Prompt for keyring password on Linux GNOME: security concerns

Our organisation has set up some Ubuntu GNOME machines with Auto-Login (no password required for login) and Brave. In a recent security audit we noticed that the first time Brave runs after system startup (or login) it prompts (see illustration here):

Enter password to unlock your login keyring. The login keyring did not get unlocked when you logged into your computer.

By default the password expected here is the password for the logged-in Linux account: a password that our workflow dictates shouldn’t be keyed in anywhere because of the auto-login. But (to make a long story short) unfortunately a bunch of users entered the high-security login password here and now we are trying to find exactly where this information has passed through our systems & their software.

I have an I.T. and development background but still I’m having trouble answering this precisely, e.g.:

  • is it the GNOME Keyring that’s popping up that dialogue box: to unlock the keyring upon Brave’s request?
  • … OR is Brave prompting for the password, to temporarily store the cleartext password and unlock the keyring on its own?
  • … AND IF Brave is prompting for that password, is this done by Brave’s open source code, or is it from one of the Chromium components that might be included from a library without source code?

I understand there are ways of manipulating the login keyring: to remove the password, reset it, and use a different keyring: and we would use these in the future to prevent this problem from happening again. But in the short term we would really like to trace the exposure of any passwords entered in this particular dialogue box so we can pass this security audit and continue using Brave in our workflow.

(observations are on Ubuntu 22.04 and a few months of Brave revisions up through Version 1.61.109)

@rphair short basic answer without me looking too deep into what you’re saying, Brave just is prompting for keyring because it uses that for encryption. Everything is maintained locally and nothing given to the internet or to Brave. Similar situation as to what Chrome does.

I think so? Usually I’d rely on @Mattches to answer this one but I think he’s still on vacation along with most of the other Support. Might not be until next week or so can get better replies here.

I may also tag in @JimB1, another user, just in case he ends up available and able to help answer.

Not sure if it will help, but also want to throw in links below in case might paint some info for you:

https://bbs.archlinux.org/viewtopic.php?id=246020

Thanks @Saoiray for tagging those others and I’m happy to wait for whatever information they might provide in a more specific answer.

:point_up: This is correct.

Thanks @Mattches @Saoiray - so on GNOME systems configured for auto-login, by default a user running Brave enters their login password into the GUI (dialogue box) of whatever PAM module unlocks the keyring. That password never goes near Brave or any of its components.

If anyone knows of a security risk for these components of GNOME then I hope they will please post. Otherwise I would say the security exposure for passwords entered there would be the same as what you have from entering that password to log in with GNOME’s display manager.

1 Like

That’s correct. If you were running KDE, then it would be the KDE wallet popping up to ask for a password.

Neither the Brave Browser nor Brave Software (the company) sees the password that users type.

That’s how I would describe it as well.

1 Like

The only such component (a library with executable code) in Brave that I’m aware of is the Widevine DRM module that is downloaded and installed the first time a user goes to a site that requires it and that user says yes to the install prompt.

Besides that, all of the code which comes from Chromium in Brave is imported from the upstream source code repository and built from source by Brave. There are some exceptions for the Android and iOS versions of Brave due to requirements outside of our control when integrating with OS features, but for desktop, as far as I know it’s just Widevine, which is optional and not installed by default.

There are a bunch of data structures that come from Chromium and are downloaded at run-time (e.g. Safe Browsing, TLS revocation lists – see brave://components/), but none of those are libraries with executable code.

1 Like

Depending on what your setup actually looks like, you may want to look into these command-line options:
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/password_storage.md.

We don’t generally recommend the basic password store because it means that passwords and cookies are stored in plain text on disk, but for example if your company setup disables the password manager by policy, and then cookies and data are cleared on exit (e.g. the disk is ephemeral, or the Brave profile is deleted), then this insecure storage backend may be okay.

1 Like

Thanks, this clarification is also very helpful (to clarify the situation in a good way) :sunglasses:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.