Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Trillian weakly encrypts saved passwords

From: "Brenna Primrose" <drxlecter () phreaker net>
Date: Mon, 9 Sep 2002 13:26:42 -0500
This bug has been known for at least a few months.  Nothing new here...

http://lists.insecure.org/vuln-dev/2002/Jun/0060.html



http://profiles.yahoo.com/absolut_contagion 
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t () creighton edu 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
G e* h- r++ x+ 
------END GEEK CODE BLOCK------
-----Original Message-----
From: Evan Nemerson [mailto:enemerson () coeus-group com] 
Sent: Monday, September 09, 2002 4:20 AM
To: bugtraq () securityfocus com; vulnwatch () vulnwatch org;
submissions () packetstormsecurity org; news () securiteam com
Subject: Trillian weakly encrypts saved passwords

Software:
Trillian 0.73, possibly other versions.

Issue:
Weak "encryption" of saved passwords.

Impact:
Decryption of saved passwords.

Vendor notified:
3 Sept., 2002. No response.

Severity:
Medium. ish. The program only works locally, and only if the subject 
has saved their password, and really if someone can get into your AIM 
account, how earth-shattering is that??? However, since a lot of people
use 
the same password for everything...

---------------------

Trillian is, according to trillian.cc, "...everything you need for
instant 
messaging. Connect to ICQR, AOL Instant Messenger(SM), MSN Messenger,
Yahoo! 
Messenger and IRC in a single, sleek and slim interface."

Upon examination of the Trillian directory (which defaults to C:\Program

Files\Trillian\ ), it appears that passwords are stored in ini files
that are 
located in {Path to Trillian}\users\{WindowsLogon}. The passwords are 
encrypted using a simple XOR with a key apparently uniform throughout
every 
installation.

The attached program takes, as command line argument(s), path(s) to
these INI 
files. It will then display a list of usernames, "encrypted" passwords,
and 
plaintext passwords.


Evan Nemerson
enemerson () coeus-group com
http://www.coeus-group.com
Previous By Date Next
Previous By Thread Next

Current thread: