Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 09, 2016, 01:47:53 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Urgent security notice for all FARR plugin writers  (Read 4594 times)

electronixtar

  • Member
  • Joined in 2007
  • **
  • Posts: 141
    • View Profile
    • Donate to Member
Urgent security notice for all FARR plugin writers
« on: May 27, 2008, 01:29:45 AM »
If you are going to publish you FARR MOD or plugin package on Web please double check every plugin folder  for "options.xml" where your Gmail account & password may be leaked through distribution. Especially "Google Calendar Quick Add" or any other account related plug-ins.

options.xml looks like this
<options>
<username label="Email :" value="xxx@gmail.com"/>
<password label="Password :" value="xxx"/>
</options>

One of the DC member already made a terrible mistake. I can't image how many ppl have donwloaded that plugin package.

Also, are there any ready-to-use solutions for credentials storage?

Saving plain passwords in XML is not a good idea. I am currently trying to write a twitter plugin for FARR, but where to save the passwords? The web-based auth_token hacking is complex & unstable

sri

  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 677
    • View Profile
    • Sridhar Katakam
    • Read more about this member.
    • Donate to Member
Re: Urgent security notice for all FARR users
« Reply #1 on: May 27, 2008, 01:41:06 AM »
Thanks for bringing it to my notice.

22 have downloaded my zip file. I've now made this file private and changed my Gmail password.
<a href="https://sridharkatakam.com">My blog</a>

Perry Mowbray

  • N.A.N.Y. Organizer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,817
    • View Profile
    • Donate to Member
Re: Urgent security notice for all FARR users
« Reply #2 on: May 27, 2008, 02:06:13 AM »
Also, are there any ready-to-use solutions for credentials storage?

Maybe it's best for FARR to handle this internally?

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: -5
  • Posts: 3,397
    • View Profile
    • Donate to Member
Re: Urgent security notice for all FARR users
« Reply #3 on: May 27, 2008, 02:07:45 AM »
I blame mouser for this security hole! But again, even if it weren't his fault, I would blame him as well ;-)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,421
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Urgent security notice for all FARR users
« Reply #4 on: May 27, 2008, 02:14:55 AM »
I could add a FARR feature to help plugins figure out where to store data,
but let me clarify a little what this security hole is all about for people reading this and nervous.

There is a FARR plugin called "Google Calendar Quick Add", and with this plugin you have to configure your login info.

Sri decided to make a package of his pre-configured aliases and plugins and upload them for others.  He made a slight mistake and included the options file for this plugin, which has his gmail login info in it.

So this is not something any normal FARR user needs to be concerned with -- but it is a reminder for plugin writers and others who might zip up and share their FARR plugin configuration directories, to make sure you dont upload any configuration files that might have sensitive data inside them.

Like I said, I could add a feature into FARR which a plugin could call to get a MyDocuments folder suitable for storing options files, so that they arent in the normal FARR directories, but then again it would be just as easy for a plugin to do that.

electronixtar

  • Member
  • Joined in 2007
  • **
  • Posts: 141
    • View Profile
    • Donate to Member
Re: Urgent security notice for all FARR plugin users
« Reply #5 on: May 27, 2008, 02:20:54 AM »
I could add a FARR feature to help plugins figure out where to store data,
but let me clarify a little what this security hole is all about for people reading this and nervous.

There is a FARR plugin called "Google Calendar Quick Add", and with this plugin you have to configure your login info.

Sri decided to make a package of his pre-configured aliases and plugins and upload them for others.  He made a slight mistake and included the options file for this plugin, which has his gmail login info in it.

So this is not something any normal FARR user needs to be concerned with -- but it is a reminder for plugin writers and others who might zip up and share their FARR plugin configuration directories, to make sure you dont upload any configuration files that might have sensitive data inside them.

Like I said, I could add a feature into FARR which a plugin could call to get a MyDocuments folder suitable for storing options files, so that they arent in the normal FARR directories, but then again it would be just as easy for a plugin to do that.

Centralized storage would be cool.

ps another question: If 3 plugin use 3 FScript.dll, then there's 3 copy of FScript.dll in memory?

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,421
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Urgent security notice for all FARR plugin users
« Reply #6 on: May 27, 2008, 03:04:30 AM »
Quote
ps another question: If 3 plugin use 3 FScript.dll, then there's 3 copy of FScript.dll in memory?

i believe that is right.. until and unless ecaradec (the brilliant fscript author) decides to make a multi-script fscript version.  that's probably best discussed on the fscript thread though.

rjbull

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,927
    • View Profile
    • Donate to Member
Re: Urgent security notice for all FARR plugin writers
« Reply #7 on: May 27, 2008, 03:44:20 AM »
double check every plugin folder  for "options.xml"
[...]

One of the DC member already made a terrible mistake. I can't image how many ppl have donwloaded that plugin package.

I was one of them.  I've now found and deleted all "options.xml" files in my FARR subdirectories; there were only two, both sri-related.  As an afterthought, I emptied the Recycle Bin as well.  Hope that leaves me returned to a state of innocence?


f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Urgent security notice for all FARR plugin writers
« Reply #8 on: May 27, 2008, 07:20:01 AM »
Quote
ps another question: If 3 plugin use 3 FScript.dll, then there's 3 copy of FScript.dll in memory?

i believe that is right.. until and unless ecaradec (the brilliant fscript author) decides to make a multi-script fscript version.  that's probably best discussed on the fscript thread though.
Should only have one instance of script.dll in memory, unless one of the plugins decide to create a new process that then in turn uses fscript.dll. And even then, windows does copy-on-write sharing of DLLs system-wide.
- carpe noctem

Perry Mowbray

  • N.A.N.Y. Organizer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,817
    • View Profile
    • Donate to Member
Re: Urgent security notice for all FARR plugin writers
« Reply #9 on: May 27, 2008, 07:47:25 AM »
Centralized storage would be cool.

Let me clarify, often people like their passwords encrypted, and I wondered if many plug-ins were needing log-ins and passwords then if FARR handled that and the encryption then it's centralized and carries the FARR seal of quality.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Urgent security notice for all FARR plugin writers
« Reply #10 on: May 27, 2008, 08:02:04 AM »
Centralized storage would be cool.

Let me clarify, often people like their passwords encrypted, and I wondered if many plug-ins were needing log-ins and passwords then if FARR handled that and the encryption then it's centralized and carries the FARR seal of quality.
Probably wouldn't be a bad idea to add this to the FARR core - and with an option of having the passwords stored either in a file (with some basic encryption, no need to go overboard with AES etc. since it's going to be reversible anyway, just make that perfectly clear to the users), or in the windows "secure storage" thing (protected & encrypted part of the registry, iirc).
- carpe noctem

ecaradec

  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 409
    • View Profile
    • Blog & Projects
    • Read more about this member.
    • Donate to Member
Re: Urgent security notice for all FARR plugin writers
« Reply #11 on: May 31, 2008, 09:53:19 AM »
I'll add a note in the FScript documentation about the login information issue. I must confess that I did it too, while developping the delicious plugin.
Blog & Projects : Blog | Qatapult | SwiffOut | FScript