GNOME Bugzilla – Bug 505586
Audioscrobbler password saved in plain text (Minor security issue)
Last modified: 2007-12-26 09:05:55 UTC
Please describe the problem:
The user's password for last.fm is saved in plain text in gconf... I know the protocol and you only need an md5hash if the password login... So storing the actual password is an unnecessary security risk.

Steps to reproduce:
1. Enter last.fm password to rhythmbox
2. Open gconf-editor and find /apps/rhythbox/audioscrobbler/password
3. The password is in plain text.

Actual results:

Expected results:
The password should have been an md5 sum.

Does this happen every time?
Yes.

Other information:
I suppose you are still using the old protocol; there's a short introduction to it here:
http://gabistapler.de/blog/index.php?/archives/268-Play-last.fm-streams-without-the-player.html

I've documented the new last.fm 1.2 protocol here, if it's of any interest:
http://code.google.com/p/thelastripper/wiki/LastFM12UnofficialDocumentation
(Appendix A is a list of Last.fm URIs; you might want to add personal, playlist and loved by default.)
Thanks for the bug report. This particular bug has already been reported into our bug tracking system, but please feel free to report any further bugs you find.

*** This bug has been marked as a duplicate of 349132 ***
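The change the report asks for, as an added example that is not Rhythmbox code or part of the original report: the client keeps only the MD5 of the password and derives the handshake token from that stored digest. It assumes the Audioscrobbler 1.2 submission handshake token form md5(md5(password) + timestamp); the settings dictionary and the key name `password_md5` are hypothetical stand-ins for the gconf entries.

```python
import hashlib


def md5_hex(text: str) -> str:
    """Lowercase hex MD5 of a UTF-8 string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def password_digest(password: str) -> str:
    """The only password-derived value the client needs to persist."""
    return md5_hex(password)


def auth_token(stored_digest: str, timestamp: int) -> str:
    """Handshake token built from the stored digest, never the plaintext."""
    return md5_hex(stored_digest + str(timestamp))


def migrate(settings: dict) -> dict:
    """Replace a legacy plaintext 'password' entry with 'password_md5'.

    The plaintext key is always dropped; an existing digest is kept as-is,
    so running the migration twice changes nothing.
    """
    migrated = dict(settings)
    plaintext = migrated.pop("password", None)
    if plaintext is not None and "password_md5" not in migrated:
        migrated["password_md5"] = password_digest(plaintext)
    return migrated


if __name__ == "__main__":
    # Constructed sample settings, standing in for the gconf keys.
    old = {"username": "alice", "password": "password"}
    new = migrate(old)
    ts = 1198659955  # constructed UNIX timestamp
    print(new)
    print(auth_token(new["password_md5"], ts))
```

The stored digest still works as a login credential for this one service, and an unsalted MD5 of a weak password is quickly recovered by guessing, so the settings store needs the same access restrictions as before. What the change removes is the readable password itself, which the user may have reused elsewhere.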