Apache OpenOffice (AOO) Bugzilla – Issue 106012
Word Completion: default OFF/First word typed Warning
Last modified: 2013-08-07 14:38:26 UTC
My laptop (Lenovo T61 wide screen) hard drive died a month or so ago. It was replaced under warranty from Lenovo, along with the Windows OS, but I've been gradually restoring my apps and files. I discovered that I don't have the MSOffice apps, so I installed OpenOffice 3 and have been beginning to use it. I was just using it to write a letter. To my shock, a word I was starting to type was autocompleted with one of my passwords. Navigating through the OO help, I discovered an autocomplete list that included dozens of passwords, along with many URLs I've accessed, login IDs, and other stuff. That function area also included a "collect words" box, apparently checked by default, which I unchecked. I also deleted all the passwords from the list and turned off all the autocorrection I could find. That's bad enough, but where did OpenOffice get those passwords? Many of them I haven't used for years, certainly not since installing OO, and all I can think of is that it found them in some file that I had restored. Does OO, on installation, harvest autocompletion vocabulary from files it seeks out on the machine? I can see doing that for a custom vocabulary list from a spellchecker or a speech recognition program. These may have been in autocompletion files from my old browser installations. I never expected them to show up in a letter. This is dangerous! (I have conservatively chosen priority 3, rather than 2. What happens if typists less attentive than me start sending out passwords in their letters and blog posts? And I have chosen "editing" as the subcomponent, but "open-import" might be appropriate as well. If so, note that I didn't choose what files to open and import vocabulary from.)
We had a similar Issue 105930 with a simple (non-virus) explanation for the observations! @urttakkadigakku: Please check whether you can find similarities! Maybe you can uninstall, rename your user data profile, install again and report your results?
Thank you. These word completions were almost certainly taken from a document that I had opened in OO. One of the first things I did after replacing the hard drive was to open my list of websites and passwords. Having deleted the passwords from OO's autocompletion list and turned off the "collect words" feature, I should not have to uninstall, etc., as you suggest. **HOWEVER**, I did not realize that OO would scan any document I opened for vocabulary, rather than just looking at my live input. This feature can be very useful, but making it the app's default behavior is a serious bug. Status still unresolved. Since the same problem has been reported already, I consider this issue CONFIRMED and am checking "Reassign issue to owner of selected subcomponent". I hope that goes through. I am new to OO and this forum and can't spend a lot of time on this.
Currently I see this more as a worrying thing than a security issue. Any ideas how we should handle that? Preference "no collection" after each installation?
I tend not to see this as a security issue.
1) The list is deleted every time OOo restarts.
2) Of course the algorithm cannot make a difference between "this is a password and this is not".
3) We cannot warn the user every time he types a word: "this word has been added to word completion".
The only thing we could do is like browsers do when entering something the first time in a form: "Do you want to activate the Word completion...[Details]... Yes/Never/Remind me later". And this is an enhancement.
Pro: more awareness about this feature.
Cons: we usually switch features ON in order for them to be used. But the warning would give the awareness we want to have.
@urttakkadigakku, allow me some remarks:
- That's not a very good practice to write down your passwords...
- It means that the first 3 letters of 1 of your passwords are the first 3 letters of a common word (else you wouldn't have been sooo surprised to see your password) ;) -> bad
- At least it means that your password is >= 10 characters (default for triggering the word completion) -> good :)