Bugtraq mailing list archives

Trillian weakly encrypts saved passwords


From: Evan Nemerson <enemerson () coeus-group com>
Date: Mon, 9 Sep 2002 02:20:04 -0700

Software:
Trillian 0.73, possibly other versions.

Issue:
Weak "encryption" of saved passwords.

Impact:
Decryption of saved passwords.

Vendor notified:
3 Sept. 2002. No response.

Severity:
Medium, at best. The decryption program only works locally, and only if the 
user has saved their password; on its own, access to someone's AIM account is 
hardly earth-shattering. However, since a lot of people use the same password 
for everything, the recovered password is often the one they use elsewhere too.

---------------------

Trillian is, according to trillian.cc, "...everything you need for instant 
messaging. Connect to ICQ®, AOL Instant Messenger(SM), MSN Messenger, Yahoo! 
Messenger and IRC in a single, sleek and slim interface."

Upon examination of the Trillian directory (which defaults to C:\Program 
Files\Trillian\ ), it appears that passwords are stored in INI files located 
in {Path to Trillian}\users\{WindowsLogon}. The passwords are "encrypted" 
with a simple XOR against a key that appears to be the same in every 
installation. Because the key is fixed, anyone who knows one plaintext 
password (their own, for instance) can recover the key from the stored value 
and decrypt every other saved password with it.

The attached program takes, as command-line argument(s), the path(s) to these 
INI files. It then displays a list of usernames, "encrypted" passwords, and 
plaintext passwords.
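The following C program is an added example and is not the attached 
trillian-ini-decrypt.c. It parses a constructed INI snippet in the spirit of 
the saved-account files and shows why a key that is the same in every 
installation is fatal: one account whose password is already known (your own) 
yields the key by XORing the stored value with the plaintext, after which 
every other saved password decrypts. The key bytes, the 8-byte key length, 
the Name=/Password= field names and the hex encoding are all assumptions made 
for this demo; they are not Trillian's actual key or file format.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN   8
#define MAX_ACCTS 8
#define MAX_FIELD 64

/* Hypothetical 8-byte repeating XOR key: a stand-in for the demo, NOT Trillian's key. */
static const unsigned char DEMO_KEY[KEY_LEN] = { 0x5a, 0x3c, 0x91, 0xe7, 0x08, 0xb4, 0x6d, 0x2f };

/* Constructed sample INI (not a real Trillian file): one [section] per account,
 * Password= holding hex(plaintext XOR DEMO_KEY). alice = "letmein123", bob = "hunter2". */
static const char SAMPLE_INI[] =
    "[Account0]\nName=alice\nPassword=3659e58a6ddd031e680f\n"
    "[Account1]\nName=bob\nPassword=3249ff936dc65f\n";

struct account { char name[MAX_FIELD]; unsigned char pw[MAX_FIELD]; size_t pwlen; };

/* XOR buf in place with a repeating key; the same operation encrypts and decrypts. */
static void xor_repeating(unsigned char *buf, size_t len, const unsigned char *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % keylen];
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a hex string; returns byte count, or -1 on odd length, bad digit or overflow. */
static int hex_decode(const char *hex, unsigned char *out, size_t outcap)
{
    size_t n = strlen(hex);
    if (n % 2 || n / 2 > outcap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return (int)(n / 2);
}

/* Collect Name= and Password= lines per [section]. Returns account count or -1. */
static int parse_accounts(const char *ini, struct account *acc, int max)
{
    int n = -1;                          /* current account; -1 until first [section] */
    for (const char *p = ini; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (linelen >= sizeof line) return -1;
        memcpy(line, p, linelen); line[linelen] = '\0';
        if (line[0] == '[') {
            if (++n >= max) return -1;
            memset(&acc[n], 0, sizeof acc[n]);
        } else if (n >= 0 && strncmp(line, "Name=", 5) == 0) {
            snprintf(acc[n].name, MAX_FIELD, "%s", line + 5);
        } else if (n >= 0 && strncmp(line, "Password=", 9) == 0) {
            int r = hex_decode(line + 9, acc[n].pw, MAX_FIELD - 1);
            if (r < 0) return -1;
            acc[n].pwlen = (size_t)r;
        }
        p = eol ? eol + 1 : p + linelen;
    }
    return n + 1;
}

/* Decrypt one account's stored password into out (NUL-terminated, MAX_FIELD bytes). */
static void decrypt_password(const struct account *a, const unsigned char *key, size_t keylen, char *out)
{
    memcpy(out, a->pw, a->pwlen);
    xor_repeating((unsigned char *)out, a->pwlen, key, keylen);
    out[a->pwlen] = '\0';
}

/* Known-plaintext attack: key[i] = cipher[i] ^ plain[i]. Positions past keylen must
 * agree with the earlier ones, otherwise the key-length guess is wrong (-1). */
static int recover_key(const unsigned char *cipher, const char *plain, size_t len,
                       unsigned char *key, size_t keylen)
{
    size_t got = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char k = cipher[i] ^ (unsigned char)plain[i];
        if (i < keylen) { key[i] = k; got++; }
        else if (key[i % keylen] != k) return -1;
    }
    return (int)got;
}

int main(void)
{
    struct account acc[MAX_ACCTS];
    int n = parse_accounts(SAMPLE_INI, acc, MAX_ACCTS);
    if (n < 0) { fprintf(stderr, "bad ini\n"); return 1; }
    /* The attacker knows only their own (alice's) password; that alone yields the shared key... */
    unsigned char key[KEY_LEN];
    if (recover_key(acc[0].pw, "letmein123", acc[0].pwlen, key, KEY_LEN) != KEY_LEN) return 1;
    /* ...and with a key that is the same everywhere, every other saved password falls. */
    for (int i = 0; i < n; i++) {
        char plain[MAX_FIELD];
        decrypt_password(&acc[i], key, KEY_LEN, plain);
        printf("%-8s %s\n", acc[i].name, plain);
    }
    return 0;
}
```

The consistency check in recover_key is what tells an analyst the guessed key 
length is right: with a repeating key, ciphertext bytes past the key length 
must XOR to the same key bytes as the ones before, so a wrong guess fails on 
the first wrapped position rather than producing garbage silently.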


Evan Nemerson
enemerson () coeus-group com
http://www.coeus-group.com



Attachment: trillian-ini-decrypt.c