[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.63.0508020640370.11701@forced.attrition.org>
Date: Tue, 2 Aug 2005 06:51:19 -0400 (EDT)
From: security curmudgeon <jericho@...rition.org>
To: bugtraq@...urityfocus.com
Cc: Suramya Tomar <security@...amya.com>
Subject: Re: Trillian Ver 3.1 saves password's in plain Text
Hi Suramya,
: I was playing around with Trillian Pro 3.1 Build 121 and noticed a very
: disturbing behavior when using it to check my yahoo mail.
:
: When you choose the option to check your yahoo email from Trillian (The
: little connection ball -> Check Yahoo Mail) it creates a temp file in
: the <Install Directory>\users\default\cache with a random name that
: contains the yahoo password in *clear text* and this file is world
: readable. This would be somewhat ok if the file was deleted as soon as
: the login was done but the file just sits there till you exit out of
: trillian. Logging out doesn't erase the file. I have watched the file
: exist on my system for over two weeks.
:
: I have duplicated this with Trillian 3.0 Basic and Pro also. Tested on
: Windows XP Pro and Windows 2000.
I have Trillian Pro 3.1 Build 121 on Windows XP and can't duplicate this
behavior. I have a YIM, ICQ, AIM and several Jabber accounts. My cache
directory has several files in it; buddy type icon files for various
AIM/YIM users, graphics for plugins, etc. In fact, every single file in
there is JPEG, GIF or PNG.
Doing a case insensitive grep through all the files, I can't find any
trace of any of my passwords in any file in this directory. All of the
files are dated 08/01/2005 shortly after I started Trillian up after
returning from out of town.
Could this occur the first time you set up a specific protocol/account,
and that cache file is erased upon Trillian restart? If so, that would
still be an issue, although considerably less severe. If not that, is
there anything else being done differently here?
: I have attempted to contact Cerulean Studios multiple times before
: releasing this using their webform, email and forums over the past month
: but havn't heard anything back from them. My last attempt to contact
: them was on 06/13/2005. Since I havn't heard anything from them I am
: sending this to Bugtraq.
Before 3.x (i think), Trillian had a way to submit bugs/feedback from
within the program, and all of my reports were responded to within 24
hours. Since 3.x I believe that feature is gone. Doesn't help you, just a
side comment =) Would be nice to see Cerulean bring this back.
Powered by blists - more mailing lists