in case the exploit was still around), just that it apparently is a juicy target that IS BEING TARGETED.
I will never again use Pidgin until this is changed.
April 9th, 2008 at 1:54 pm
If you wrote that patch, you need to contact the pidgin developers team to push this upstream.
April 30th, 2008 at 5:45 pm
I would really like to include that patch in my “Funpidgin” package which aims to give users the features they ask for without being preachy or political. Is that ok? I will give you credit for writing it on the site if you tell me what name I should use. Thanks!
April 30th, 2008 at 6:19 pm
Yes, you can use it, and you can use the ubuntugeek.com name for this.
June 6th, 2008 at 9:14 am
Nice catch. I noticed this a few days ago myself and was highly confused that anyone would store passwords in such a way. I really hope the pidgin development team fixes this in the not too distant future.