lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 28 Feb 2012 00:14:49 +0200
From: Dimitris Glynos <dimitris@...sus-labs.com>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: pidgin OTR information leakage

On 02/27/2012 11:23 PM, devnull@...age.com wrote:
> 
> I believe that clarification is in order.

Indeed it is. The original post mentions a same-user attack
vector which is very misleading as to what the real problem here is.

And it boils down to this:

Once a process sends private info over DBUS there is no way
to control where this ends up (which apps are the qualified receivers)
or what the receivers do with it. So, if for example the user
selects not to log OTR plaintext (so that this sensitive information
doesn't touch the hard drive) another application on the other end
of DBUS might choose to do something different (and not by malicious
intent). There is no way to enforce the same security policy on the
sender and the receivers.

How this could be exploited by attackers or what forensic evidence
DBUS snooping leaves are of much less importance than the above
privacy issue.

There is a very good discussion on the pidgin ticket page:
http://developer.pidgin.im/ticket/14830

Also, I've made some updates to our post, to make it clearer
as to what this issue is about:

http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/

If there are still questions, I'll be happy to answer them.

Hope this clarifies things a bit,

Dimitris

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists