Comments on: Fix for Master password expose for Pidgin

By: simon

simon — Sat, 29 May 2010 12:27:03 +0000

Attila - actually the passwords are not necessarily sent in plaintext. My GTalk account uses SSL/TLS. I would very much prefer that my password was *not* stored in plaintext on my filesystem.

The Pidgin developers’ argument is basically that unless the security is 100%, a little security is not better than no security. I don’t agree.

*frustrated*

By: Attila

Attila — Tue, 07 Oct 2008 11:31:16 +0000

Hi guys!
I actually read at the pidgin website why they decided not to encode the passwords on your hard drive.
Since you probably did not read it here it is in short:
The passwords are sent through the internet without encryption. Therefore if your password is encoded on your box it gives you a false feeling of security.
By the way when your passwords are stolen from your machine it is the same as if your keys were stolen from your desk. Do not leave your machine unattended and unlocked.
Attila

By: TSM

TSM — Fri, 06 Jun 2008 08:14:51 +0000

Nice catch. I noticed this a few days ago myself and was highly confused that anyone would store passwords in such a way.. I really hope the pidgin development team fixes this in the not too distant future.

By: admin

admin — Wed, 30 Apr 2008 17:19:45 +0000

yes you can use and you can use ubuntugeek.com name for this

By: ConnorBehan

ConnorBehan — Wed, 30 Apr 2008 16:45:39 +0000

I would really like to include that patch in my “Funpidgin” package which aims to give users the features they ask for without being preachy or political. Is that ok? I will give you credit for writing it on the site if you tell me what name I should use. Thanks!

By: scv5

scv5 — Wed, 09 Apr 2008 12:54:01 +0000

If you wrote that patch, you need to contact the pidgin developers team to push this upstream.

By: Alvin Brinson

Alvin Brinson — Fri, 22 Feb 2008 10:29:09 +0000

I wish I had known this before!!

My GMail account was stolen today, and in the course of tracking down how it happened I hit upon Pidgin as one other password that was stolen (the only other one) was my ICQ account which I almost never use. The password for ICQ *only* exists in Accounts.XML so that is certainly how the hacker got my GMail password as well.

I’m rather upset that anyone considers it acceptable to store plaintext passwords. I use a password manager on my system that requires a Master Password to unlock, and yet one of my most important passwords is compromised by a bad programming decision. How they got the Accounts.XML file is almost irrelevant (not quite sure, but I’ve wiped the system just in case the exploit was still around), just that it apparently is a juicy target that IS BEING TARGETTED.

I will never again use Pidgin until this is changed.