Message-ID: <Pine.LNX.4.63.0508020640370.11701@forced.attrition.org>
Date: Tue, 2 Aug 2005 06:51:19 -0400 (EDT)
From: security curmudgeon <jericho@...rition.org>
To: bugtraq@...urityfocus.com
Cc: Suramya Tomar <security@...amya.com>
Subject: Re: Trillian Ver 3.1 saves password's in plain Text



Hi Suramya,

: I was playing around with Trillian Pro 3.1 Build 121 and noticed a very 
: disturbing behavior when using it to check my yahoo mail.
: 
: When you choose the option to check your yahoo email from Trillian (The 
: little connection ball -> Check Yahoo Mail) it creates a temp file in 
: the <Install Directory>\users\default\cache with a random name that 
: contains the yahoo password in *clear text* and this file is world 
: readable. This would be somewhat ok if the file was deleted as soon as 
: the login was done but the file just sits there till you exit out of 
: trillian. Logging out doesn't erase the file. I have watched the file 
: exist on my system for over two weeks.
: 
: I have duplicated this with Trillian 3.0 Basic and Pro also. Tested on 
: Windows XP Pro and Windows 2000.

I have Trillian Pro 3.1 Build 121 on Windows XP and can't duplicate this 
behavior. I have a YIM, ICQ, AIM and several Jabber accounts. My cache 
directory has several files in it: buddy-type icon files for various 
AIM/YIM users, graphics for plugins, etc. In fact, every single file in 
there is JPEG, GIF or PNG.

Doing a case insensitive grep through all the files, I can't find any 
trace of any of my passwords in any file in this directory. All of the 
files are dated 08/01/2005 shortly after I started Trillian up after 
returning from out of town.

Could this occur the first time you set up a specific protocol/account, 
and that cache file is erased upon Trillian restart? If so, that would 
still be an issue, although considerably less severe. If not that, is 
there anything else being done differently here?

: I have attempted to contact Cerulean Studios multiple times before 
: releasing this using their webform, email and forums over the past month 
: but haven't heard anything back from them. My last attempt to contact 
: them was on 06/13/2005. Since I haven't heard anything from them I am 
: sending this to Bugtraq.

Before 3.x (I think), Trillian had a way to submit bugs/feedback from 
within the program, and all of my reports were responded to within 24 
hours. Since 3.x I believe that feature is gone. Doesn't help you, just a 
side comment =) Would be nice to see Cerulean bring this back.
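A defender-side check that reproduces what the reply above describes (a case-insensitive search of the cache directory for a known password, plus a look at whether every file really is JPEG, GIF or PNG), written as an added example that is not part of the original thread. The directory layout, the file name `a8f3k2` and the password `Hunter2` are constructed stand-ins, not values from the report.

```python
import tempfile
from pathlib import Path

# Signatures of the only file types the reply expects to see in the cache.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
    b"\x89PNG\r\n\x1a\n": "PNG",
}


def image_type(data):
    """Name of the image format whose signature data starts with, else None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def audit_cache(cache_dir, secrets):
    """Scan every file under cache_dir for the given secrets (case-insensitive).

    Returns (leaks, non_images): leaks maps a relative path to the secrets
    found in it; non_images lists files that are not JPEG/GIF/PNG.
    """
    cache_dir = Path(cache_dir)
    needles = [(s, s.lower().encode()) for s in secrets]
    leaks, non_images = {}, []
    for path in sorted(p for p in cache_dir.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(cache_dir).as_posix()
        if image_type(data) is None:
            non_images.append(rel)
        hits = [s for s, needle in needles if needle in data.lower()]
        if hits:
            leaks[rel] = hits
    return leaks, non_images


def demo():
    """Constructed cache: one real-looking icon plus a leaked-password file."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "users" / "default" / "cache"
        cache.mkdir(parents=True)
        (cache / "buddy1.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        # Assumed stand-in for the random-named temp file; "Hunter2" is made up.
        (cache / "a8f3k2").write_bytes(b"login=alice&passwd=Hunter2\r\n")
        return audit_cache(cache, ["hunter2"])
```

Run `demo()` to see the constructed case; point `audit_cache` at a real `users\default\cache` directory with your own account passwords to repeat the check the reply did with grep.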
