Bug 208371

Summary: export of wallet requires no password
Product: [Applications] kwalletmanager Reporter: Nick Hibma <nick>
Component: generalAssignee: Valentin Rusu <valir>
Status: CONFIRMED ---    
Severity: major CC: arjunak234, bilatino, GodGODGoddess, korossy, kumaran, markus.de.sade, mk.mateng, nate, qqqqqqqqq9, reddog4_dke, stasnel, unger.roger, valir
Priority: VHI    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: All   
See Also: https://bugs.kde.org/show_bug.cgi?id=337022
https://bugs.kde.org/show_bug.cgi?id=337391
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Nick Hibma 2009-09-24 11:47:26 UTC 
Version:           1.4 (using 4.3.1 (KDE 4.3.1), compiled sources)
Compiler:          cc
OS:                FreeBSD (i386) release 7.2-STABLE

Kwallet tries to prevent anyone from stealing passwords as best as it can. When looking up info in kwalletmanager you have to press 'Show values' each time so you don't accidentally display them.

But exporting requires NO password and produces ALL passwords in plain text in one convenient file.

Export (and probably import as well) should require the main password to be entered (again).

And while there, 'Show values' as well. That switch should persist so you can more easily search for the information you are looking for; more of a flag to enable and disable the values column.
Comment 1 qqqqqqqqq9 2010-01-16 02:00:22 UTC 
Hi,
i, too, think that kwalletmanager is a bit too talkative in this regard. It's a big difference whether someone has two minutes to read my email or if he can extract the password and read them at home.
Comment 2 Kumaran Santhanam 2010-05-14 08:30:28 UTC 
I would like to ask if somebody can please update this to be a severe bug instead of a wishlist item.  Security issues can seriously compromise the usage of kwallet.
Comment 3 Arjun AK 2014-07-01 16:21:46 UTC 
Along with the export as XML option, there should be another option to 'export as encrypted file'. It should also be decryptable by a standard  tool like gpg or openssl.
Comment 4 Valentin Rusu 2014-07-03 20:01:32 UTC 
(In reply to comment #3)
> Along with the export as XML option, there should be another option to
> 'export as encrypted file'. It should also be decryptable by a standard 
> tool like gpg or openssl.

I opened a separate bug to keep track of your suggestion:
https://bugs.kde.org/show_bug.cgi?id=337022
Comment 5 bilatino 2015-03-18 13:25:28 UTC 
Good morning I'm going to KMyMoney Microsoft Money. I would like to tell you four enhancements that may be useful: 1) to add the default password; 2) add the button back and forth; 3) add auto-saving exit 4) move the button new file because deceiving. (translated by google)
Comment 6 Valentin Rusu 2015-03-18 19:46:27 UTC 
(In reply to bilatino from comment #5)
> Good morning I'm going to KMyMoney Microsoft Money. I would like to tell you
> four enhancements that may be useful: 1) to add the default password; 2) add
> the button back and forth; 3) add auto-saving exit 4) move the button new
> file because deceiving. (translated by google)

I don't know how the problems you have with KMyMoney are related with this Whish Report concerning KWalletManager. I have no choice but to ignore it. Perhaps you should file a new "whish" bug report and select KMyMoney as the target product.
Comment 7 Tom 2015-11-24 02:40:36 UTC 
I'm using  fedora 23 with kwalletmanager5 
I can confirm that wallets can be opened and exported to XML without a password:

#!/bin/sh
nohup /usr/bin/kwalletmanager5 > /dev/null 2>&1 &
sleep 1
qdbus org.kde.kwalletmanager5 /kwalletmanager5/MainWindow_1 openWallet kdewallet
qdbus org.kde.kwalletmanager5 /kwalletmanager5/MainWindow_1 activateAction wallet_export

Just give the file a name and tell the dialog where you want it.  Anyone with about 30 seconds of access to your desktop could get all your passwords and put them on a thumbdrive real quick.  So protect your desktop.
This also works with the older version of kwalletmanager if you take the 5's out of the commands.
Comment 8 Nick Hibma 2015-11-24 09:51:34 UTC 
Together with a key stroke macro and an autorun feature for a USB stick you can stick it in, distract someone so he turns around, you have all the keys in plain text.
Comment 9 Tom 2015-11-24 17:49:48 UTC 
Corection:
The commands I gave above only work if an empty password is stored for the wallet, which many people do, and which I did when I tested this.  If the wallet actually has a non-empty password, then the wallet must be already open to allow the XML export.  Still many people do leave their wallets open to avoid having to punch in the wallet password all the time.   So the OP still has a valid point.  I too think the XML export should require a separate password entry
Comment 10 groot 2017-06-16 08:40:42 UTC 
Removing "platform: FreeBSD" since it's not FreeBSD-specific. Confirmed, though, once again on FreeBSD 10.3 and KDE 4.14.30 -- with the wallet open, the export can be triggered through dbus.
Comment 11 GOD 2017-11-22 23:41:46 UTC 
All wallets should be used as indicated not as needed by false apps.