Bug 147873

Summary: require password before displaying clear text username and password
Product: kwalletmanager Reporter: Marco Costantini <marco.costantini71>
Component: general Assignee: Valentin Rusu <valir>
Status: ASSIGNED ---    
Severity: task CC: bjoernv, capnedwin, cpigat242, eshkrig, flyos, frodriguez.developer, fuckel, gem, jasper.noid, kneczaj, kumaran, m.wege, nortexoid, postix, richih-kde, valir
Priority: HI    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Attachments: kwalltermanager-4.14.3-kauth.patch
kwalletmanager-4.14.3-kauth.patch
kwalletmanager-4.14.3-kauth.patch

Description Marco Costantini 2007-07-14 17:04:00 UTC
Version:           1.1 (using KDE 3.5.6, Kubuntu (feisty) 4:3.5.6-0ubuntu14)
Compiler:          Target: x86_64-linux-gnu
OS:                Linux (x86_64) release 2.6.17-10-generic

Consider the following scenario: a user has the wallet open (this is normal, as used by kmail).

The user gets distracted for a moment, and leaves the PC unlocked, and the wallet open (once in a while it may happen, even if the user is usually careful).

Then everyone that comes there can read or change the usernames and passwords, very quickly, without installing or modifying anything, and without any technical knowledge. Furthermore, the spy can quickly delete any evidence simply by closing one window, when the legitimate user is coming back.

Hence my proposal is that kwalletmanager asks once again for the same password that is used to open a wallet before allowing the user to change its master password, or showing the wallet's clear text content or allowing the user to modify it from the wallet main window.

This could be done as follows: when in the kwalletmanager window the user tries to open a wallet, then the wallet's password is asked for again once.

Of course, if kwalletmanager asks for the password again, this doesn't prevent more complex attacks, but is very effective against the very naive ones.

This would be similar to login. After having provided the username and password, the user is allowed to do everything, except to change the password. In order to change the password, the user is required to provide the password again.
 

(Note that this bug may be related to bugs 120512, 115011 and 80063. I'm reporting again because they are "Status:  RESOLVED, Resolution:  WONTFIX", and IMHO there isn't enough reason for not fixing them.)
Comment 1 kilrae 2007-10-07 01:30:15 UTC
I agree completely.  The default behaviour is for your wallet to stay open until it is manually closed.  Potentially dangerous actions like viewing passwords in clear text and changing the master password should require re-authentication much the same way that most web services will "remember" you and allow you a certain level of access but then require you enter your password to access more dangerous features.
Comment 2 Michael Leupold 2008-05-06 20:09:12 UTC
*** Bug 140825 has been marked as a duplicate of this bug. ***
Comment 3 Michael Leupold 2008-05-06 23:52:14 UTC
*** Bug 149403 has been marked as a duplicate of this bug. ***
Comment 4 Kumaran Santhanam 2010-05-14 08:32:30 UTC
I would like to ask if somebody can please update this to be a severe bug instead of a wishlist item.  Security issues can seriously compromise the usage of kwallet.
Comment 5 Richard Hartmann 2011-03-09 18:25:04 UTC
*** Bug 171608 has been marked as a duplicate of this bug. ***
Comment 6 Richard Hartmann 2011-03-09 18:26:35 UTC
Bug 171608 has a lot more comments.

To make a long story short, this seems like a trivial change and it can only serve to increase security.
Comment 7 Christoph Feck 2011-05-02 20:44:15 UTC
*** Bug 271479 has been marked as a duplicate of this bug. ***
Comment 8 Christoph Feck 2013-02-19 00:50:36 UTC
*** Bug 314599 has been marked as a duplicate of this bug. ***
Comment 9 Eugeny Shkrigunov 2013-04-03 13:04:26 UTC
Hi!
Sorry for my English.

kwallet is totally insecure while it is open.
Anyone who has access to a non-locked desktop with an opened kwallet can view, modify or export all stored passwords or even change the wallet's password, without knowing the original one.
Requiring the wallet's password to be entered every time to view, modify or export stored passwords, change the wallet's password, etc. is absolutely essential for the safe operation of kwallet.
This is definitely a security problem and this problem is not solved for almost 6 years ...
Protect our passwords, please!
Comment 10 Michael D 2013-04-03 13:15:35 UTC
Eugeny is completely right. Kwallet might as well store passwords in plain text on the desktop in a file called "passwords!.txt". Disabling kwallet is fairly easy, but it's super inconvenient having to re-enter passwords for akonadi, network manager, etc. every time it requests them. So you're stuck with security + inconvenience, or insecurity + convenience. I've happened to go grudgingly with the latter, but I wish this GAPING security flaw would get addressed VERY soon.
Comment 11 Valentin Rusu 2013-09-03 22:13:14 UTC
I'll add a new feature related to this report: ask for the current password upon password change request.

For the other problems, have you ever tried the option named "close when unused for:" that one can find in kwallet settings? AFAICT, that would fix all of the other concerns reported here.
Comment 12 Eugeny Shkrigunov 2013-09-08 07:42:29 UTC
(In reply to comment #11)
> I'll add a new feature related to this report: ask for the current password
> upon password change request.
> 
> For the other problems, have you ever tried the option named "close when unused
> for:" one can find in kwallet settings? AFAICT, that would fix all of the
> other concerns reported here.

Yes, it is possible to set "close when unused for:" = 1 minute. Why use kwallet at all if you have to enter kwallet's password again and again and again all the time?
There are 2 types of actions: the usual everyday usage (to save/get a password in kwallet) and the hazardous rare one (to view/export/import all passwords, change the master password, etc.).
The comfortable usual everyday usage is to not enter kwallet's password every N minutes.
On any hazardous action kwallet MUST ask for the password.
Just do it as an option, please.
Sorry for my English.
Comment 13 flyos 2013-09-12 12:45:57 UTC
Hi!

I'm also very concerned by the fact that if I ever forget to lock my screen when leaving my computer, anybody could come and have access to all my passwords... Yet, closing the wallet every XX minutes would prove very annoying!

I think asking for the password again before displaying anything in plain text would be very relevant.

To illustrate, I think Firefox's GUI policy about passwords (not mentioning encryption, or anything, just the interface) is relevant here: FF asks for the Master password in order to start the password manager, and then asks for the same Master password again if you are going to display the passwords.

It does make sense to assume that nothing ever guarantees that the person who entered the Master Password the first time (which may be quite a long time ago) is the person trying to display the passwords now, doesn't it?
Comment 14 bjoernv 2014-05-08 12:55:30 UTC
I think it's unacceptable and dangerous that passwords can be read unconditionally in clear text if the wallet is unlocked. I think we need 3 states:

1) locked wallet
2) unlocked wallet: applications can access user/password information, but passwords will not be shown
3) unlocked wallet with visible passwords: applications can access user/password information, and passwords can be shown

One problem remains: How can I switch between 2 and 3? Entering a password twice (for state 1 and state 2) and switching back to state 3 after a timeout can be annoying for users who need to copy-and-paste passwords from kwalletmanager to other applications. My idea: there should be options to configure this behavior.
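
The three states proposed in comment 14, with a password re-entry to move from state 2 to state 3 and a configurable timeout to fall back, modelled as an added example (not part of the comment and not kwallet or kwalletmanager code). The class and method names, the 30-second window and the plain string comparison used as the password check are assumptions made for illustration.

```cpp
#include <chrono>
#include <functional>
#include <string>
#include <utility>

// Model only: a real wallet verifies the password through its key derivation
// and does not keep the master password around as a string.
enum class State { Locked, Unlocked, Revealed };
using Secs = std::chrono::seconds;

class WalletSession {   // hypothetical class, not a kwallet API
public:
    WalletSession(std::string master, Secs grace, std::function<Secs()> now)
        : master_(std::move(master)), grace_(grace), now_(std::move(now)) {}
    bool unlock(const std::string& pw) {                 // state 1 -> 2
        if (pw != master_) return false;
        state_ = State::Unlocked;
        return true;
    }
    bool reveal(const std::string& pw) {                 // state 2 -> 3 (re-auth)
        if (state() == State::Locked || pw != master_) return false;
        state_ = State::Revealed;
        revealedAt_ = now_();
        return true;
    }
    State state() {                                      // state 3 -> 2 on timeout
        if (state_ == State::Revealed && now_() - revealedAt_ >= grace_)
            state_ = State::Unlocked;
        return state_;
    }
    void lock() { state_ = State::Locked; }
    bool appMayRead() { return state() != State::Locked; }     // everyday use
    bool userMayView() { return state() == State::Revealed; }  // show/copy/export
private:
    std::string master_;
    Secs grace_;
    std::function<Secs()> now_;                          // injectable clock
    State state_ = State::Locked;
    Secs revealedAt_{0};
};

int main() {
    Secs t{0};                                           // constructed clock
    WalletSession s("constructed-pw", Secs(30), [&t] { return t; });
    s.unlock("constructed-pw");
    s.reveal("constructed-pw");
    t = Secs(31);                                        // grace window elapsed
    return (s.appMayRead() && !s.userMayView()) ? 0 : 1;
}
```

Applications keep working in state 2 after the window expires, while showing, copying or exporting a password needs the password again.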
Comment 15 Fernando Rodriguez 2015-07-23 03:21:57 UTC
Created attachment 93706 [details]
kwalltermanager-4.14.3-kauth.patch

This is especially problematic if you use the kwallet-pam PAM integration module as the wallet is always open. This patch adds kauth policies (polkit) for viewing the passwords, exporting the wallet to XML, and changing the wallet password, with the default set to ask for a password before performing any of these. It's not hard to get kwalletd to give the plaintext password but this will protect from the average user in the scenario described by the OP.

I've also made a patched ebuild for gentoo: https://github.com/fernando-rodriguez/portage-overlay/tree/master/kde-apps/kwalletmanager
Comment 16 Fernando Rodriguez 2015-07-23 21:49:01 UTC
Created attachment 93719 [details]
kwalletmanager-4.14.3-kauth.patch

Updated patch to also authenticate before showing Maps.
Note that this patch asks for your user password, not the wallet password as suggested by the bug report. I think that makes more sense and it allows us to use kauth/polkit so it's user configurable.
Also note that by default it asks for the password every time you look at a password or map, but this is configurable through PolicyKit (or whatever the kauth backend is). To set it to ask for the password once per session with PolicyKit, copy /usr/share/polkit-1/actions/org.kde.kwallet.policy to /etc/polkit-1/actions and change <allow_active>auth_self</allow_active> to <allow_active>auth_self_keep</allow_active>. The location of these files may vary among distros.
Comment 17 Fernando Rodriguez 2015-08-02 04:32:39 UTC
Created attachment 93839 [details]
kwalletmanager-4.14.3-kauth.patch

Updated patch again. I'd missed that you could copy password to clipboard by right-clicking on the entry.
Comment 18 Valentin Rusu 2015-08-02 08:59:40 UTC
(In reply to Fernando Rodriguez from comment #17)
> Created attachment 93839 [details]
> kwalletmanager-4.14.3-kauth.patch
> 
> Updated patch again. I'd missed that you could copy password to clipboard by
> right-clicking on the entry.

I completely switched to latest KF5-based KDE applications so I cannot test this myself.
On what platform are you testing your changes? I may eventually build an equivalent docker image.
Comment 19 Fernando Rodriguez 2015-08-02 22:00:10 UTC
I'm using KDE 4.14.8 on Gentoo.
I made some more changes last night. I need to test thoroughly and will post an updated patch probably tonight. Now I have three policies, view, modify, and change password and they cover every action you can take on kwalletmanager except closing wallets. That may be excessive for most but you can ship a permissive policy by default and users needing the extra security can just update the policy. When used along with a strong MAC policy it makes it possible to keep the wallet data fairly secure even when the wallet is always open.