Pie Palace

I’ve put together a Gnome applet that checks the balance of an online bank account at predetermined times and emails the balances to a selected email address. It’s unimaginatively titled “balancer“.

It’s (1) useful, and (2) scares the crap out of me.

The useful part is pretty self evident. I want to know my current balance so I can reign in my spending if I’m going overboard.

The scary part is equally self evident. balancer keeps bank credentials on the user’s computer. That’s a terrible idea. An attacker who wants to make some cash just has to trawl the secrets stored in the GnomeKeyring to get access to the user’s life savings. In theory, GnomeKeyring could be secure-ish, if it kept all of its secrets on a portion of the disk hidden from users and blocked access on too many failed access attempts. But it doesn’t seem to. It looks like it keeps secrets in ~/.gnome2/keyrings. If an attacker can subvert an app owned by the user, then they can read ~/.gnome2/keyrings/balancer.credentials.keyring and pass the file offsite for an offline dictionary attack. Eep!

On top of that, GnomeKeyring differentiates between apps based on the path to the app binary. I guess this works for native applications, but it breaks when the app runs in a virtual machine. My app, balancer, is written in Python. After I run it, other Python apps are able to dig into the GnomeKeyring without the user being prompted for a password. Noes!

It’s funny. I tried Wesabe, and had no problem putting myself at the same risk balancer would inflict on me. Even though the Wesabe client has the same security problems, I put them out of my head because someone else wrote the code. But I’m having a hard time doing that with something I wrote.