
Urgent security notice for all FARR plugin writers


electronixtar:
If you are going to publish your FARR MOD or plugin package on the Web, please double check every plugin folder for "options.xml", where your Gmail account & password may be leaked through distribution. Especially "Google Calendar Quick Add" or any other account-related plug-ins.

options.xml looks like this:

<options>
<username label="Email :" value="[email protected]"/>
<password label="Password :" value="xxx"/>
</options>

One of the DC members already made a terrible mistake. I can't imagine how many people have downloaded that plugin package.

Also, are there any ready-to-use solutions for credentials storage?

Saving plain passwords in XML is not a good idea. I am currently trying to write a Twitter plugin for FARR, but where to save the passwords? The web-based auth_token hacking is complex & unstable.

sri:
Thanks for bringing it to my notice.

22 have downloaded my zip file. I've now made this file private and changed my Gmail password.

Perry Mowbray:
Also, are there any ready-to-use solutions for credentials storage?
-electronixtar (May 27, 2008, 01:29 AM)
--- End quote ---

Maybe it's best for FARR to handle this internally?

Josh:
I blame mouser for this security hole! But again, even if it weren't his fault, I would blame him as well ;-)

mouser:
I could add a FARR feature to help plugins figure out where to store data, but let me clarify a little what this security hole is all about for people reading this and nervous.

There is a FARR plugin called "Google Calendar Quick Add", and with this plugin you have to configure your login info.

Sri decided to make a package of his pre-configured aliases and plugins and upload them for others. He made a slight mistake and included the options file for this plugin, which has his Gmail login info in it.

So this is not something any normal FARR user needs to be concerned with -- but it is a reminder for plugin writers and others who might zip up and share their FARR plugin configuration directories, to make sure you don't upload any configuration files that might have sensitive data inside them.

Like I said, I could add a feature into FARR which a plugin could call to get a MyDocuments folder suitable for storing options files, so that they aren't in the normal FARR directories, but then again it would be just as easy for a plugin to do that.
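A pre-publish check for the advice in this thread, added here as an example and not code from the posters or from FARR itself: it walks a plugin directory, flags every options.xml whose elements still carry a credential value, and can blank those values before the folder is zipped. The element and label names it treats as credentials are an assumed list, based on the options.xml shown in the first post; the sample document below is constructed.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Names that mark an option as a credential (assumed list, extend per plugin).
SENSITIVE_NAMES = {"username", "user", "email", "password", "pass", "token", "auth_token"}

# Constructed sample mirroring the options.xml layout from the first post.
SAMPLE_OPTIONS = """<options>
<username label="Email :" value="someone@example.com"/>
<password label="Password :" value="hunter2"/>
</options>"""


def _is_credential(elem):
    """True when the element's tag or label names a credential and it has a value."""
    tag = elem.tag.lower()
    label = (elem.get("label") or "").lower()
    value = elem.get("value") or ""
    return bool(value) and (tag in SENSITIVE_NAMES or any(n in label for n in SENSITIVE_NAMES))


def find_credentials_in_options(xml_text):
    """Return (tag, label) for every option in one options.xml that still holds a credential."""
    root = ET.fromstring(xml_text)
    return [(e.tag, e.get("label", "")) for e in root.iter() if e is not root and _is_credential(e)]


def redact_options(xml_text):
    """Return a copy of options.xml with every credential value blanked, safe to ship."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem is not root and _is_credential(elem):
            elem.set("value", "")
    return ET.tostring(root, encoding="unicode")


def scan_plugin_tree(root_dir):
    """Map each options.xml under a plugin directory to the credentials it leaks (empty if clean)."""
    report = {}
    for path in Path(root_dir).rglob("options.xml"):
        try:
            hits = find_credentials_in_options(path.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # not an options file we understand; leave it for manual review
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    # Usage: python check_options.py <FARR plugins dir>; exits non-zero when credentials are found.
    leaks = scan_plugin_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, hits in leaks.items():
        print(f"{path}: {', '.join(tag for tag, _ in hits)}")
    sys.exit(1 if leaks else 0)
```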
