What is libsecret and why does it leak passwords?

I just ran LaZagne on my Ubuntu desktop computer. It is a python program that scans the computer to find passwords.

It found 14 passwords, and some of them are still active. I changed most of them. By running the program with option -v we can see where the password are found.

All of the passwords are found with Libsecret. According to the gnome wiki for libsecret:

libsecret is a library for storing and retrieving passwords and other secrets. It communicates with the "Secret Service" using D-Bus. gnome-keyring and ksecretservice are both implementations of a Secret Service

Apparently, this thing doesn’t work properly and leaks passwords.

  1. What is this library ? 
  2. Why and how is it leaking passwords ?
  3. How can I secure my passwords ?

Some passwords are of private keys used for ssh.

1 Answer

libsecret is working as intended - it might be the intention that is at odds with your use case.

The "Secret Service" allows a user to store e.g. passwords in a way, that they are easily accessible for the logged on user, but very hard to access by someone else.

If your Computer is physically taken (while you are not logged in) or the harddrive copied, then the attacker must break some serious encryption to access your passwords, as he can't access them via D-Bus. If a webserver running on your machine (under another user) is hacked, the attacker can't access your passwords via D-Bus, as they have the wrong login.

But if a program started by you running under your account requests it, the password will be easily accessible. This is why Lazagne was easily able to fetch them.

This allows for a compromise between security and convenience, that is very often acceptable to the typical user - but it might not be acceptable for you. You can easily avoid storing your passwords in keyring or friends, by just not using the feature to store passwords, or by using software that is no integrated with libsecret.

6

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like