GAIM wtf



  • So while snooping around in my linux partition under Windows, I found out that GAIM (a multiprotocol IM client) stores its user IDs and passwords in an XML file - in cleartext. Although the file's permissions are set as read-write for owner and nothing for others, it's still kinda weird for such a widely used (I hate it though) and touted as the best IM client the foss/linux world has to offer. Anyone with an ext3 partition reader can read the passwords.... so can the root user.



  • From http://gaim.sourceforge.net/plaintextpasswords.php:

    Instant messaging is not very secure, and it's kind of pointless to
    spend a lot of time adding protections onto the fairly strong file
    protections of UNIX (our native platform) when the protocols themselves
    aren't all that secure. The way to truly know who you are talking to is
    to use an encryption plugin on both ends (such as gaim-e or
    gaim-encryption), and use verified GPG keys. Secondly, you shouldn't be
    using your instant messaging password for anything else. While
    some protocols have decent password security, others are insufficient
    and some (like IRC) don't have any at all.

    There are basically four approaches to password storage...blahblahblah




  • @mercurysquad said:

    So while snooping around in my linux partition under Windows, I found out that GAIM (a multiprotocol IM client) stores its user IDs and passwords in an XML file - in cleartext. Although the file's permissions are set as read-write for owner and nothing for others, it's still kinda weird for such a widely used (I hate it though) and touted as the best IM client the foss/linux world has to offer. Anyone with an ext3 partition reader can read the passwords.... so can the root user.


    This is exactly how security works.

    Root access means full control of the system, and all data residing on it.
    Raw read/write access to the drive means full control of the machine.

    Trying to hide the password in this case is futile. You can obscure it to make it harder to find, but this is really a usability problem.

    Gaim, presumably, stores the passwords so that you DO NOT HAVE TO ENTER THEM every time you start the program. I'm pretty sure there's a checkbox for this behaviour. There's no way to have an automatic logon without storing all the information on the system.

    Simply encrypting the file does no good, since the key to decrypt it would have to be, again, stored somewhere. The alternative here would be to have a second password that's used to encrypt the password database. That way, you only have to enter one password rather than the password for each IM account.

    That's the approach that's used by KDE with the KWallet system. A master password unlocks the key store, and decrypts the individual passwords that are needed, for email, remote login, instant messaging, etc.

    That defeats the point of a password-less login, however, so to offer that functionality GAIM really doesn't have a choice and isn't doing anything wrong either.

    If you want to protect your personal data, then you should look into encrypting your home directory. That means that you'll have to enter the passphrase for mounting the home directory after logging in. This way, without the passphrase, nobody can read your files. When someone pulls the HDD or boots another OS to examine it, the data can only be dead in the encrypted form.

    Of course, the root user will still (and always) be able to read the data after you log in and provide the passphrase. You'll always have to trust that.

    So Gaim is pretty much doing the right thing here. They could try to provide their own encryption framework, but the purpose of the project is instant messaging, and not crypto. There are other, well established projects to do crypto, and those projects have the resources to make sure that they get it right.
    Haphazardly added crypto would be a real WTF, since that's most likely to contain flaws compromising the integrity of the algorithms (or worse, contain home-brewed algorithms with holes big enough to drive a truck through.)

    The moral is: anyone with admin access to your system, or worse, with physical access, has complete control over it.



  • Many similar programs do not store the passwords in cleartext, but obfuscated. While this is clearly not enough to keep off a dedicated hacker (for all the reasons Nanduris has given), the occasional snooping coworker might not have the guts to break that.



  • Even if it isn't insecure, it doesn't look good to most people. If Gaim worried about its image any it wouldn't do this. I think it would be better to not store the data in cleartext, even if it didn't add any security.



  • The real WTF is whining about Gaim's security. They make good points on their password FAQ:

    "Lastly, you can not store passwords at all. This is Gaim's default,
    and by far the most secure of all of the options."

    It ain't their fault you use an insecure setup. You could encrypt your filesystem - problem solved.



  • @HeroreV said:

    Even if it isn't insecure, it doesn't look good to most people. If Gaim worried about its image any it wouldn't do this. I think it would be better to not store the data in cleartext, even if it didn't add any security.

    How can a computer program be worried about its image?



  • GPG keys


    GPG keys?

    Gaim Pretty Good keys?


  • @dhromed said:


    GPG keys?

    Gaim Pretty Good keys?


    GNU Privacy Guard keys. (http://www.gnupg.org/)



  • Sorry mercury, but I agree with everyone else here.  The only thing worse than no security is a false sense of security.  There is no honestly secure way that GAIM could keep your password stored for you, as already mentioned.
    For those worried about "image", you're missing the point.  It looks bad because it is bad; hiding that fact doesn't make it any less so.  It's the age-old adage about security by obscurity.  If you feel like you're safe (nobody can see my password), you're likely to take more risks (use the same password as for other things, not bothering to try to keep it secure).
    By not pretending to be secure, GAIM is being honest.  That's a lot more than you can say for most.

    PS: This is a case where public-key encryption doesn't help.  It works well over a communication channel (no shared secrets), but just like this saved password, the private key needs to be kept locally.  Therefore, the private key is no more secure than the cleartext password in the permission-restricted file.  Either way, if you are able to read the file, you've got what you need.  This is a weakness that no password/key/biometric signature can avoid--the key is always stored somewhere, it's just a matter of accessing it.



  • hmm ok... lots of new insights..
    what can I say, every day is a day at school.

