Date: Fri, 29 Jul 2005 23:50:33 -0400
From: Suramya Tomar <security@...amya.com>
To: bugtraq@...urityfocus.com
Subject: Trillian Ver 3.1 saves passwords in plain text


Hi Everyone,

I was playing around with Trillian Pro 3.1 Build 121 and noticed a very 
disturbing behavior when using it to check my Yahoo mail.

When you choose the option to check your Yahoo email from Trillian (the 
little connection ball -> Check Yahoo Mail) it creates a temp file in 
<Install Directory>\users\default\cache with a random name that 
contains the Yahoo password in *clear text*, and this file is world 
readable. This would be somewhat OK if the file was deleted as soon as 
the login was done, but the file just sits there till you exit out of 
Trillian. Logging out doesn't erase the file. I have watched the file 
exist on my system for over two weeks.

Now I shouldn't have to tell you why having a file like this with a 
password in clear text is such a bad idea. All anyone needs is 2 mins 
unsupervised on a computer that uses Trillian and they will have the 
user's password, and since a lot of people use the same password for 
various sites this will compromise a lot of other accounts too.

In my opinion the file shouldn't contain the password in the first place 
but even if it *has* to have the password it should be deleted as soon 
as the login is done and not sit there for over two weeks.

I have duplicated this with Trillian 3.0 Basic and Pro also. Tested on 
Windows XP Pro and Windows 2000.

I have attempted to contact Cerulean Studios multiple times before 
releasing this, using their webform, email and forums over the past month, 
but haven't heard anything back from them. My last attempt to contact 
them was on 06/13/2005. Since I haven't heard anything from them I am 
sending this to Bugtraq.

If you have any questions/comments about this let me know.

Thanks,
  Suramya

-- 
----------------------------------------------------------
Mountain Dew and doughnuts... because breakfast is the
most important meal of the day
----------------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------

************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************
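An added example, not part of the original post or of Trillian's code, showing both sides of the issue described above: a self-audit that scans a cache directory for files still holding a given credential and reports whether they are world-readable, and a scoped temp file that is owner-only and is wiped and deleted as soon as the login step finishes rather than lingering until exit. The directory layout, file names and the secret value are constructed for the demo; `demo()` builds the scenario in a throwaway directory.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

def find_credential_residue(cache_dir, secret):
    """[(path, world_readable)] for files under cache_dir containing `secret`."""
    needle = secret.encode()
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or already gone
            if needle in data:
                hits.append((path, bool(os.stat(path).st_mode & stat.S_IROTH)))
    return hits

@contextmanager
def scoped_secret_file(directory, secret):
    """Owner-only temp file holding `secret`, wiped+deleted when the block ends."""
    fd, path = tempfile.mkstemp(dir=directory)  # mkstemp creates it 0o600 on POSIX
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(secret.encode())
        yield path
    finally:
        try:
            with open(path, "r+b") as fh:
                fh.write(b"\0" * os.path.getsize(path))  # best-effort overwrite
        finally:
            os.unlink(path)

def demo(secret="hunter2-constructed"):
    """Constructed scenario: a lingering world-readable cache file vs. a scoped one."""
    with tempfile.TemporaryDirectory() as cache:
        leaky = os.path.join(cache, "cache-constructed.tmp")
        with open(leaky, "w") as fh:
            fh.write("user=alice\npassword=" + secret + "\n")
        os.chmod(leaky, 0o644)  # world-readable, like the file described in the post
        before = find_credential_residue(cache, secret)
        with scoped_secret_file(cache, secret) as path:
            during = len(find_credential_residue(cache, secret))
            scoped_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
        after = len(find_credential_residue(cache, secret))
        return {"leaky": before == [(leaky, True)], "during": during,
                "scoped_world_readable": scoped_readable, "after_exit": after}
```

Running `demo()` shows the constructed cache file is found and world-readable, the scoped file is never world-readable, and only the lingering cache file remains once the scoped block exits. The permission bits are POSIX semantics; on Windows the equivalent check is the file's ACL.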
