[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a5e4c8305080305485ec93d93@mail.gmail.com>
Date: Wed, 3 Aug 2005 08:48:29 -0400
From: Technica Forensis <forensis.technica@...il.com>
To: security curmudgeon <jericho@...rition.org>
Cc: bugtraq@...urityfocus.com, Suramya Tomar <security@...amya.com>
Subject: Re: Trillian Ver 3.1 saves password's in plain Text
> I have Trillian Pro 3.1 Build 121 on Windows XP and can't duplicate this
I can, with that exact same build. My system is never shutdown so
Trillian is always on. There are files in there that are several
weeks old that contain my yahoo! username and password. The files are
all named /sfd\d\d\.html/ and contain the lines:
<html>
<head>
<script>
<!-- var username; username='########'; var password;
password='########'; function submit () {
document.getElementById('login').value=username;
document.getElementById('passwd').value=password;
document.getElementById('login_form').submit(); }; //--> </script>
</head> <body onLoad='submit();'> <form method=post
action="https://login.yahoo.com/config/login"
and so on, and so on...
It's seems to me this file should be deleted as soon as the connection
is made instead of on exit. Definately something that needs to be
fixed.
Powered by blists - more mailing lists