#65 Pidgin: Contact and chat log security issue

ALL
open
nobody
7
2008-03-17
2008-03-17
Chih-Wei Huang
No

Procedure to reproduce the issue:

* Log in to an MSN account
* Choose "Options" -> "Enable Logging"
* Send a message to a friend, then log out and quit Pidgin.
* Run Pidgin again, DO NOT log in.
* Choose "Buddies" -> "View User Log...", type the first letter of a friend's name, then the whole name will be shown.
* Choose the friend you just sent messages to, then you can see the log.

The issue is, one can get the friend list and chat log without logging in. Some of our customers think it is a security and/or privacy problem.

Discussion

  • Yuan Chao
    2008-03-17

    Logged In: YES
    user_id=553347
    Originator: NO

    The log files are actually in plain text, so one can always extract (part of) the contact list by parsing the log files. The log files can only be protected by file system permissions.

     
  • Fai Wong
    2008-03-17

    Logged In: YES
    user_id=419425
    Originator: NO

    Actually, there is not even a need to open Pidgin to see the contact list and log files.
    The contact list is in /home/user/.purple/blist.xml and the logs are all inside /home/user/.purple/logs/
    What does this mean? This means the files are owned by the user; there is no restriction on the user himself/herself reading his/her own files.
    The same should be applicable to any messenger on any OS.
    A suggestion here (assuming the user knows nothing about the .purple directory) is to disable the "Buddies" menu item before logging in, or directly remove the history viewer.
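The comments above say the logs and buddy list are protected only by file system permissions. As an added example (not part of the ticket or of Pidgin's code), this Python sketch audits a `.purple`-style directory for entries readable by other local accounts and can strip those bits; the function names and the sample tree are constructed for illustration. It does nothing against someone using the owner's own session, which is the case the reporter describes.

```python
import os
import stat
import tempfile

# Any group/other permission bit lets another local account reach the entry.
LOOSE = stat.S_IRWXG | stat.S_IRWXO

def iter_entries(root):
    """Yield root and every directory and file beneath it."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def audit(root):
    """Return sorted (relative_path, octal_mode) for entries with group/other bits."""
    findings = []
    for path in iter_entries(root):
        st = os.lstat(path)  # lstat: never follow symlinks out of the tree
        if not stat.S_ISLNK(st.st_mode) and st.st_mode & LOOSE:
            findings.append((os.path.relpath(path, root),
                             oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)

def tighten(root):
    """Remove group/other bits from flagged entries; return how many changed."""
    changed = 0
    for path in iter_entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode) or not st.st_mode & LOOSE:
            continue
        os.chmod(path, stat.S_IMODE(st.st_mode) & ~LOOSE)
        changed += 1
    return changed

def build_sample():
    """Constructed tree imitating ~/.purple; names and modes are made up."""
    root = tempfile.mkdtemp(prefix="purple-demo-")  # created with mode 0700
    os.makedirs(os.path.join(root, "logs", "msn", "me", "friend"))
    for rel, mode in [("logs", 0o755), ("logs/msn", 0o700),
                      ("logs/msn/me", 0o700), ("logs/msn/me/friend", 0o700)]:
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in [("blist.xml", 0o600),
                      ("logs/msn/me/friend/chat.txt", 0o644)]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    for rel, mode in audit(build_sample()):
        print(mode, rel)
```

To check a real profile, call `audit(os.path.expanduser("~/.purple"))`; a parent directory already at 0700 blocks other accounts, but the audit still lists looser entries beneath it.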