Bug 5419 – WiFi password shows up in auto-completion

Bug 5419 - (int-138885) WiFi password shows up in auto-completion

(int-138885)
Summary:	WiFi password shows up in auto-completion

Status:	CLOSED FIXED

Product:	Desktop platform
Component:	Input method framework
Version:	5.0/(1.2009.42-11)
Platform:	N900 Linux

Importance:	Low major (vote)
Target Milestone:	5.0/(2.2009.51-1)
Assigned To:	Joaquim Rocha
QA Contact:	input-method-framework-bugs

URL:
Keywords:	security

Depends on:
Blocks:
	Show dependency tree

Reported:	2009-10-13 23:12 UTC by Jeroen Wouters
Modified:	2010-03-02 14:06 UTC (History)
CC List:	10 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description Jeroen Wouters (reporter) 2009-10-13 23:12:39 UTC

SOFTWARE VERSION:
(Control Panel > General > About product)

STEPS TO REPRODUCE THE PROBLEM:
Add a protected wireless network.
Open a window with text auto-completion (e.g. chat window)
Type the first char of the psk in the text input.

EXPECTED OUTCOME:
Text is auto-completed using dictionary word.

ACTUAL OUTCOME:
The wireless password is used for autocompletion.

REPRODUCIBILITY:
always

EXTRA SOFTWARE INSTALLED:

OTHER COMMENTS:
I have found a my password in all lower-case in
.osso/dictionaries/.personal.dictionary

User-Agent:       Mozilla/5.0 (X11; U; Linux armv7l; en-GB; rv:1.9.2a1pre)
Gecko/20090928 Firefox/3.5 Maemo Browser 1.4.1.15 RX-51 N900W

Comment 1 Andre Klapper maemo.org

2009-10-14 01:20:25 UTC

Thanks for reporting this.

Does this also happen in other apps?
You tried this with "Conversations"?

Asking as I cannot confirm this here.
Running
   grep -r "password" .osso/dictionaries/.personal.dictionary
does not include my WiFi password.

Would be great if another one or two persons could test this with the N900 and
report here.

(Note to myself: Also see int-136775).

Comment 2 Jeroen Wouters (reporter) 2009-10-14 11:26:20 UTC

I've tried it in 'Notes', in 'Calendar' (Title field in 'New Event') and
Conversations ('New SMS and 'New IM'). They all behave the same way.

Comment 3 Lucas Maneos 2009-10-14 13:13:05 UTC

Can't reproduce it either with three different WPA passphrases.  Jeroen: are
you using WPA or WEP?  Did you enter the password manually?

Comment 4 Jeroen Wouters (reporter) 2009-10-14 20:35:51 UTC

The password is for a WPA network that I configured manually in Settings.
I have been trying to get another password in there, but I can't reproduce that
part any more.

Comment 5 Marko Vertainen 2009-10-15 14:39:21 UTC

I could not reproduce this in version 1.2009.41-10 but I have noticed same
problem with password fields used in Password Safe.

When I add new password there this password is automatically added in auto
completion database. I don't yet make bug against Password Safe as the problem
might be some other part in the system as this bug hints.

Comment 6 mike bradshaw 2009-10-16 16:30:58 UTC

I was also seeing this (auto-completion was suggesting things entered as
passwords).
After the recent updates to Password-Safe (two since the Summit?) I am no
longer seeing this behavior.

Comment 7 Andre Klapper maemo.org

2009-10-16 16:56:53 UTC

This implies that this could be a Password Safe issue.

(In reply to comment #0)
> EXTRA SOFTWARE INSTALLED:
> 

Jeroen, do you have Password Safe installed?

Comment 8 Fred Lefévère-Laoide 2009-10-16 17:01:01 UTC

PasswordSafe did not use hildon_gtk_entry_set_input_mode before v1.5.5b.
Does anybody know if the default input method includes
HILDON_GTK_INPUT_MODE_DICTIONARY ?
that could explain this ...

Comment 9 Jeroen Wouters (reporter) 2009-10-19 00:49:38 UTC

> Jeroen, do you have Password Safe installed?
No, I do not have Password Safe installed.

Comment 10 Joaquim Rocha 2009-10-19 12:03:10 UTC

Hi Jeron,

Did you use the hardware or the finger keyboard to enter that password?


Thank you,

Comment 11 Jeroen Wouters (reporter) 2009-10-19 13:57:05 UTC

I believe I used the hardware keyboard to enter the password.

Comment 12 Marko Vertainen 2009-11-18 20:50:17 UTC

I think that I have found way how to reproduce this and I hope that some one
can confirm this.

SOFTWARE VERSION:
1.2009.42-11

STEPS TO REPRODUCE THE PROBLEM:
1. Go to settings and start to make new Internet connection.
2. Select pre-shared WPA key and click Next.
3. Now use Sym+Backspace to go task switcher.
4. Start Web browser and select some big site e.g. Facbook or Engadget.
5. While web browser is downloading that site switch back to Internet
connection settings.
6. Write WPA password to that field and save settings.
7. Close settings windows and go to Notes application. 
8. Start to write your WPA password and it appears as an auto completion
suggestion. 

REPRODUCIBILITY:
almost always

OTHER COMMENTS:
I noticed this first with Password Safe but it's not Password Safe problem as
it happens also when setting WPA key. Using grep for ".personal.dictionary"
doesn't show those passwords in that file for some reason.

Password Safe might be a bit easier way to reproduce this. With it you have
also one nasty feature if you start loading some big website and then switch to
Password Safe to check what your password for that site was, you get password
auto completion after few first characters. It works if you use lower case
passwords.

Comment 13 Joaquim Rocha 2009-11-19 10:01:35 UTC

I'll take a look into that. Thank you.

Comment 14 Josh Triplett 2009-12-10 03:30:18 UTC

I can confirm this issue.  I configured my wifi network, entered the WEP key,
and now when I type the first character of the key I see part of the key in the
autocompletion.

I have no third-party software installed.

Comment 15 Andre Klapper maemo.org

2009-12-30 21:30:18 UTC

This *should* be fixed for the next feature release (internally called "PR1.1")
as it is not reproducible anymore. It's not 100% sure though that it's fixed.

After PR1.1 has been published, please feel free to confirm/reopen.

Comment 16 Andre Klapper maemo.org

2009-12-30 21:54:19 UTC

Note that dictionary data in Maemo5 is stored in the files
   /home/user/.osso/dictionaries/.personal.dictionary
   /home/user/.osso/dictionaries/.used.dictionary

In order to check whether this is still an issue you probably want to remove
the passwords from these files which is only recommended for advanced users
(e.g. by using vim, or ssh'ing to use a UI text editor).

Also see bug 2247.

Comment 17 Michiel 2010-01-08 06:22:43 UTC

*** Bug 7734 has been marked as a duplicate of this bug. ***

Comment 18 Andre Klapper maemo.org

2010-01-14 12:28:34 UTC

The problem reported here should be fixed in the update released today for
public: The Maemo5 update version 2.2009.51-1 (also called "PR1.1" sometimes).
Please leave a comment if the problem is not fixed for you in this update
version.

Comment 19 Venomrush 2010-03-01 22:53:42 UTC

Verifying

Not an issue anymore in PR1.1