GOA and Third Party Apps - Plain Text Passwords



Hey everyone,

I just joined the list so I apologize if this is a topic previously discussed. I was digging through seahorse earlier today and noticed a few things. When viewing passwords associated with GOA - Google Accounts, all that is displayed is an authorization key with presumably some sort of salted value. There appears to be no way to view the actual password. However, GOA - owncloud accounts show passwords in plain text.

Additionally, and more concerning, is that credentials such as those stored by "Evolution Data Source", Yorba's Geary mail client, VPN Connections, and presumably others are stored in plain text. Simply selecting "show password" displays the password in plain text. At no point from the launching of seahorse to viewing a password is there an authentication prompt.

Security Concerns/Questions

1.) Is it at all possible to de-salt the passwords for viewing if admin/su/user credentials are provided?
    a.) My guess is that the salting is done on Google's end, and GOA never actually sees the password
2.) Should there not be at least an admin/su/user credential prompt before being able to view passwords such as those via VPN, GOA - Owncloud, etc?

--
Marc Thomas
mthx.org | Github: mthxx | @mthx_

