When master password is used and password dialog entry is cancelled, terminals still opens!

[ghost]

This is probably serious security breach - if master password dialog entry is cancelled, terminals app is still opened.
This should not happen.
Also, in this case the startup RDP connections are opened without explicit setting/confirmation/control with the lowest possible display resolution.

[jirkapok]

Fixed in 4.0.1

[truist]

Was this a security breach? Were stored passwords accessible in prior versions?

[jirkapok]

No, it was introduced in 4.0 and fixed in 4.0.1

[ghost]

Hmm. I didn't check that. I wrote that is a security breach because one could start remote sessions (starting the program itself) without typing the master password - that is going around password-based security.

[truist]

OK, thanks for responding. But to be clear: if you canceled out of the dialog, you'd have access to the app, but if you tried to use a host that had a saved password, it wouldn't work?

[ghost]

I think I worked, but to be sure of it I have to install the first version and try it. Do you need confirmation of this? Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10 From: Nathan Arthur<mailto:notifications@github.com> Sent: понеделник, 07 август 2017 21:45 To: Terminals-Origin/Terminals<mailto:Terminals@noreply.github.com> Cc: Todor Tanevski<mailto:todor.tanevski@hotmail.com>; Author<mailto:author@noreply.github.com> Subject: Re: [Terminals-Origin/Terminals] When master password is used and password dialog entry is cancelled, terminals still opens! (#5) OK, thanks for responding. But to be clear: if you canceled out of the dialog, you'd have access to the app, but if you tried to use a host that had a saved password, it wouldn't work? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#5 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ADnzsPLUa6QV8ogCzWfgohdmuukddZDcks5sV2lygaJpZM4M7A1q>.

[truist]

My real question is whether it was - or still is - possible to get an unencrypted password without knowing the master password. I expect @jirkapok would have to answer, to be sure. (I've done a little code digging, and it looks like the passwords are encrypted with the master password, but I'm not certain.)

[awojtas]

Does this mean a hacker could use a 4.0.0 version to access saved credentials, read passwords that are now decrypted in memory, or connect using saved credentials, if they had the db from a terminals install?

[ghost]

Let me check that in a virtual machine and get back to you. Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10 From: Aidan<mailto:notifications@github.com> Sent: недела, 13 август 2017 00:55 To: Terminals-Origin/Terminals<mailto:Terminals@noreply.github.com> Cc: Todor Tanevski<mailto:todor.tanevski@hotmail.com>; Author<mailto:author@noreply.github.com> Subject: Re: [Terminals-Origin/Terminals] When master password is used and password dialog entry is cancelled, terminals still opens! (#5) Does this mean a hacker could use a 4.0.0 version to access saved credentials, read passwords that are now decrypted in memory, or connect using saved credentials, if they had the db from a terminals install? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#5 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ADnzsIRfmjwCSxwLOs06W9ul_wOena_oks5sXi1pgaJpZM4M7A1q>.

[ghost]

I didn’t succeed in finding the 4.0.0 version on github. Can someone provide the link to the msi/exe? There are no archived versions there? Maybe on codeplex… Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10 From: Todor Tanevski<mailto:todor.tanevski@hotmail.com> Sent: недела, 13 август 2017 06:55 To: Terminals-Origin/Terminals<mailto:reply@reply.github.com> Subject: RE: [Terminals-Origin/Terminals] When master password is used and password dialog entry is cancelled, terminals still opens! (#5) Let me check that in a virtual machine and get back to you. Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10 From: Aidan<mailto:notifications@github.com> Sent: недела, 13 август 2017 00:55 To: Terminals-Origin/Terminals<mailto:Terminals@noreply.github.com> Cc: Todor Tanevski<mailto:todor.tanevski@hotmail.com>; Author<mailto:author@noreply.github.com> Subject: Re: [Terminals-Origin/Terminals] When master password is used and password dialog entry is cancelled, terminals still opens! (#5) Does this mean a hacker could use a 4.0.0 version to access saved credentials, read passwords that are now decrypted in memory, or connect using saved credentials, if they had the db from a terminals install? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#5 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ADnzsIRfmjwCSxwLOs06W9ul_wOena_oks5sXi1pgaJpZM4M7A1q>.

[ghost]

I guess you wer right about not able to decrypt the passwords from the local file store (am I designating things right?). I tried the 4.0.0 bytes with my Data. You could not see the existing passwords, as far as the GUI goes. See for yourself the attachments, please. Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10 From: Todor Tanevski<mailto:notifications@github.com> Sent: недела, 13 август 2017 08:47 To: Terminals-Origin/Terminals<mailto:Terminals@noreply.github.com> Cc: Todor Tanevski<mailto:todor.tanevski@hotmail.com>; Your activity<mailto:your_activity@noreply.github.com> Subject: Re: [Terminals-Origin/Terminals] When master password is used and password dialog entry is cancelled, terminals still opens! (#5) I didn’t succeed in finding the 4.0.0 version on github. Can someone provide the link to the msi/exe? There are no archived versions there? Maybe on codeplex… Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10 From: Todor Tanevski<mailto:todor.tanevski@hotmail.com> Sent: недела, 13 август 2017 06:55 To: Terminals-Origin/Terminals<mailto:reply@reply.github.com> Subject: RE: [Terminals-Origin/Terminals] When master password is used and password dialog entry is cancelled, terminals still opens! (#5) Let me check that in a virtual machine and get back to you. Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10 From: Aidan<mailto:notifications@github.com> Sent: недела, 13 август 2017 00:55 To: Terminals-Origin/Terminals<mailto:Terminals@noreply.github.com> Cc: Todor Tanevski<mailto:todor.tanevski@hotmail.com>; Author<mailto:author@noreply.github.com> Subject: Re: [Terminals-Origin/Terminals] When master password is used and password dialog entry is cancelled, terminals still opens! (#5) Does this mean a hacker could use a 4.0.0 version to access saved credentials, read passwords that are now decrypted in memory, or connect using saved credentials, if they had the db from a terminals install? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#5 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ADnzsIRfmjwCSxwLOs06W9ul_wOena_oks5sXi1pgaJpZM4M7A1q>. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#5 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ADnzsNZw2t8V3DgU8Y1FVvO_8LyuRyn4ks5sXpvrgaJpZM4M7A1q>.