Fix for password exposure in Pidgin (master password patch)
Pidgin stores your passwords in plain text in ~/.purple/accounts.xml. Someone can easily boot into recovery mode while you are away and read your passwords from that file in plain text.
Download the patch from here into the same directory and run the following:

tar xf master-password.patch.tar
patch -p 1 < master-password.patch

You should then be ready to configure, make, and install as normal:

./configure
make
sudo make install

When you launch Pidgin, you will see a new tab in Preferences called "Security". You can set a master password there. The link above has screenshots. After configuring it, you should notice that the accounts.xml file now contains gibberish where the passwords used to be.

To remove Pidgin, run the following from the directory in which you built it:

make uninstall

This works for Pidgin versions 2.1.0 and 2.1.1.
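Before and after applying a patch like this, it helps to be able to check for yourself whether accounts.xml still holds cleartext secrets. The script below is an added example, not part of the post or of the patch: it parses the file, reports which accounts carry a stored <password> element, and flags loose file permissions, without ever printing the password values themselves. The embedded XML is a constructed sample that assumes the libpurple layout (a root <account version='1.0'> wrapping one <account> element per configured account); the function names and the Finding type are my own.

```python
"""Audit a Pidgin/libpurple accounts.xml for passwords stored in the clear.

Added example: reports which accounts have a stored password and whether the
file is readable by other users. Password values are never printed.
"""
import os
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample mirroring the libpurple accounts.xml layout (assumption:
# root <account version='1.0'> wrapping one <account> element per account).
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.com/Home</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-icq</protocol>
    <name>123456789</name>
    <password>letmein</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.net</name>
  </account>
</account>
"""


@dataclass
class Finding:
    protocol: str
    name: str
    stored_password: bool   # True when a non-empty <password> element exists


def audit_accounts(xml_text: str) -> List[Finding]:
    """Return one Finding per configured account in the given accounts.xml text."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    # root.iter("account") also yields the root wrapper; it has no <name>
    # child, so it is skipped by the check below.
    for acct in root.iter("account"):
        name = acct.find("name")
        if name is None:
            continue
        protocol = acct.findtext("protocol", default="?")
        pw = acct.find("password")
        has_pw = pw is not None and bool((pw.text or "").strip())
        findings.append(Finding(protocol, name.text or "", has_pw))
    return findings


def plaintext_accounts(xml_text: str) -> List[Finding]:
    """Accounts whose password sits in the file in the clear."""
    return [f for f in audit_accounts(xml_text) if f.stored_password]


def group_or_world_readable(mode: int) -> bool:
    """True if any group/other permission bit is set on the file mode."""
    return bool(mode & 0o077)


def main(path: str = os.path.expanduser("~/.purple/accounts.xml")) -> int:
    """Print a report for the real file (or the sample if it is absent)."""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        if group_or_world_readable(os.stat(path).st_mode):
            print(f"WARNING: {path} is readable by group/other; chmod 600 it")
    else:
        print(f"{path} not found; auditing the constructed sample instead")
        text = SAMPLE_ACCOUNTS_XML
    exposed = plaintext_accounts(text)
    for f in audit_accounts(text):
        state = "PLAINTEXT PASSWORD STORED" if f.stored_password else "no stored password"
        print(f"{f.protocol:12} {f.name:32} {state}")
    print(f"{len(exposed)} account(s) with a cleartext password on disk")
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

The exit status is non-zero whenever at least one account still has a stored password, so the script can be dropped into a login check or a configuration-audit job. Note that it only tells you whether a <password> element is present; after the master-password patch the element may still exist but hold ciphertext, so use the script to confirm that the values are no longer recognisable rather than that the element disappeared.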
I wish I had known this before!!
My GMail account was stolen today, and in the course of tracking down how it happened I hit upon Pidgin as one other password that was stolen (the only other one) was my ICQ account which I almost never use. The password for ICQ *only* exists in Accounts.XML so that is certainly how the hacker got my GMail password as well.
I’m rather upset that anyone considers it acceptable to store plaintext passwords. I use a password manager on my system that requires a Master Password to unlock, and yet one of my most important passwords is compromised by a bad programming decision. How they got the Accounts.XML file is almost irrelevant (not quite sure, but I’ve wiped the system just in case the exploit was still around), just that it apparently is a juicy target that IS BEING TARGETED.
I will never again use Pidgin until this is changed.
If you wrote that patch, you need to contact the pidgin developers team to push this upstream.
I would really like to include that patch in my “Funpidgin” package which aims to give users the features they ask for without being preachy or political. Is that ok? I will give you credit for writing it on the site if you tell me what name I should use. Thanks!
Yes, you can use it, and you can use the ubuntugeek.com name for this.
Nice catch. I noticed this a few days ago myself and was highly confused that anyone would store passwords in such a way. I really hope the pidgin development team fixes this in the not too distant future.
I actually read at the pidgin website why they decided not to encode the passwords on your hard drive.
Since you probably did not read it here it is in short:
The passwords are sent through the internet without encryption. Therefore if your password is encoded on your box it gives you a false feeling of security.
By the way when your passwords are stolen from your machine it is the same as if your keys were stolen from your desk. Do not leave your machine unattended and unlocked.
Attila – actually the passwords are not necessarily sent in plaintext. My GTalk account uses SSL/TLS. I would very much prefer that my password was *not* stored in plaintext on my filesystem.
The Pidgin developers’ argument is basically that unless the security is 100%, a little security is not better than no security. I don’t agree.