Date: Fri, 26 Jun 2009 10:36:22 -0300
From: Gabriel Menezes Nunes <gab.mnunes@...il.com>
To: bugtraq@...urityfocus.com
Subject: Trillian SSL Certificate Vulnerability

Trillian SSL Certificate Vulnerability

I. The Vulnerability

Trillian does not check the SSL certificate before sending MSN user credentials. An attacker is able to obtain the MSN username and password with a spoofed certificate, and no alert is generated to the user.

This vulnerability was found in Trillian Basic 3.1. Other versions and/or protocols may also be affected.

II. Disclosure Timeline

06/19/2009 - Vendor contact.
06/26/2009 - No answer. Public Disclosure.

III. Vendor

http://www.ceruleanstudios.com/

IV. Credit

Gabriel Menezes Nunes <gab.mnunes [at] gmail (dot) com>
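The class of flaw reported above, shown as an added Python example that is not part of the original advisory and is not Trillian's code: a TLS client context that accepts any certificate, next to one that validates the chain and host name, with a guard that refuses to write credentials over an unverified channel. All function names and the host name in the comments are hypothetical.

```python
import socket
import ssl


class UnverifiedChannelError(Exception):
    """Raised when credentials would be sent without certificate checks."""


def unverified_context() -> ssl.SSLContext:
    """Client context that accepts any certificate (the flawed behaviour)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # chain of trust is never validated
    return ctx


def verified_context() -> ssl.SSLContext:
    """Client context that validates the chain and the host name."""
    # The defaults already set CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """List the settings that would let a spoofed certificate through."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the host")
    return findings


def send_credentials(host: str, port: int, ctx: ssl.SSLContext,
                     payload: bytes) -> int:
    """Send payload only over a channel whose certificate was verified."""
    findings = audit_context(ctx)
    if findings:
        # Fail closed before any network I/O takes place.
        raise UnverifiedChannelError("; ".join(findings))
    with socket.create_connection((host, port), timeout=10) as raw:
        # The handshake happens inside wrap_socket; a spoofed certificate
        # raises ssl.SSLCertVerificationError before sendall() is reached.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return len(payload)

# Usage (hypothetical host): send_credentials("login.example.invalid", 443,
#                                             verified_context(), b"...")
```
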