[Pidgin] #14830: dbus information leakage
Pidgin
trac at pidgin.im
Sun Feb 26 13:50:11 EST 2012
#14830: dbus information leakage
---------------------+------------------------------------------------------
Reporter: dfunc | Owner: rekkanoryo
Type: defect | Status: new
Milestone: | Component: libpurple
Version: 2.10.0 | Resolution:
Keywords: privacy |
---------------------+------------------------------------------------------
Comment(by ultramancool):
@dfunc It's ridiculous to try to fix an issue where the user must be
completely compromised in order to have, because then _everything_ is an
issue. How hard would it really be for an attacker to simply kill your
pidgin process and restart it with a custom LD_PRELOAD? Not to mention
gtkparasite or similar could easily be used to grab the messages from the
pidgin window, as could common screenshotting tools. When an attacker can
execute code, all bets are off, you simply cannot fix this sort of issue
no matter how you pursue it. The only way to protect against this would be
complete and total desktop and process isolation, which are things we
simply do not have right now. This is not "security" this is simple
obscurity. Obscuring the problem does not solve it.
--
Ticket URL: <http://developer.pidgin.im/ticket/14830#comment:9>
Pidgin <http://pidgin.im>