Bug 141922 - Back up File not Password Protected using Windows 10
Summary: Back up File not Password Protected using Windows 10
Status: UNCONFIRMED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc (show other bugs)
Version:
(earliest affected)
7.1.2.2 release
Hardware: All Windows (All)
: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Password-Protected
  Show dependency treegraph
 
Reported: 2021-04-26 19:13 UTC by Walter
Modified: 2022-11-27 11:48 UTC (History)
1 user (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Walter 2021-04-26 19:13:48 UTC 
Description:
Used Windows 10  "BU and Restore" to B/U Confidential Files to external Drive. Discovered I could plug the external drive into another(wife's) computer and OPEN any file (Read Only) without requiring to use the Password which was saved with the file.
I was able to view/print/E Mail confidential information.
"File History" was enabled on Windows Back up and Restore could view them all.
The password seems only to prevent data destruction. Could be a MS problem ..I let them know also . (Note I did not try to "Restore" the files just clicked on them in "File History" on the external drive ..... CANT BE INTENTIONAL COULD IT?   Walter


Steps to Reproduce:
1.Back up Documents (Calc) to External Device use Windows 10 B/U and Restore with File History Set to ON
2.Look for a Password Protected file on the external device
3.Click on it don't be surprised if it opens!

Actual Results:
Mine opened in Read Only

Expected Results:
I expected to still require the password


Reproducible: Always


User Profile Reset: No



Additional Info:
Just Opened .. could see all the Data. Also could alter the settings to allow changes.. couldn't overwrite the original file... that's all
Comment 1 m_a_riosv 2021-04-27 06:55:24 UTC 
Doesn't seem feasible, because it's in the practice no possible to recover a password saved file on LibreOffice without the password.

So please detail as much as possible the steps that you follow, from when you have the file open and how do you save the file, the file type you have used to save and  following steps.
Comment 2 Walter 2021-04-27 15:11:18 UTC 
Here is exactly what I did (and have done).. its 100 % repeatable.
(Using LibreOffice Calc... Latest Version and Build   7.05.2 (x64))

I have  a spread sheet which I use to record 'sensitive information' using LibreOffice Calc
I put a (complex) password on the file. (But did not encrypt it... not that sensitive!)

I use Windows 10 Back up and Restore to back up selected files (eg Documents) on a Seagate USB Extension Drive,  have done for years.
There is an option on Windows 10 Back Up and Restore and Record "File History"
It has a recommendation in Windows B/U to select this option.
I did that (have done for ages also).
It saves all revisions of any file modified... to the same drive during the Back Up process.

Once the back up is complete .. the back up file appears to be encrypted and not readable.
However the "File History is not".

If you take the extension drive to ANY computer and plug it in a usb port,  you can find  ALL of the File History Data on the Extension Drive.
If you have a suitable application (In my case my wife's laptop also has LibreOffice Installed)

CLICK on any one of them (including the very last one (most recent).
Its possible to OPEN that file in Read Only mode... displaying all of the data  without any request for a password whatsoever!

It is also possible to change the settings in this file to allow updates and changes which cannot overwrite the file on the extension drive but can be saved under a new name in a New Location or  E Mailed /Printed etc.

I wrote also to Microsoft .. it may be their problem.... got a rather terse reply and a form to fill up.. not expecting any interest there!


I discovered this by accident when my desktop got damaged by water..  I simply plugged the extension drive into my wife's laptop.. used Windows Explorer to search the Extension drive for my files.. there were many .. I clicked on the latest one (all had dates shown in the File Name).
To my surprise LibreOffice on her machine Opened the file without any password request.. and I could view all the Data.

Not sure of your definition of a "Vulnerability"  but I see a number of ways to obtain sensitive information using any kind of approach.
Even "The Cloud" doesn't seem secure if anyone can do this?

 Thank you for taking my concern seriously.

Walter


On 2021-04-27 2:55 a.m., bugzilla-daemon@bugs.documentfoundation.org wrote:
> m.a.riosv changed bug 141922
> What 	Removed 	Added
> Ever confirmed 	  	1
> CC 	  	miguelangelrv@libreoffice.org
> Status 	UNCONFIRMED 	NEEDINFO
>
> Comment # 1 on bug 141922 from m.a.riosv
> Doesn't seem feasible, because it's in the practice no possible to recover a
> password saved file on LibreOffice without the password.
>
> So please detail as much as possible the steps that you follow, from when you
> have the file open and how do you save the file, the file type you have used to
> save and  following steps.
Comment 3 Walter 2021-04-27 15:20:24 UTC 
One other point I forgot!
Once I opened the "File History" document on the extension drive.
In LO Calc  the "Change Password" function was 'Greyed Out' so that the 'Password' could not be changed... !
Walt
Comment 4 QA Administrators 2021-04-28 03:52:12 UTC Comment hidden (obsolete)