Where are account passwords saved?

[irwinr12]

Does anyone know where account passwords are saved in webOS 3.x?

I can't remember the passwords of some of my accounts and I was hoping I could extract them from my Touchpad.

[artxxork]

Usually stored in Key Store (using Key Manager - https://developer.palm.com/content/a...y-manager.html)

[irwinr12]

Quote:

Originally Posted by artxxork

Usually stored in Key Store (using Key Manager - https://developer.palm.com/content/a...y-manager.html)

Thanks, that's a start. Any idea how to extract them from the command line?

[artxxork]

https://developer.palm.com/content/a....html#fetchKey

note: Key data is returned if the key had been originally stored or generated with nohide = true. Otherwise, the call fails and a "key is not exportable" error message is returned

Code:

luna-send -n 1 luna://com.palm.keymanager/fetchKey '{"keyname":"xx"}'

[Remy X]

This has me thinking, if the keys are marked non-exportable, what other way exists to extract them....

Since most log-ins happen over SSL, it should be possible to create a "man-in-the-middle" attack with a Linux router presenting a fake SSL certificate, then decrypting the data.... or even a laptop running as an ad-hoc WiFi hotspot can do the same thing if configured correctly...

[irwinr12]

Quote:

Originally Posted by artxxork

https://developer.palm.com/content/a....html#fetchKey

note: Key data is returned if the key had been originally stored or generated with nohide = true. Otherwise, the call fails and a "key is not exportable" error message is returned

Code:

luna-send -n 1 luna://com.palm.keymanager/fetchKey '{"keyname":"xx"}'

Yeah I saw that but the passwords have to be "extractable" if the Touchpad is sending the password over the internet to log into an account, right?

I saw the luna-send example in the docs, but how do I know what the keyname is for a password for a particular account?

[Remy X]

Quote:

Originally Posted by irwinr12

Yeah I saw that but the passwords have to be "extractable" if the Touchpad is sending the password over the internet to log into an account, right?

Well, if "nohide = true" refers to passwords being displayed as a plain text vs a string of bullets/asterisks, then if your password isn't visible, it might be "locked"...

I don't now for sure, but in any case the password is being retrieved and sent, so if you run out of options, it can be captured after it leaves the Touchpad....

[artxxork]

Quote:

Originally Posted by irwinr12

Yeah I saw that but the passwords have to be "extractable" if the Touchpad is sending the password over the internet to log into an account, right?

I saw the luna-send example in the docs, but how do I know what the keyname is for a password for a particular account?

They can be hidden - depends on protocol used for authentification ... in theory you don't need to send password over the internet - you may only need it for 'calculation' and be sending just the result ... in that case password can be hidden in Key Store ...

Maybe the easiest way is to patch existing code.

Code:

/usr/palm/services  # grep -r * -n -e fetchKey                                                        
com.palm.service.accounts/models/credentials-model.js:12:		var future = PalmCall.call(KEYMGR_URI, "fetchKey", {
com.palm.service.accounts/models/credentials-model.js:47:		var future = PalmCall.call(KEYMGR_URI, "fetchKey", {
com.palm.service.boxnet/commands/checkCredentials_command.js:62:    	future = IMPORTS.foundations.Comms.PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.contacts.linkedin/serviceassistant.js:117:			future = PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.contacts.linkedin/serviceassistant.js:124:				return PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.contacts.yahoo/serviceassistant.js:111:			future = PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.contacts.yahoo/serviceassistant.js:118:				return PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.dropbox/commands/checkCredentials_command.js:64:    	future = IMPORTS.foundations.Comms.PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.dropbox/commands/checkCredentials_command.js:71:    		return IMPORTS.foundations.Comms.PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.photos.photobucket/account.js:99:		future = PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.photos.photobucket/account.js:104:			return PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.videos.youtube/assistant.js:27:		future = PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.videos.youtube/assistant.js:32:			return PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {

Above are some places where fetchKey is being called ... hook console.log there and you will see...

What password are you actually trying to recover?

[artxxork]

Btw. just noticed that Impostah has Key Store Exploration ... you can find keyname there

[GMMan]

You might need to add the -a argument to luna-send for it to return something:

Code:

-a com.palm.appname

[irwinr12]

Quote:

Originally Posted by artxxork

They can be hidden - depends on protocol used for authentification ... in theory you don't need to send password over the internet - you may only need it for 'calculation' and be sending just the result ... in that case password can be hidden in Key Store ...

Maybe the easiest way is to patch existing code.

Code:

/usr/palm/services  # grep -r * -n -e fetchKey                                                        
com.palm.service.accounts/models/credentials-model.js:12:		var future = PalmCall.call(KEYMGR_URI, "fetchKey", {
com.palm.service.accounts/models/credentials-model.js:47:		var future = PalmCall.call(KEYMGR_URI, "fetchKey", {
com.palm.service.boxnet/commands/checkCredentials_command.js:62:    	future = IMPORTS.foundations.Comms.PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.contacts.linkedin/serviceassistant.js:117:			future = PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.contacts.linkedin/serviceassistant.js:124:				return PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.contacts.yahoo/serviceassistant.js:111:			future = PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.contacts.yahoo/serviceassistant.js:118:				return PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.dropbox/commands/checkCredentials_command.js:64:    	future = IMPORTS.foundations.Comms.PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.dropbox/commands/checkCredentials_command.js:71:    		return IMPORTS.foundations.Comms.PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.photos.photobucket/account.js:99:		future = PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.photos.photobucket/account.js:104:			return PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.videos.youtube/assistant.js:27:		future = PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {
com.palm.service.videos.youtube/assistant.js:32:			return PalmCall.call("luna://com.palm.keymanager/", "fetchKey", {

Above are some places where fetchKey is being called ... hook console.log there and you will see...

What password are you actually trying to recover?

Google and Facebook primarily.

[GMMan]

Quote:

Originally Posted by irwinr12

Google and Facebook primarily.

Can't you just reset the password and update it on your devices? It's easier (and the most obvious method) to go that route instead of trying to pull them out of supposedly secured containers.

[irwinr12]

Quote:

Originally Posted by GMMan

Can't you just reset the password and update it on your devices? It's easier (and the most obvious method) to go that route instead of trying to pull them out of supposedly secured containers.

The password recovery email for the Facebook account is the Google email and I never set up a recovery email for Google and don't remember the password recovery question.

I haven't really used these accounts in a while. Plus it seemed like a fun learning exercise as well.

[irwinr12]

So I've been browsing Impostah looking at the keys, I can't figure out what actually makes up the "keyName". Impsotah shows the keyname for all the accounts as "com.palm.service.accounts" but when I run fetchKey with that keyname it says key not found. Which makes sense, it would need to be unique.

I've tied a variety of combinations, not sure what it's expecting.

[greenoyster]

Use ls-monitor to watch what's being sent across the service bus

[artxxork]

trick is to use parameter "-a appId" in luna-send command.

In Impostah's Key Store Exploration you can see KEY KIND list with pairs appid:keyname, for example 'service.accounts:++I4jEc0Qvce+ko4' ... so your magic command would be:
luna-send -n 1 -a com.palm.service.accounts luna://com.palm.keymanager/fetchKey '{"keyname":"yourkeyhere"}'

note: Impostah removed leading com.palm from appId in GUI, but you must use full appid in luna-send.

You should see any non-hidden passwords this way ... tested with Skype and POP mail.

[GMMan]

I think services like Google, Facebook, and Dropbox use tokens instead of authenticating each time. I haven't had a full look at how Google Synergy works, but I'd assume that's the case. Maybe Hotmail too.

[artxxork]

You are mixing 2 different things ... how password is stored and how it is used.

In this case we are discussing how passwords from various accounts are stored. For example 'Google' account is stored same way as Skype - in Key Store and can be easily obtained from running device.

[Garfonso]

Only if it is not configured to be hidden...