Package: pidgin
Version: 2.7.1-1
Severity: wishlist
Tags: security

In its default configuration, the bonjour account type exports the user's first and last name (as well as username) to the local network.

I've seen Apple laptops expose their user's name to the local network similarly. (I think they may do it by default if the user calls it "Joe User's laptop", while in pidgin one has to manually enable the bonjour account.) And it always makes me wonder:

* Does the user of this laptop in a coffee shop, airport, etc. realize that their full name is being broadcast to everyone in the area?
* Would they appreciate being googled/facebooked, stalked, etc?
* How bad a social engineering trick could an attacker dream up with this information? Bearing in mind that the user has a typically rather expensive laptop out, in a public place. Also that in the case of the airport, the public place is very security sensitive.

The only value I can see in broadcasting a last name is disambiguation. And in a large network, that is probably useful. Using a last initial would disambiguate fairly well too, while preventing most of the problem for most people.

Pidgin allows manually changing the first name or last name that is sent. Unfortunately, it does not allow modifying the username. So those using first.last or flast can't hide. I hope that the username is not part of the underlying protocol?

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pidgin depends on:
ii  gconf2                      2.28.1-3      GNOME configuration database syste
ii  libatk1.0-0                 1.30.0-1      The ATK accessibility toolkit
ii  libc6                       2.11.2-2      Embedded GNU C Library: Shared lib
ii  libcairo2                   1.8.10-4      The Cairo 2D vector graphics libra
ii  libdbus-1-3                 1.2.24-1      simple interprocess messaging syst
ii  libdbus-glib-1-2            0.86-1        simple interprocess messaging syst
ii  libfontconfig1              2.8.0-2.1     generic font configuration library
ii  libfreetype6                2.3.11-1      FreeType 2 font engine, shared lib
ii  libglib2.0-0                2.24.1-1      The GLib library of C routines
ii  libgstreamer0.10-0          0.10.29-1     Core GStreamer libraries and eleme
ii  libgtk2.0-0                 2.20.1-1      The GTK+ graphical user interface
ii  libgtkspell0                2.0.16-1      a spell-checking addon for GTK's T
ii  libice6                     2:1.0.6-1     X11 Inter-Client Exchange library
ii  libpango1.0-0               1.28.1-1      Layout and rendering of internatio
ii  libpurple0                  2.7.1-1       multi-protocol instant messaging l
ii  libsm6                      2:1.1.1-1     X11 Session Management library
ii  libstartup-notification0    0.10-1        library for program launch feedbac
ii  libx11-6                    2:1.3.3-3     X11 client-side library
ii  libxml2                     2.7.7.dfsg-3  GNOME XML library
ii  libxss1                     1:1.2.0-2     X11 Screen Saver extension library
ii  perl                        5.10.1-13     Larry Wall's Practical Extraction
ii  perl-base [perlapi-5.10.1]  5.10.1-13     minimal Perl system
ii  pidgin-data                 2.7.1-1       multi-protocol instant messaging c

Versions of packages pidgin recommends:
ii  gstreamer0.10-plugins-base  0.10.29-4     GStreamer plugins from the "base"
ii  gstreamer0.10-plugins-good  0.10.23-4     GStreamer plugins from the "good"

Versions of packages pidgin suggests:
ii  evolution-data-server       2.30.2-1      evolution database backend server
ii  gnome-panel                 2.30.0-2      launcher and docking facility for
ii  libsqlite3-0                3.6.23.1-4    SQLite 3 shared library

-- no debconf information

--
see shy jo