Message-ID: <7312db970511290202y4a1897d6ic34768dcc9e682b@mail.gmail.com>
Date: Tue Nov 29 10:02:57 2005
From: 6ackpace at gmail.com (6ackpace)
Subject: Google Talk cleartext credentials in process memory

Hi,

If I am right, Google Talk Beta Messenger cleartext credentials in process
memory still exist in the current version.
Google's answer for this issue:
plain char -> hex char



6ackpace

On 11/29/05, Jaroslaw Sajko <sloik@...areal.net> wrote:
>
> pagvac wrote:
> > Title: Google Talk Beta Messenger cleartext credentials in process memory
> >
> >
> > Description
> >
> > Google Talk stores all user credentials (username and password) in
> > clear-text in the process memory. Such vulnerability was found on
> > August 25, 2005 (two days after the release of Google Talk) and has
> > already been patched by Google.
> >
> > This issue would occur regardless of whether the "Save Password"
> > feature was enabled or not.
>
> The same issue concerns many applications, ie. Gadu-Gadu - another
> instant messenger. In my opinion such "vulnerabilities" are not worthy
> publishing (for Gadu-Gadu we have not published this kind of software
> behaviour) because if you can dump other user process or trick him to
> execute any code then reading the password from the process memory is
> only one of many things which you can do.
>
> regards,
> js
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
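
Added example, not part of the original messages: a self-audit check a developer could run over a memory snapshot of their own client after logging in with a throwaway test credential. It shows that a password re-encoded as hex characters, the change described in the message above, is located as easily as the plaintext. The credential, buffers and function names are constructed for illustration.

```python
import binascii

def encodings_of(secret: str) -> dict:
    """Byte patterns under which a known test secret may sit in memory."""
    raw = secret.encode("utf-8")
    hex_lower = binascii.hexlify(raw)            # "plain char -> hex char"
    candidates = {
        "utf8": raw,
        "utf16le": secret.encode("utf-16-le"),   # Windows wide-char strings
        "hex": hex_lower,
        "HEX": hex_lower.upper(),
        "hex-utf16le": hex_lower.decode().encode("utf-16-le"),
    }
    # Drop duplicate patterns (e.g. an all-digit hex string has no case).
    unique, seen = {}, set()
    for name, pattern in candidates.items():
        if pattern not in seen:
            seen.add(pattern)
            unique[name] = pattern
    return unique

def audit_buffer(buf: bytes, secret: str) -> list:
    """Return (encoding, offset) for every occurrence of the secret in buf."""
    hits = []
    for name, pattern in encodings_of(secret).items():
        start = buf.find(pattern)
        while start != -1:
            hits.append((name, start))
            start = buf.find(pattern, start + 1)
    return sorted(hits, key=lambda h: h[1])

# Constructed snapshots of a client's memory after login with a test account.
SECRET = "Tr0ub4dor"
PREFIX = b"\x00" * 16 + b"user@example.com\x00"
PLAIN_SNAPSHOT = PREFIX + SECRET.encode() + b"\x00"
HEX_SNAPSHOT = PREFIX + binascii.hexlify(SECRET.encode()) + b"\x00"
WIPED_SNAPSHOT = PREFIX + b"\x00" * 19   # buffer overwritten after use

if __name__ == "__main__":
    for label, snap in [("plain", PLAIN_SNAPSHOT), ("hex", HEX_SNAPSHOT),
                        ("wiped", WIPED_SNAPSHOT)]:
        print(label, audit_buffer(snap, SECRET))
```

Only the wiped snapshot comes back clean; the hex-encoded copy is reported at the same offset as the plaintext one.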