SchildiChat / schildichat-desktop

Matrix client / Element Web/Desktop fork
https://schildi.chat
Apache License 2.0

Security issue! #149

Closed surfzoid closed 2 years ago

surfzoid commented 2 years ago

Hi,
SchildiChat version: 1.11.4-sc.1
Olm version: 3.2.12
Mageia 8

grep -ir MyLoginPassword ~/.config/SchildiChat
grep: ./Local Storage/leveldb/000043.log: binary file matches
grep: ./IndexedDB/vector_vector_0.indexeddb.blob/8/1e/1e3b: binary file matches

Using SciTE or cat "./Local Storage/leveldb/000043.log" displays the password unencrypted / in clear text.
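
A way to check where a given secret actually ends up on disk, as an added example that is not part of the issue report or of the SchildiChat/Element code. It assumes a Chromium-style profile layout (Local Storage/leveldb, IndexedDB/...) and that a JavaScript string may be persisted either as UTF-8 bytes or as UTF-16LE (Chromium's DOM storage writes non-Latin-1 strings as UTF-16 behind a 0x00 marker byte, an assumption of this example), which a plain grep for the ASCII string would not match. The directory, file names and the placeholder secret in demo() are constructed for the example.

```python
#!/usr/bin/env python3
"""Scan an Electron/Chromium profile directory for a known secret.

Added example; not SchildiChat or Element code. Both the UTF-8 and the
UTF-16LE byte form of the secret are searched, because Chromium's
Local Storage / IndexedDB may store strings as UTF-16 (assumption).
Only file paths and byte offsets are reported, never the secret itself.
"""
import getpass
import os
import sys
import tempfile
from typing import Dict, List, Tuple


def encodings_of(secret: str) -> Dict[str, bytes]:
    """Byte patterns a JS string can take on disk (assumed encodings)."""
    return {
        "utf-8": secret.encode("utf-8"),
        "utf-16le": secret.encode("utf-16-le"),
    }


def find_in_bytes(data: bytes, secret: str) -> List[Tuple[str, int]]:
    """Return (encoding, offset) for every occurrence of secret in data."""
    hits = []
    for name, pat in encodings_of(secret).items():
        start = 0
        while True:
            i = data.find(pat, start)
            if i < 0:
                break
            hits.append((name, i))
            start = i + 1
    return hits


def scan_dir(root: str, secret: str) -> Dict[str, List[Tuple[str, int]]]:
    """Walk root and report every file that contains the secret."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable file (permissions, special file)
            hits = find_in_bytes(data, secret)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found[rel] = hits
    return found


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Constructed sample profile: the secret stored in two encodings.

    A grep for the ASCII string finds only the IndexedDB copy; the
    LevelDB write-ahead log holds a UTF-16LE copy that grep misses.
    """
    secret = "MyLoginPassword"  # placeholder, constructed for the demo
    root = tempfile.mkdtemp(prefix="profile-")
    ls = os.path.join(root, "Local Storage", "leveldb")
    os.makedirs(ls)
    # Fake LevelDB log: 0x00 marker byte then the value as UTF-16LE.
    with open(os.path.join(ls, "000043.log"), "wb") as f:
        f.write(b"\x00" + secret.encode("utf-16-le") + b"\x00" * 8)
    # Fake IndexedDB blob: the same value as plain UTF-8 inside JSON.
    idb = os.path.join(root, "IndexedDB", "blob")
    os.makedirs(idb)
    with open(os.path.join(idb, "1e3b"), "wb") as f:
        f.write(b'{"nickserv":"' + secret.encode("utf-8") + b'"}')
    # A file that must not match.
    with open(os.path.join(root, "Preferences"), "wb") as f:
        f.write(b"{}")
    return scan_dir(root, secret)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Real use: read the secret from the terminal, not from argv,
        # so it does not show up in the process list or shell history.
        root = os.path.expanduser(sys.argv[1])
        for path, hits in scan_dir(root, getpass.getpass("secret: ")).items():
            print(path, hits)
    else:
        for path, hits in demo().items():
            print(path, hits)
```

Run it as scan.py ~/.config/SchildiChat to check a real profile; without an argument it runs the constructed demo, whose LevelDB copy is reported under "utf-16le" while the IndexedDB copy is reported under "utf-8". Offsets alone are enough to confirm a hit; avoid printing the matching bytes when sharing output with a bug tracker.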

surfzoid commented 2 years ago

It shouldn't be stored in the binary log file. Please use encryption for the other file.

kloenk commented 2 years ago

That probably comes from upstream. Can you verify that element does the same?

surfzoid commented 2 years ago

That probably comes from upstream. Can you verify that element does the same?

I don't have element

su-ex commented 2 years ago

Nothing touched here, upstream!

surfzoid commented 2 years ago

Perhaps I forgot to specify: it is the password of my nickname registered with the Nickserver of libera.chat.

SpiritCroc commented 2 years ago

Well, that sounds like an important detail. At first your report sounded like it's logging your matrix login password, which it shouldn't. Now it sounds like message content is logged locally, which doesn't sound like it should happen either, but wouldn't be a huge issue unless you share the logs with third parties. Either way, this is definitely something that you should test on Element and report to them, we haven't touched that.

Note that "encryption for that file" won't do anything useful unless you want to enter a password each time you open SchildiChat, which is not something we plan to implement. Encrypting with some "default key" will not provide any sensible security guarantees compared to storing it in plain. For messages you haven't deleted, and that may thus be cached locally - either you trust your installed applications to not read storage that they're not supposed to, or you need to protect it by other means (e.g. sandboxing, requires operating system support) that are out of scope for us as app developers.

surfzoid commented 2 years ago

I'm confused, I don't have any such element command on my system!