Open Source and information security mailing list archives
Message-ID: <20090715181916.26995.qmail@securityfocus.com>
Date: 15 Jul 2009 18:19:16 -0000
From: gursev.kalra@...ndstone.com
To: bugtraq@...urityfocus.com
Subject: Mobile Rediff Username and Password Disclosure

Advisory Title: Mobile Rediff Username and Password Disclosure
Advisory ID: FSSA-2009-0402
Author: Gursev Kalra (gursev.kalra@...ndstone.com)
Application: MobileRediff 1.04 by http://www.rediff.com/ 
Vendor Contact Date: 4/24/2009 (Vendor notified by email)
Release Date: 7/15/2009
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in the same way.
Severity: Medium (Information Disclosure)
Vendor Status: No Response received

Overview:
The Rediffmail component of the MobileRediff application (Version 1.04) allows username and password disclosure.

Details:
The RediffMail component of the MobileRediff application (Version 1.04) has a “Remember Me” function. When a user selects this option, the mobile application writes the user’s username and password to phone storage in clear text, without encryption. If the phone is lost or stolen, or if any other person is able to access the file system on the phone, the stored username and password can be compromised.
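To show what an auditor checks for in a “Remember Me” store of this kind, here is an added, constructed illustration (not Rediff's code, and not taken from the advisory): a clear-text store like the one described above, a variant that keeps a revocable per-device token instead of the password, and an audit routine that flags a password written to storage in clear text. The file names, the token and the POSIX permission check are assumptions for the demonstration.

```python
import json
import os
import secrets
import tempfile

# Constructed illustration of a "Remember Me" credential store: first the
# behaviour the advisory describes (clear-text write), then a safer design.

def vulnerable_remember_me(store_path, username, password):
    """Write the username and password to phone storage in clear text."""
    with open(store_path, "w", encoding="utf-8") as f:
        json.dump({"user": username, "pass": password}, f)

def hardened_remember_me(store_path, username, device_token):
    """Persist a revocable per-device token instead of the password, and
    restrict the file to its owner (assumes a POSIX permission model)."""
    if os.path.exists(store_path):
        os.remove(store_path)  # drop any earlier clear-text copy
    fd = os.open(store_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump({"user": username, "token": device_token}, f)

def audit_store(store_path, password):
    """Return a list of findings for the store; an empty list means it passed."""
    findings = []
    with open(store_path, "rb") as f:
        data = f.read()
    if password.encode("utf-8") in data:
        findings.append("password stored in clear text")
    if os.name == "posix":
        mode = os.stat(store_path).st_mode & 0o777
        if mode & 0o077:
            findings.append("store readable by other accounts (mode %o)" % mode)
    return findings

def run_demo():
    """Audit both variants in a scratch directory: (vulnerable, hardened) findings."""
    with tempfile.TemporaryDirectory() as d:
        store = os.path.join(d, "rediffmail.cfg")  # assumed file name
        vulnerable_remember_me(store, "alice", "S3cret-pass")
        vulnerable = audit_store(store, "S3cret-pass")
        # secrets.token_urlsafe stands in for a server-issued, revocable token
        hardened_remember_me(store, "alice", secrets.token_urlsafe(32))
        hardened = audit_store(store, "S3cret-pass")
    return vulnerable, hardened

if __name__ == "__main__":
    print(run_demo())
```

Even the hardened store is exposed on a lost phone; the difference is that a device token can be revoked server-side, whereas a clear-text password cannot be taken back.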

Vendor Response: 
No Response

Workaround: 
Do not enable the “Remember Me” (store username and password) option in the Rediffmail component of the Mobile Rediff application.

For questions and comments please send an email to:
research@...ndstone.com

Foundstone Vulnerability Research Advisory Archive:
http://www.foundstone.com/research/advisories
