search

Ygauraw / android-sms

Automatically exported from code.google.com/p/android-sms
0 stars 1 forks source link

Gmail password written in plaintext in Android log #142

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
Extermely important security bug:

Gmail password written in plaintext in Android log by the service

08-24 00:01:45.428: INFO/SmsSync(15990): 
tv.studer.smssync.SmsSyncService$AuthenticationErrorException: 
Application-specific password required: 
http://www.google.com/support/accounts/bin/answer.py?answer=185833 [Failure]
        at tv.studer.smssync.SmsSyncService.backup(SmsSyncService.java:300)
        at tv.studer.smssync.SmsSyncService.access$2(SmsSyncService.java:239)
        at tv.studer.smssync.SmsSyncService$1.run(SmsSyncService.java:156)
        Caused by: com.android.email.mail.AuthenticationFailedException: Application-specific password required: http://www.google.com/support/accounts/bin/answer.py?answer=185833 [Failure]
        at com.android.email.mail.store.ImapStore$ImapConnection.open(ImapStore.java:1374)
        at com.android.email.mail.store.ImapStore$ImapConnection.sendCommand(ImapStore.java:1467)
        at com.android.email.mail.store.ImapStore$ImapConnection.executeSimpleCommand(ImapStore.java:1514)
        at com.android.email.mail.store.ImapStore$ImapConnection.executeSimpleCommand(ImapStore.java:1505)
        at com.android.email.mail.store.ImapStore.getConnection(ImapStore.java:259)
        at com.android.email.mail.store.ImapStore.access$2(ImapStore.java:254)
        at com.android.email.mail.store.ImapStore$ImapFolder.create(ImapStore.java:503)
        at tv.studer.smssync.SmsSyncService.backup(SmsSyncService.java:296)
        ... 2 more
        Caused by: com.android.email.mail.store.ImapStore$ImapException: Command: LOGIN "[PLAINTEXT EMAIL]" "[PLAINTEXT PASSWORD]"; response: #1# [NO, [ALERT], Application-specific, password, required:, http://www.google.com/support/accounts/bin/answer.py?answer=185833, [Failure]]
        at com.android.email.mail.store.ImapStore$ImapConnection.executeSimpleCommand(ImapStore.java:1546)
        at com.android.email.mail.store.ImapStore$ImapConnection.open(ImapStore.java:1371)
        ... 9 more

Security FAIL.

Original issue reported on code.google.com by a.kosenkov on 23 Aug 2011 at 10:08

GoogleCodeExporter commented 9 years ago 
Always happens once user enabled two-factor auth in Gmail.
I'm going to report this to google security team to remove this app from Market 
until this bug will be fixed.

Original comment by a.kosenkov on 23 Aug 2011 at 10:10

GoogleCodeExporter commented 9 years ago 
Thanks for the report, I'll look into this.

Original comment by chstu...@gmail.com on 24 Aug 2011 at 7:27

GoogleCodeExporter commented 9 years ago 
has this been fixed??? i've just done this 2factor auth & now gmail won't work 
on my phone.

Original comment by puddajen...@gmail.com on 10 Dec 2011 at 9:33

GoogleCodeExporter commented 9 years ago 
You should definitely switch to O'Auth for the authentication. Even if you 
remove the password from the logs, storing the password in plain is a real 
no-no.

Original comment by pablo.sx on 12 Jan 2012 at 7:11