Bugtraq mailing list archives
Re: Trillian Ver 3.1 saves password's in plain Text
From: Suramya Tomar <security () suramya com>
Date: Fri, 05 Aug 2005 22:01:16 -0400
Hi Patrick,
> I'd just like to add that, while it may not be relevant, Gaim does the same thing (in Window$). It stores the passwords in plain text, in the User accounts directory (i.e. c:\documents and settings\user123). More on that here. <http://gaim.sourceforge.net/plaintextpasswords.php>

I agree with you that gaim stores the password in plain text also, but there are the following differences that make gaim more secure than Trillian:
* Gaim by default doesn't save any passwords; you have to tell it to save them. Trillian on the other hand saves all the passwords without any prompting at all. (These include the AOL/Yahoo/MSN passwords.)
* Trillian stores the password in the <Install Directory>/users/default/cache directory, which is a world-readable directory. Gaim on the other hand stores it in c:\documents and settings\<Username>\Application Data\.gaim, which is only readable by <username>. This somewhat limits the potential damage in gaim. (Not completely, but a little bit.)
* The gaim developers actually tell people about this and warn the users about the potential dangers of saving the passwords. Trillian on the other hand doesn't say a word about this on their site (I looked).
* You can disable the saving of passwords in gaim. You can't disable Trillian from creating the file with the password unless you stop using the check email function.

Thanks,
Suramya

----------------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------
************************************************************
Disclaimer: Any errors in spelling, tact, or fact are transmission errors.
************************************************************
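
The directory-permission difference described in the message above can be checked on a given machine. The following is an added example, not part of the original post or of either project: it lists the allow rules that let broad groups read each credential directory. The function name `Get-BroadReadAccess`, the choice of "broad" principals and the Trillian install path (a placeholder) are assumptions; `%APPDATA%` is assumed to map to the per-user Application Data folder named in the post.

```powershell
# Well-known SIDs for broad principals (SIDs are locale-independent).
# Which groups count as "broad" is an assumption of this example.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadReadAccess {
    # Hypothetical helper: emits one object per Allow rule that grants a
    # broad principal the right to read file data under $Path.
    # It does not compute effective access (Deny rules are not evaluated).
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return
    }
    $acl      = Get-Acl -LiteralPath $Path
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow')   { continue }
        if (-not $BroadSids.ContainsKey($sid))     { continue }
        if (([int]$rule.FileSystemRights -band $readData) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $BroadSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Placeholder: set to the actual Trillian install directory on the host.
$TrillianInstall = 'C:\PLACEHOLDER\Trillian'

$targets = @(
    (Join-Path $TrillianInstall 'users\default\cache'),  # location named in the post
    (Join-Path $env:APPDATA '.gaim')                     # per-user location named in the post
)
$targets | ForEach-Object { Get-BroadReadAccess -Path $_ } | Format-Table -AutoSize
```

A path that produces no rows has no allow rule granting read access to those groups; any row for a directory holding saved passwords means other local accounts can read them.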