| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Nov 29 10:24:17 2005 From: unknown.pentester at gmail.com (pagvac) Subject: Google Talk cleartext credentials in process memory Jaroslaw, thanks for your post. You're right, the same issue occurs in *many* applications. However, any vendor that is serious about security should at least attempt to obfuscate the credentials in the process memory (IMHO). I just published the advisory to let the public know that Google "fixed" this problem, that's all. However I respect your opinion and appreciate your post. On 11/29/05, Jaroslaw Sajko <sloik@...areal.net> wrote: > pagvac wrote: > > Title: Google Talk Beta Messenger cleartext credentials in process memory > > > > > > Description > > > > Google Talk stores all user credentials (username and password) in > > clear-text in the process memory. Such vulnerability was found on > > August 25, 2005 (two days after the release of Google Talk) and has > > already been patched by Google. > > > > This issue would occur regardless of whether the "Save Password" > > feature was enabled or not. > > The same issue concerns many applications, ie. Gadu-Gadu - another > instant messenger. In my opinion such "vulnerabilities" are not worthy > publishing (for Gadu-Gadu we have not published this kind of software > behaviour) because if you can dump other user process or trick him to > execute any code then reading the password from the process memory is > only one of many things which you can do. > > regards, > js > -- pagvac (Adrian Pastor) www.ikwt.com - In Knowledge We Trust -- pagvac (Adrian Pastor) www.ikwt.com - In Knowledge We Trust
Powered by blists - more mailing lists