lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 2 Aug 2005 15:20:40 -0700
From: "Darren Pilgrim" <dmp@...freak.org>
To: "'security curmudgeon'" <jericho@...rition.org>,
	<bugtraq@...urityfocus.com>
Cc: "'Suramya Tomar'" <security@...amya.com>
Subject: RE: Trillian Ver 3.1 saves password's in plain Text


From: security curmudgeon [mailto:jericho@...rition.org] 
> : I was playing around with Trillian Pro 3.1 Build 121 and noticed
> : a very disturbing behavior when using it to check my yahoo mail.
> : 
> : When you choose the option to check your yahoo email from
> : Trillian (The little connection ball -> Check Yahoo Mail) it
> : creates a temp file in the <Install
> : Directory>\users\default\cache with a random name that contains
> : the yahoo password in *clear text* and this file is world 
> : readable. This would be somewhat ok if the file was deleted as
> : soon as the login was done but the file just sits there till you
> : exit out of trillian. Logging out doesn't erase the file. I have
> : watched the file exist on my system for over two weeks.
> : 
> : I have duplicated this with Trillian 3.0 Basic and Pro also.
> : Tested on Windows XP Pro and Windows 2000.
> 
> I have Trillian Pro 3.1 Build 121 on Windows XP and can't
> duplicate this behavior.

Did you use the "Check Yahoo! Mail..." function?

I'm running v3.1 Basic, Build 121, running on Windows XP Pro SP2.  When
I started Trillian, there were just image files in the cache directory
as you describe.  When I used the "Check Yahoo! Mail" function as
described by the OP, an HTML file was created in the cache folder.  The
contents of the file is a form containing, among other information,
these lines:

username='<my Yahoo! username in plaintext>';
password='<my Yahoo! password in plaintext>';

The filename used is insufficiently random to provide any real benefit.
The file names used (in order used) were:

sfd27.html
sfd67.html
sfd96.html
sfd82.html
sfd36.html
sfd3.html

I also checked this behavior with MSN and AIM:

With the "Check Hotmail..." function, a temporary HTML form file is also
created but the Passport login uses a hash-based authentication
mechanism.  The temp file is similarly long-lived, but the hash is
different each time a new temp file is created.

AIM's "Check AOL Mail" function didn't result in the creation of a temp
file like those used for Yahoo! and MSN.  I don't have an AOL mail
account and that may have been a factor.

I do agree that the temp files are poor implementation.  There's no
reason to store such single-use information on disk.  But then I suppose
this is fairly moot, since all of the passwords are stored as a
reversible hash in static files in the user's directory.

Powered by blists - more mailing lists