Category archive: Security

Weak password store in owncloud-client

We recently installed owncloud here @mur.at. One neat tool is owncloud-client to sync your files between your desktop and the cloud. Obviously the client needs your password in order to access the cloud. The only way the client can handle your password is by storing it in the filesystem after you have entered it. Unfortunately it stores it in plain text, world-readable (sic!).

On Linux you find owncloud-client’s config files in:

~/.local/share/data/ownCloud

Update. According to the releases document, this should have been fixed in version 1.0.1 already. A friend confirms this, but the Debian version (I mostly use testing, which is currently jessie) still uses a plain-text password store in the below-mentioned config file.

There is a way to make owncloud-client ask for your password every time you start it.  If you add this to the owncloud section of the config file:

nostoredpassword=true

your password should not be stored at all.
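
To check an installation for the problem described above, the following added example (not part of the original post and not code from the ownCloud project) audits the config directory for files readable by group or others, reports whether nostoredpassword=true is set in the owncloud section, and can restrict the permissions. The file name sample.cfg and the key example_key are constructed placeholders, and matching the section name case-insensitively is an assumption.

```python
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_DIR = Path.home() / ".local/share/data/ownCloud"  # directory named in the post


def has_nostoredpassword(text):
    """True if nostoredpassword=true is set inside an [owncloud] section (any case)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "owncloud" and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            if key.strip().lower() == "nostoredpassword":
                return value.strip().lower() == "true"
    return False


def audit(directory=DEFAULT_DIR):
    """One finding per regular file: mode, group/other readability, nostoredpassword."""
    findings = []
    for path in sorted(Path(directory).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({
            "path": str(path), "mode": oct(mode),
            "exposed": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "nostoredpassword": has_nostoredpassword(path.read_text(errors="replace")),
        })
    return findings


def harden(directory=DEFAULT_DIR):
    """Set the directory to 0700 and each regular file in it to 0600, then re-audit."""
    os.chmod(directory, 0o700)
    for finding in audit(directory):
        os.chmod(finding["path"], 0o600)
    return audit(directory)


if __name__ == "__main__":
    demo = Path(tempfile.mkdtemp())  # constructed stand-in for the real directory
    (demo / "sample.cfg").write_text("[ownCloud]\nexample_key=example_value\n")
    os.chmod(demo / "sample.cfg", 0o644)
    print(audit(demo), harden(demo), sep="\n")
```

Tightening permissions only protects against other local users; a password that was already stored world-readable should be changed.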