Bugtraq mailing list archives
Re: Trillian weakly encrypts saved passwords
From: "jelmer" <jkuperus () xs4all nl>
Date: Mon, 9 Sep 2002 23:34:35 +0200
Not really relevant, as even when it would be encrypted with MD5 or whatever one could just copy and use the ini file on your own PC. A bigger problem imho is that the location is known and the content is textual; with all the recent local file reading exploits in MSIE this is nasty. I was already sent sample code for this a couple of weeks ago after I posted the xmldso thingie.

-- jelmer

----- Original Message -----
From: "Evan Nemerson" <enemerson () coeus-group com>
To: <bugtraq () securityfocus com>; <vulnwatch () vulnwatch org>; <submissions () packetstormsecurity org>; <news () securiteam com>
Sent: Monday, September 09, 2002 11:20 AM
Subject: Trillian weakly encrypts saved passwords
Software: Trillian 0.73, possibly other versions.
Issue: Weak "encryption" of saved passwords.
Impact: Decryption of saved passwords.
Vendor notified: 3 Sept., 2002. No response.
Severity: Medium. ish. The program only works locally, and only if the subject has saved their password, and really if someone can get into your AIM account, how earth-shattering is that??? However, since a lot of people use the same password for everything...

---------------------

Trillian is, according to trillian.cc, "...everything you need for instant messaging. Connect to ICQ®, AOL Instant Messenger(SM), MSN Messenger, Yahoo! Messenger and IRC in a single, sleek and slim interface."

Upon examination of the Trillian directory (which defaults to C:\Program Files\Trillian\ ), it appears that passwords are stored in ini files that are located in {Path to Trillian}\users\{WindowsLogon}. The passwords are encrypted using a simple XOR with a key apparently uniform throughout every installation.

The attached program takes, as command line argument(s), path(s) to these INI files. It will then display a list of usernames, "encrypted" passwords, and plaintext passwords.

Evan Nemerson
enemerson () coeus-group com
http://www.coeus-group.com
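The original post describes passwords stored in an INI file, XOR'd with one key shared by every installation, and an attached decoder that was not included in the archive. The block below is an added example (not Evan Nemerson's attached program, and not Trillian's real key or file layout) that shows why such a scheme is obfuscation rather than encryption: the fixed key `FIXED_KEY`, the INI layout in `SAMPLE_INI` and the account names are all constructed here. It goes one step beyond the post's decoder to show the underlying weakness: with a single known plaintext (any one saved password) the shared key falls out as ciphertext XOR plaintext, after which every other file encoded with the same scheme is readable. From a defender's view this is the property to look for when reviewing how a client persists credentials: a reversible transform with a key baked into the binary protects nothing once the file can be copied, which is exactly jelmer's point above.

```python
"""Added example: fixed-key XOR password storage is reversible by construction.

FIXED_KEY and SAMPLE_INI are constructed for this illustration; they are not
Trillian's key, nor its actual INI layout.
"""
import configparser

# Hypothetical installation-wide key (constructed; NOT the real Trillian key).
FIXED_KEY = bytes.fromhex("a5c3f19e7b2d6084")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, cycling the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_password(plaintext: str, key: bytes = FIXED_KEY) -> str:
    """Store a password the weak way: XOR with the fixed key, then hex-encode."""
    return xor_with_key(plaintext.encode("utf-8"), key).hex().upper()


def decode_password(stored_hex: str, key: bytes = FIXED_KEY) -> str:
    """XOR is its own inverse, so decoding is the same operation with the same key."""
    return xor_with_key(bytes.fromhex(stored_hex), key).decode("utf-8")


def recover_key(stored_hex: str, known_plaintext: str) -> bytes:
    """Given ONE stored value whose plaintext is known (e.g. a reviewer's own test
    account), the key is simply ciphertext XOR plaintext. The result repeats with
    the key period; slice it to the key length once that period is known.
    This is why a key that is uniform across installations offers no secrecy."""
    ciphertext = bytes.fromhex(stored_hex)
    plaintext = known_plaintext.encode("utf-8")
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


# Constructed INI mimicking "username plus 'encrypted' password" per profile.
# Section and key names are assumptions for the example, not Trillian's format.
SAMPLE_INI = (
    "[profile 0]\n"
    "name=alice\n"
    f"password={encode_password('hunter2')}\n"
    "\n"
    "[profile 1]\n"
    "name=bob\n"
    f"password={encode_password('correct horse')}\n"
)


def list_accounts(ini_text: str, key: bytes = FIXED_KEY):
    """Parse the INI text and return (username, stored value, plaintext) triples,
    which is what the post says its attached program printed."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    rows = []
    for section in cp.sections():
        stored = cp[section]["password"]
        rows.append((cp[section]["name"], stored, decode_password(stored, key)))
    return rows


if __name__ == "__main__":
    for name, stored, clear in list_accounts(SAMPLE_INI):
        print(f"{name:10s} {stored:30s} {clear}")
    # Demonstrate key recovery from a single known plaintext.
    recovered = recover_key(encode_password("correct horse"), "correct horse")
    print("recovered key prefix:", recovered[: len(FIXED_KEY)].hex())
```

Running the block prints each constructed profile with its stored value and plaintext, then shows that the first eight bytes recovered from one known password equal `FIXED_KEY`. The design point is that nothing in the file is secret except the key, and the key is the same everywhere, so the file itself is effectively plaintext to anyone who can read it; the mitigation is not a stronger reversible transform but keeping the secret out of a world-readable, predictably located file (or, at minimum, binding it to a per-user secret the OS protects).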
Current thread:
- Trillian weakly encrypts saved passwords Evan Nemerson (Sep 09)
- RE: Trillian weakly encrypts saved passwords Brenna Primrose (Sep 09)
- Re: Trillian weakly encrypts saved passwords Mike Benham (Sep 09)
- Re: Trillian weakly encrypts saved passwords jelmer (Sep 10)