Someone else with clear mail password in /home/defaultuser/.config/signond/signon-secrets.db?

When I open my backed-up file

/home/defaultuser/.config/signond/signon-secrets.db

with sqlitebrowser on my PC, I can see my mail addresses + passwords.
Did I do something wrong?
You too?

When trying to download as defaultuser, I get permission denied (scp).

devel-su, cp/chmod later:

sqlite> .schema
CREATE TABLE CREDENTIALS(id INTEGER NOT NULL UNIQUE,username TEXT,password TEXT,PRIMARY KEY (id));
CREATE TABLE STORE(identity_id INTEGER,method_id INTEGER,key TEXT,value BLOB,PRIMARY KEY (identity_id, method_id, key));
CREATE TRIGGER tg_delete_credentials BEFORE DELETE ON CREDENTIALS FOR EACH ROW BEGIN     DELETE FROM STORE WHERE STORE.identity_id = OLD.id; END;
sqlite> 
sqlite> select * from CREDENTIALS;

ouch. not hashed.

I’m not sure if the mitigation with group privilege(s) helps, but the passwords should be hashed. They are not.

This should be a bug report.

These are credentials needed for logging in to services, so they can’t be hashed unfortunately. They could be obfuscated, but ultimately there has to be some way for the device to be able to access the plain text credentials in order for it to use them.


It could be stored in an encrypted way where the encryption key is the pincode for the device, then on the first device unlock it’s decrypted and held in memory in unencrypted form. I know it’s not perfect, but it is way harder to obtain than from a single file.

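As an added example (not code from any poster in this thread, nor from signond itself): a small Python audit that opens a database with the schema quoted above and reports, without printing any secret, how many CREDENTIALS rows hold plaintext-looking passwords and whether the file is group- or world-readable. That is the check behind both the "not hashed" observation and the group-privilege mitigation discussed here; the sample database, its rows and its file mode are all constructed.

```python
import os
import sqlite3
import stat
import tempfile

# Schema copied from the .schema output quoted in the thread (trigger included).
SIGNON_SCHEMA = """
CREATE TABLE CREDENTIALS(id INTEGER NOT NULL UNIQUE,username TEXT,password TEXT,PRIMARY KEY (id));
CREATE TABLE STORE(identity_id INTEGER,method_id INTEGER,key TEXT,value BLOB,PRIMARY KEY (identity_id, method_id, key));
CREATE TRIGGER tg_delete_credentials BEFORE DELETE ON CREDENTIALS FOR EACH ROW BEGIN DELETE FROM STORE WHERE STORE.identity_id = OLD.id; END;
"""

def looks_plaintext(value):
    # Heuristic: printable UTF-8 is most likely cleartext; an encrypted blob normally fails this.
    if not value:
        return False
    if isinstance(value, bytes):
        try:
            value = value.decode("utf-8")
        except UnicodeDecodeError:
            return False
    return all(ch.isprintable() for ch in value)

def audit_signon_db(path):
    # Returns only counts, ids and file-mode facts, never the secrets themselves.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    conn = sqlite3.connect(path)
    try:
        rows = conn.execute("SELECT id, password FROM CREDENTIALS").fetchall()
    finally:
        conn.close()
    return {
        "identities": len(rows),
        "plaintext_ids": [i for i, pw in rows if looks_plaintext(pw)],
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
    }

def make_sample_db(mode=0o644):
    # Constructed sample: identity 1 in the clear (as on the poster's device), identity 2 as an opaque blob.
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript(SIGNON_SCHEMA)
    conn.executemany("INSERT INTO CREDENTIALS VALUES (?, ?, ?)", [
        (1, "alice@example.org", "constructed-cleartext-secret"),
        (2, "bob@example.org", b"\x8f\x02\xa1\xff\x00\x13\xc4\x9e\xfe\x81"),
    ])
    conn.commit()
    conn.close()
    os.chmod(path, mode)
    return path
```

Running `audit_signon_db(make_sample_db())` on the constructed file flags identity 1 only and reports the 0644 mode as group- and world-readable, which is the combination the thread is worried about.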

How does the browser manage stored passwords?