Bug 96672 - Outgoing mail server password in clear text inside the registrymodifications.xcu file
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): Inherited From OOo
Hardware: All All
Importance: medium major
Assignee: Not Assigned
Keywords: security
Blocks: Mail-Merge
Reported: 2015-12-22 17:01 UTC by michele
Modified: 2019-10-18 21:45 UTC (History)
Description michele 2015-12-22 17:01:15 UTC
Tested on LibreOffice:
Version: 4.2.8.2
Build ID: 420m0(Build:2)
and
Version: 5.0.3.2
Build ID: e5f16313668ac592c1bfb310f4390624e3dbfb75
OS: Ubuntu 14.04


Problem description: 

- Navigate to: Tools > Options > LibreOffice Writer > Mail Merge E-mail > Server authentication
- Enter email information including username and password
- Confirm with Ok
- Go to your user profile (in Ubuntu, ~/.config/libreoffice/4/user) and open the registrymodifications.xcu file with a text editor
- Inside the file, search for your email password
- There it is, your email password in clear text!


Expected behaviour:

I would expect my email password to be stored encrypted.

I guess it is a bug; maybe it is the intended behaviour, but it is still a security issue.
Comment 1 Marina Latini (SUSE) 2015-12-23 14:52:22 UTC
<item oor:path="/org.openoffice.Office.Writer/MailMergeWizard"><prop oor:name="MailPassword" oor:op="fuse"><value>ClearTextPassword</value></prop></item>

confirmed on:

* Version: 4.4.7.2
* Build ID: f3153a8b245191196a4b6b9abd1d0da16eead600
* Locale: it_IT.UTF-8
* OS: openSUSE Tumbleweed (20151124) (x86_64)

and 

* Version: 5.2.0.0.alpha0+
* Build ID: 0b1da98da44bc9acb9e42a5cd1842adf9d82a415
* CPU Threads: 4; OS Version: Linux 4.3; UI Render: default; 
* TinderBox: Linux-rpm_deb-x86_64@70-TDF, Branch:master, Time: 2015-12-22_05:54:37
* Locale: it-IT (it_IT.UTF-8)
* OS: openSUSE Tumbleweed (20151124) (x86_64)

The password is stored in cleartext and the help page:
https://help.libreoffice.org/Common/Server_Authentication 
omits this information.

Suggestions:
a) Add the information to the help page
b) Disallow the password saving
c) implement a master password manager (like kwalletmanager, GNOME Keyring Manager/Seahorse for GNU/Linux or Keychain Access for OSX or Credential Manager for Windows).
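
An audit check for the condition confirmed in comment 1, added here as an example and not part of the original bug thread or of LibreOffice's code: it parses a registrymodifications.xcu, reports whether a non-empty MailPassword is stored under /org.openoffice.Office.Writer/MailMergeWizard without echoing the secret, and checks whether the file is readable by other users. The function names and the sample file contents (including the second, unrelated item) are constructed for illustration.

```python
"""Audit a LibreOffice registrymodifications.xcu for a stored mail-merge password."""
import os
import stat
import sys
import xml.etree.ElementTree as ET

OOR = "http://openoffice.org/2001/registry"  # namespace bound to the oor: prefix
MAILMERGE_PATH = "/org.openoffice.Office.Writer/MailMergeWizard"

# Constructed sample: the first <item> mirrors the one quoted in comment 1,
# the second is an unrelated, made-up entry to show that it is ignored.
SAMPLE_XCU = b"""<?xml version="1.0" encoding="UTF-8"?>
<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="/org.openoffice.Office.Writer/MailMergeWizard"><prop oor:name="MailPassword" oor:op="fuse"><value>ClearTextPassword</value></prop></item>
<item oor:path="/org.example.Constructed/Other"><prop oor:name="SomeSetting" oor:op="fuse"><value>1</value></prop></item>
</oor:items>
"""


def find_stored_mail_password(xcu_bytes):
    """Return a finding dict if a non-empty MailPassword is stored, else None.

    Only the length of the secret is reported, never the value itself.
    """
    root = ET.fromstring(xcu_bytes)
    for item in root.iter("item"):
        if item.get(f"{{{OOR}}}path") != MAILMERGE_PATH:
            continue
        for prop in item.iter("prop"):
            if prop.get(f"{{{OOR}}}name") != "MailPassword":
                continue
            value = prop.findtext("value") or ""
            if value:
                return {"path": MAILMERGE_PATH, "prop": "MailPassword",
                        "length": len(value)}
    return None


def readable_by_others(path):
    """True if group or other users have read permission on the profile file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a real registrymodifications.xcu
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print("readable by group/other:", readable_by_others(sys.argv[1]))
    else:
        data = SAMPLE_XCU
    print(find_stored_mail_password(data) or "no stored MailPassword found")
```
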
Comment 2 Cor Nouws 2016-05-03 15:35:53 UTC
(In reply to Marina Latini from comment #1)

> Suggestions:
> a) Add the information to the help page
> b) Disallow the password saving
> c) implement a master password manager (like kwalletmanager, GNOME Keyring
> Manager/Seahorse for GNU/Linux or Keychain Access for OSX or Credential
> Manager for Windows).

So that should be three issues :) ?
Comment 3 Marina Latini (SUSE) 2016-05-03 15:59:50 UTC
(In reply to Cor Nouws from comment #2)
> (In reply to Marina Latini from comment #1)
> 
> > Suggestions:
> > a) Add the information to the help page
> > b) Disallow the password saving
> > c) implement a master password manager (like kwalletmanager, GNOME Keyring
> > Manager/Seahorse for GNU/Linux or Keychain Access for OSX or Credential
> > Manager for Windows).
> 
> So that should be three issues :) ?

Hi Cor.

The main problem is that the password is stored in clear text and the user doesn't know this.

If this report is considered a real bug (not a feature ;) ), I could consider splitting the report into 3 different issues.

Please, let me know the right steps :)

Best,
Marina
Comment 4 Mike Kaganski 2017-06-14 05:44:23 UTC
FYI: LibreOffice already has a password manager used e.g. with CMIS/WebDAV.
Comment 5 QA Administrators 2018-06-15 02:45:02 UTC Comment hidden (obsolete)
Comment 6 Marina Latini (SUSE) 2018-06-16 14:29:52 UTC
The issue is still present in:

Version: 6.2.0.0.alpha0+
Build ID: e79dd394deedaeed122717700077b77d94360c12
CPU threads: 4; OS: Linux 4.16; UI render: default; VCL: kde4; 
Locale: it-IT (it_IT.UTF-8); Calc: group threaded
Comment 7 Xisco Faulí 2018-11-06 09:57:45 UTC
@Stephan, I thought you could be interested in this issue...