SipSorcery is logging Google Voice passwords


Post by staticfish » Mon Jan 25, 2010 10:15 pm

I am very interested in getting a SIP bridge working through Google Voice, so of course, after numerous searches, this led me to SipSorcery.

After finding out that Google Voice has no apparent API, and that I'd have to enter my Google Voice credentials into SS so *it* could initiate an HTTP request, I wanted to be certain that any information would be safe, so I delved into the source code.

In the "InitiateCall" function inside the GoogleVoiceCall.cs object, I found some worrying code:

Code:
string rnr = Login(cookies, emailAddress, password);
if (!rnr.IsNullOrBlank()) {
    // The rnr value and the account e-mail address are written into the diagnostic log message.
    Log_External(new SIPMonitorControlClientEvent(SIPMonitorServerTypesEnum.AppServer, SIPMonitorEventTypesEnum.DialPlan, "Call key " + rnr + " successfully retrieved for " + emailAddress + ", proceeding with callback.", m_username));
    return SendCallRequest(cookies, forwardingNumber, destinationNumber, rnr, phoneType, waitForCallbackTimeout, contentType, body);
}


This pretty much means anything being concatenated into the rnr String (all of the Google credentials) is being logged into the method "Log_External", which is probably persisting the information to disk.

Can anybody explain why this is necessary, how the log is being used, where it's kept, etc.?

Many thanks
Daniel
staticfish
 
Posts: 2
Joined: Mon Jan 25, 2010 10:06 pm

Post by Aaron » Mon Jan 25, 2010 11:13 pm

The rnr string in the code snippet is a token retrieved from your GoogleVoice account page AFTER the login request is sent. I haven't investigated but I suspect by itself the rnr token does not provide access to anything and it needs to be coupled with a valid GoogleVoice cookie which can only be obtained by logging into GoogleVoice and would be time limited.

The Log_External method you are worried about is what's used to get diagnostics messages out to users. You can view diagnostics messages in the Silverlight client on the Console tab or by SSH'ing into sipsorcery.com. I'd recommend you try either and place your GoogleVoice call and you will see the log message you are concerned about.

That aside, if someone at sipsorcery wanted to harvest Google Voice or other sensitive information there's no need for further logging during calls. All the information is already stored unencrypted in the sipsorcery database. At the moment I am the sole sipsorcery administrator with access to the information and if you don't trust me, which you probably shouldn't because you don't know me, then you shouldn't use sipsorcery.

Regards,

Aaron
Aaron
Site Admin
 
Posts: 4057
Joined: Thu Jul 12, 2007 12:13 am
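
An added example (not part of the original posts and not SipSorcery code) of how a diagnostic message like the one quoted above can keep its troubleshooting value without placing the rnr token or the full account address in a log that is shown on a console or over SSH. The class and method names are hypothetical and the sample values are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helpers, not part of the SipSorcery code base.
static class LogRedaction
{
    // Short one-way label for a high-entropy token, so related log lines can
    // still be correlated. Not suitable for passwords: a truncated hash of a
    // guessable value can be brute-forced.
    public static string Fingerprint(string token)
    {
        if (string.IsNullOrEmpty(token)) return "<none>";
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(token));
            return "sha256:" + BitConverter.ToString(digest, 0, 4).Replace("-", "").ToLowerInvariant();
        }
    }

    // "daniel@example.com" -> "d***@example.com"
    public static string MaskEmail(string email)
    {
        int at = email == null ? -1 : email.IndexOf('@');
        if (at < 1) return "<redacted>";
        return email.Substring(0, 1) + "***" + email.Substring(at);
    }

    // Same wording as the quoted log message, with both values redacted.
    public static string CallKeyMessage(string rnr, string emailAddress)
    {
        return "Call key " + Fingerprint(rnr) + " successfully retrieved for "
            + MaskEmail(emailAddress) + ", proceeding with callback.";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample values, not a real token or account.
        string rnr = "EXAMPLE-rnr-token-0001";
        string emailAddress = "daniel@example.com";

        Console.WriteLine("before: Call key " + rnr + " successfully retrieved for " + emailAddress + ", proceeding with callback.");
        Console.WriteLine("after:  " + LogRedaction.CallKeyMessage(rnr, emailAddress));
    }
}
```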

Post by synchron » Tue Jan 26, 2010 12:48 am

Hi Aaron,

How does one SSH using Putty or similar SSH client? What port do you use and where do you enter your un/password to authenticate?

Thanks,

Synchron 8)
synchron
 
Posts: 179
Joined: Fri Jun 26, 2009 5:39 am

Post by Aaron » Tue Jan 26, 2010 1:01 am

ssh username@sipsorcery.com

Where username is the same as your web login.

I've tested the SSH server with putty and openssh (which is what cygwin uses) but in theory any SSH client should work.

Regards,

Aaron
Aaron
Site Admin
 
Posts: 4057
Joined: Thu Jul 12, 2007 12:13 am

Post by staticfish » Tue Jan 26, 2010 4:28 pm

Aaron wrote: The rnr string in the code snippet is a token retrieved from your GoogleVoice account page AFTER the login request is sent. I haven't investigated but I suspect by itself the rnr token does not provide access to anything and it needs to be coupled with a valid GoogleVoice cookie which can only be obtained by logging into GoogleVoice and would be time limited.

The Log_External method you are worried about is what's used to get diagnostics messages out to users. You can view diagnostics messages in the Silverlight client on the Console tab or by SSH'ing into sipsorcery.com. I'd recommend you try either and place your GoogleVoice call and you will see the log message you are concerned about.

That aside, if someone at sipsorcery wanted to harvest Google Voice or other sensitive information there's no need for further logging during calls. All the information is already stored unencrypted in the sipsorcery database. At the moment I am the sole sipsorcery administrator with access to the information and if you don't trust me, which you probably shouldn't because you don't know me, then you shouldn't use sipsorcery.

Regards,

Aaron


Thank you for the honest reply.

Is there no way to encrypt info in the DB?
staticfish
 
Posts: 2
Joined: Mon Jan 25, 2010 10:06 pm
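
An added example (not part of the original posts and not SipSorcery code) of one way a stored third-party password can be encrypted at rest, using AES-GCM with a key kept outside the database. The names are hypothetical and the code assumes .NET Core 3.0 or later for `AesGcm`. Because the service has to recover the plaintext to log in on the user's behalf, this protects a copied database or backup, not the account against whoever operates the server and holds the key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not part of the SipSorcery code base.
static class CredentialVault
{
    const int NonceLen = 12, TagLen = 16;

    // Returns nonce || tag || ciphertext for storage in the password column.
    // The owner name is bound in as associated data, so a blob copied onto
    // another account's row fails authentication instead of decrypting.
    public static byte[] Seal(byte[] key, string owner, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] blob = new byte[NonceLen + TagLen + plain.Length];
        RandomNumberGenerator.Fill(blob.AsSpan(0, NonceLen)); // fresh nonce per record
        using (var aes = new AesGcm(key))
            aes.Encrypt(blob.AsSpan(0, NonceLen), plain, blob.AsSpan(NonceLen + TagLen),
                        blob.AsSpan(NonceLen, TagLen), Encoding.UTF8.GetBytes(owner));
        return blob;
    }

    // Throws CryptographicException if the key, owner or blob does not match.
    public static string Open(byte[] key, string owner, byte[] blob)
    {
        if (blob.Length < NonceLen + TagLen) throw new CryptographicException("blob too short");
        byte[] plain = new byte[blob.Length - NonceLen - TagLen];
        using (var aes = new AesGcm(key))
            aes.Decrypt(blob.AsSpan(0, NonceLen), blob.AsSpan(NonceLen + TagLen),
                        blob.AsSpan(NonceLen, TagLen), plain, Encoding.UTF8.GetBytes(owner));
        return Encoding.UTF8.GetString(plain);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data. In a deployment the key is loaded from
        // somewhere other than the database (assumption of this example).
        byte[] key = new byte[32];
        RandomNumberGenerator.Fill(key);
        byte[] stored = CredentialVault.Seal(key, "alice", "not-a-real-password");

        Console.WriteLine(CredentialVault.Open(key, "alice", stored)); // round trip
        try { CredentialVault.Open(key, "bob", stored); }
        catch (CryptographicException) { Console.WriteLine("rejected: wrong owner"); }
    }
}
```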

Post by jaminmc » Thu Jan 28, 2010 8:41 am

The only way to be safe is to run the local version on your own computer or server if you are really concerned about your passwords.
jaminmc
 
Posts: 22
Joined: Tue Oct 13, 2009 8:24 pm

