Fix for password exposure in Pidgin (master password patch)

Pidgin is an instant messaging program for Windows, Linux, BSD, and other Unixes. You can talk to your friends using AIM, ICQ, Jabber/XMPP, MSN Messenger, Yahoo!, Bonjour, Gadu-Gadu, IRC, Novell GroupWise Messenger, QQ, Lotus Sametime, SILC, SIMPLE, and Zephyr.

Pidgin stores your passwords in plain text in ~/.purple/accounts.xml. Someone can easily boot into recovery mode while you are away and read your passwords in plain text.

Download the patch from here into the same directory and run the following:

    tar xf master-password.patch.tar
    patch -p1 < master-password.patch

You should then be ready to configure, make, and install as normal:

    ./configure
    make
    sudo make install

When you launch Pidgin, you will see a new tab in the preferences called "security", where you can set a master password. The link above has screenshots. After configuring, you should notice that accounts.xml now contains gibberish where there once were plaintext passwords.

To remove Pidgin, run the following from the directory in which you built it:

    make uninstall

This works for Pidgin versions 2.1.0 and 2.1.1.
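A quick way to see which of your accounts currently have a password sitting in accounts.xml, before and after applying the patch. This is an added audit script, not part of the patch or of Pidgin; it assumes the libpurple layout (a root `<account>` element whose `<account>` children carry `<protocol>`, `<name>` and an optional `<password>`), and the sample XML below is constructed.

```python
"""Audit a Pidgin/libpurple accounts.xml for credentials saved on disk.

Assumption (not from the post): the root <account> element holds one
<account> child per configured account with <protocol>, <name> and an
optional <password>; no <password> element means the password was not saved.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: two accounts with saved passwords, one without.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.com/Home</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-icq</protocol>
    <name>123456789</name>
    <password>letmein</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.net</name>
  </account>
</account>
"""


def saved_passwords(xml_text):
    """Return (protocol, name) for every account whose password is in the file."""
    root = ET.fromstring(xml_text)
    found = []
    for acct in root.findall("account"):
        if acct.findtext("password"):  # present and non-empty: secret is on disk
            found.append((acct.findtext("protocol"), acct.findtext("name")))
    return found


def loose_permissions(path):
    """True if the file is readable by group or others (expected mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    path = os.path.expanduser("~/.purple/accounts.xml")
    with open(path, encoding="utf-8") as fh:
        for proto, name in saved_passwords(fh.read()):
            print(f"password stored on disk: {proto} {name}")
    if loose_permissions(path):
        print(f"{path} is readable by other local users")
```

The permission check only protects against other users on a running system; it does nothing against the boot-into-recovery scenario above, which is exactly the gap the master password patch closes.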


7 Responses

  1. I wish I had known this before!!

    My GMail account was stolen today, and in the course of tracking down how it happened I hit upon Pidgin as one other password that was stolen (the only other one) was my ICQ account which I almost never use. The password for ICQ *only* exists in Accounts.XML so that is certainly how the hacker got my GMail password as well.

    I’m rather upset that anyone considers it acceptable to store plaintext passwords. I use a password manager on my system that requires a Master Password to unlock, and yet one of my most important passwords is compromised by a bad programming decision. How they got the Accounts.XML file is almost irrelevant (not quite sure, but I’ve wiped the system just in case the exploit was still around), just that it apparently is a juicy target that IS BEING TARGETED.

    I will never again use Pidgin until this is changed.

  2. scv5 says:

    If you wrote that patch, you need to contact the pidgin developers team to push this upstream.

  3. ConnorBehan says:

    I would really like to include that patch in my “Funpidgin” package which aims to give users the features they ask for without being preachy or political. Is that ok? I will give you credit for writing it on the site if you tell me what name I should use. Thanks!

  4. admin says:

    Yes, you can use it, and you can use the name for this.

  5. TSM says:

    Nice catch. I noticed this a few days ago myself and was highly confused that anyone would store passwords in such a way. I really hope the pidgin development team fixes this in the not too distant future.

  6. Attila says:

    Hi guys!
    I actually read at the pidgin website why they decided not to encode the passwords on your hard drive.
    Since you probably did not read it here it is in short:
    The passwords are sent through the internet without encryption. Therefore if your password is encoded on your box it gives you a false feeling of security.
    By the way when your passwords are stolen from your machine it is the same as if your keys were stolen from your desk. Do not leave your machine unattended and unlocked.

  7. simon says:

    Attila – actually the passwords are not necessarily sent in plaintext. My GTalk account uses SSL/TLS. I would very much prefer that my password was *not* stored in plaintext on my filesystem.

    The Pidgin developers’ argument is basically that unless the security is 100%, a little security is not better than no security. I don’t agree.
