Results 1 to 19 of 19
Like Tree3Likes
  • 1 Post By GMMan
  • 1 Post By irwinr12
  • 1 Post By greenoyster
  1.    #1  
    Does anyone know where account passwords are saved in webOS 3.x?

    I can't remember the passwords of some of my accounts and I was hoping I could extract them from my Touchpad.
  2. #2  
    Usually stored in Key Store (using Key Manager - https://developer.palm.com/content/a...y-manager.html)
  3.    #3  
    Quote Originally Posted by artxxork View Post
    Usually stored in Key Store (using Key Manager - https://developer.palm.com/content/a...y-manager.html)
    Thanks, that's a start. Any idea how to extract them from the command line?
  4. #4  
    https://developer.palm.com/content/a....html#fetchKey

    note: Key data is returned if the key had been originally stored or generated with nohide = true. Otherwise, the call fails and a "key is not exportable" error message is returned

    Code:
    luna-send -n 1 luna://com.palm.keymanager/fetchKey '{"keyname":"xx"}'
  5. #5  
    This has me thinking, if the keys are marked non-exportable, what other way exists to extract them....

    Since most log-ins happen over SSL, it should be possible to create a "man-in-the-middle" attack with a Linux router presenting a fake SSL certificate, then decrypting the data.... or even a laptop running as an ad-hoc WiFi hotspot can do the same thing if configured correctly...
  6.    #6  
    Quote Originally Posted by artxxork View Post
    https://developer.palm.com/content/a....html#fetchKey

    note: Key data is returned if the key had been originally stored or generated with nohide = true. Otherwise, the call fails and a "key is not exportable" error message is returned

    Code:
    luna-send -n 1 luna://com.palm.keymanager/fetchKey '{"keyname":"xx"}'
    Yeah I saw that but the passwords have to be "extractable" if the Touchpad is sending the password over the internet to log into an account, right?

    I saw the luna-send example in the docs, but how do I know what the keyname is for a password for a particular account?
  7. #7  
    Quote Originally Posted by irwinr12 View Post
    Yeah I saw that but the passwords have to be "extractable" if the Touchpad is sending the password over the internet to log into an account, right?
    Well, if "nohide = true" refers to passwords being displayed as a plain text vs a string of bullets/asterisks, then if your password isn't visible, it might be "locked"...

    I don't now for sure, but in any case the password is being retrieved and sent, so if you run out of options, it can be captured after it leaves the Touchpad....
  8. #8  
    Quote Originally Posted by irwinr12 View Post
    Yeah I saw that but the passwords have to be "extractable" if the Touchpad is sending the password over the internet to log into an account, right?

    I saw the luna-send example in the docs, but how do I know what the keyname is for a password for a particular account?
    They can be hidden - depends on protocol used for authentification ... in theory you don't need to send password over the internet - you may only need it for 'calculation' and be sending just the result ... in that case password can be hidden in Key Store ...

    Maybe the easiest way is to patch existing code.
    Code:
    /usr/palm/services  # grep -r * -n -e fetchKey                                                        
    com.palm.service.accounts/models/credentials-model.jsjsjs:$12$:		$var$ $future$ = $PalmCall$.$call$($KEYMGR_URI$, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$accounts$/$models$/$credentials$-$model$.$js$:$47$:		$var$ $future$ = $PalmCall$.$call$($KEYMGR_URI$, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$boxnet$/$commands$/$checkCredentials_command$.$js$:$62$:    	$future$ = $IMPORTS$.$foundations$.$Comms$.$PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$contacts$.$linkedin$/$serviceassistant$.$js$:$117$:			$future$ = $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$contacts$.$linkedin$/$serviceassistant$.$js$:$124$:				$return$ $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$contacts$.$yahoo$/$serviceassistant$.$js$:$111$:			$future$ = $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$contacts$.$yahoo$/$serviceassistant$.$js$:$118$:				$return$ $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$dropbox$/$commands$/$checkCredentials_command$.$js$:$64$:    	$future$ = $IMPORTS$.$foundations$.$Comms$.$PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$dropbox$/$commands$/$checkCredentials_command$.$js$:$71$:    		$return$ $IMPORTS$.$foundations$.$Comms$.$PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$photos$.$photobucket$/$account$.$js$:$99$:		$future$ = $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$photos$.$photobucket$/$account$.$js$:$104$:			$return$ $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$videos$.$youtube$/$assistant$.$js$:$27$:		$future$ = $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$videos$.$youtube$/$assistant$.$js$:$32$:			$return$ $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    Above are some places where fetchKey is being called ... hook console.log there and you will see...

    What password are you actually trying to recover?
  9. #9  
    Btw. just noticed that Impostah has Key Store Exploration ... you can find keyname there
  10. #10  
    You might need to add the -a argument to luna-send for it to return something:
    Code:
    -a com.palm.appname
    Remy X likes this.
  11.    #11  
    Quote Originally Posted by artxxork View Post
    They can be hidden - depends on protocol used for authentification ... in theory you don't need to send password over the internet - you may only need it for 'calculation' and be sending just the result ... in that case password can be hidden in Key Store ...

    Maybe the easiest way is to patch existing code.
    Code:
    /usr/palm/services  # grep -r * -n -e fetchKey                                                        
    com.palm.service.accounts/models/credentials-model.jsjsjs:$12$:		$var$ $future$ = $PalmCall$.$call$($KEYMGR_URI$, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$accounts$/$models$/$credentials$-$model$.$js$:$47$:		$var$ $future$ = $PalmCall$.$call$($KEYMGR_URI$, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$boxnet$/$commands$/$checkCredentials_command$.$js$:$62$:    	$future$ = $IMPORTS$.$foundations$.$Comms$.$PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$contacts$.$linkedin$/$serviceassistant$.$js$:$117$:			$future$ = $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$contacts$.$linkedin$/$serviceassistant$.$js$:$124$:				$return$ $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$contacts$.$yahoo$/$serviceassistant$.$js$:$111$:			$future$ = $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$contacts$.$yahoo$/$serviceassistant$.$js$:$118$:				$return$ $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$dropbox$/$commands$/$checkCredentials_command$.$js$:$64$:    	$future$ = $IMPORTS$.$foundations$.$Comms$.$PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$dropbox$/$commands$/$checkCredentials_command$.$js$:$71$:    		$return$ $IMPORTS$.$foundations$.$Comms$.$PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$photos$.$photobucket$/$account$.$js$:$99$:		$future$ = $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$photos$.$photobucket$/$account$.$js$:$104$:			$return$ $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$videos$.$youtube$/$assistant$.$js$:$27$:		$future$ = $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    $com$.$palm$.$service$.$videos$.$youtube$/$assistant$.$js$:$32$:			$return$ $PalmCall$.$call$(&$quot$;$luna$://$com$.$palm$.$keymanager$/&$quot$;, &$quot$;$fetchKey$&$quot$;, {
    Above are some places where fetchKey is being called ... hook console.log there and you will see...

    What password are you actually trying to recover?
    Google and Facebook primarily.
  12. #12  
    Quote Originally Posted by irwinr12 View Post
    Google and Facebook primarily.
    Can't you just reset the password and update it on your devices? It's easier (and the most obvious method) to go that route instead of trying to pull them out of supposedly secured containers.
  13.    #13  
    Quote Originally Posted by GMMan View Post
    Can't you just reset the password and update it on your devices? It's easier (and the most obvious method) to go that route instead of trying to pull them out of supposedly secured containers.
    The password recovery email for the Facebook account is the Google email and I never set up a recovery email for Google and don't remember the password recovery question.

    I haven't really used these accounts in a while. Plus it seemed like a fun learning exercise as well.
    Remy X likes this.
  14.    #14  
    So I've been browsing Impostah looking at the keys, I can't figure out what actually makes up the "keyName". Impsotah shows the keyname for all the accounts as "com.palm.service.accounts" but when I run fetchKey with that keyname it says key not found. Which makes sense, it would need to be unique.

    I've tied a variety of combinations, not sure what it's expecting.
  15. #15  
    Use ls-monitor to watch what's being sent across the service bus
    Remy X likes this.
  16. #16  
    trick is to use parameter "-a appId" in luna-send command.

    In Impostah's Key Store Exploration you can see KEY KIND list with pairs appid:keyname, for example 'service.accounts:++I4jEc0Qvce+ko4' ... so your magic command would be:
    luna-send -n 1 -a com.palm.service.accounts luna://com.palm.keymanager/fetchKey '{"keyname":"yourkeyhere"}'

    note: Impostah removed leading com.palm from appId in GUI, but you must use full appid in luna-send.

    You should see any non-hidden passwords this way ... tested with Skype and POP mail.
  17. #17  
    I think services like Google, Facebook, and Dropbox use tokens instead of authenticating each time. I haven't had a full look at how Google Synergy works, but I'd assume that's the case. Maybe Hotmail too.
  18. #18  
    You are mixing 2 different things ... how password is stored and how it is used.

    In this case we are discussing how passwords from various accounts are stored. For example 'Google' account is stored same way as Skype - in Key Store and can be easily obtained from running device.
  19. #19  
    Only if it is not configured to be hidden...

Posting Permissions