Uh oh – Pidgin stores passwords in plain text in accounts.xml

Funny thing we found out at work today: Pidgin, which is a multi-protocol chat client I’ve been using for years and (worse) recommending to others, stores all passwords in plain text on the file system when you click “connect automatically” in your account options. This basically rules out use of the client in any corporate environment. We’re using Pidgin at work with an OpenFire (open source, free XMPP/Jabber) server.

So why is this a big deal if your file permissions are set to 600 (read and write only for the owner)? Well, in my past positions, most admins had root passwords for workstations. Given that in most environments the same password is used for multiple accounts, that’s a huge security issue. Here it’s tied to our Active Directory, i.e. e-mail and domain access, and at previous jobs it was tied to Unix accounts. So, any other system admin could log in with the root password, check my accounts.xml file if they knew where to look (.purple in everyone’s home directory for Linux), and then proceed to do whatever they wanted with my user credentials. Imagine if I used the same one for other personal use, like bank accounts, which I would think others do.

Needless to say we’re currently researching other IM clients to use…
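To check your own profile for this exposure, here is an added example (not part of the original post and not Pidgin's code) that audits an accounts.xml for stored passwords and loose file permissions without ever printing the password itself. The element names `<account>`, `<protocol>`, `<name>` and `<password>` are an assumption about the file's layout, and the sample data is constructed.

```python
import os
import stat
import sys
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; the layout (nested <account> elements) is an assumption.
SAMPLE = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@chat.example.com/work</name>
    <password>CONSTRUCTED-NOT-A-REAL-SECRET</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.net</name>
  </account>
</account>
"""

def audit_accounts_xml(path):
    """Return (permission findings, [(protocol, name)] with a stored password)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:03o} grants group/other access (expected 600)")
    exposed = []
    # Only direct children of the root are login entries; the password text
    # is tested for presence and never returned or printed.
    for acct in ET.parse(path).getroot().findall("account"):
        pw = acct.find("password")
        if pw is not None and (pw.text or "").strip():
            exposed.append((acct.findtext("protocol", "?"), acct.findtext("name", "?")))
    return findings, exposed

def demo():
    # Writes the constructed sample to a temp file with deliberately loose mode.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "accounts.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit_accounts_xml(path)

if __name__ == "__main__":
    findings, exposed = audit_accounts_xml(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in findings:
        print("PERMISSIONS:", f)
    for proto, name in exposed:
        print(f"PLAINTEXT PASSWORD STORED: {proto} {name}")
```

Run it with the path to the accounts.xml under `.purple` as the only argument; with no argument it audits the constructed sample. As the post points out, a clean 600 mode does not help against anyone who can read the file as root.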