Bugtraq mailing list archives
Re: Trillian Ver 3.1 saves password's in plain Text
From: Suramya Tomar <security () suramya com>
Date: Mon, 01 Aug 2005 05:00:07 -0400
Hi Bond,Thanks for confirming this on your end. The login does work, but if you are already logged in to your yahoo account when you try to use the html file to login it doesn't work. I guess it has something to do with the recent change in yahoo's authentication check as it used to work earlier.
I am scared to even look at how it stores other passwords. Personally I prefer using gaim. Atleast that is a lot more secure and its developers seem to take security a lot more seriously.
Thanks, Suramya
Hi Suramya, You are correct. It looks like Trillian creates an HTML page that tries to accomplish the login but it doesn't work anyway. Yahoo's login mechanism isn't a simple form submit. Yet again, another poorly designed application. Now I wonder how it stores acct passwords in general. However, it does remove the file when Trillian is closed.-Bond-----Original Message-----From: Suramya Tomar [mailto:security () suramya com] Sent: Saturday, July 30, 2005 9:49 PMTo: bond.masuda () jlbond com Subject: Re: Trillian Ver 3.1 saves password's in plain Text Hi, I tested it on a new install with no changes made to the default config. The steps I followed were as follows: 1. Install Trillian Pro Trial 2. Click on Trillian -> Manage My Connections 3. Click on the 'Add new Connection' button 4. Choose Yahoo from the list that pops up 5. Enter your yahoo username and password 6. Click on connect 7. Click on Close 8. Click on the Little red ball in Trillian 9. Choose 'Check Yahoo Mail'Now a browser window should open up with your yahoo email account open. If you are quick enough you will see that the browser opens a local html file before transfering to the yahoo account. This is the file you are looking for.It is created under the default user directory. On my system it was created in the C:\Program Files\Trillian\users\default\cache directory. and has my username/password in plain text in it.Try it out and let me know if you still have problems duplicating it. Thanks, SuramyaHI Suramya, I tried to verify this on 3.0 b121 too, but I cannot duplicate. The only files I find in the cache directory are png images and some html filesthatare simply links to the yahoo SSL login page. There must be some other setting that is different from yours than mines. Perhaps we can figurethisout together? Going on your word that this vulnerability exists, I'm thinking the conditions to replicate it are more specific. Sincerely, -Bond Masuda Security Consultant, CISSP ------------------------------------- JL Bond Consulting / www.JLBond.com Tel: 619.890.7360 Email: bond.masuda () JLBond com
-- ---------------------------------------------------------- Some days you're the dog; some days you're the hydrant. ---------------------------------------------------------- Name : Suramya Tomar Homepage URL: http://www.suramya.com ------------------------------------------------- ************************************************************ Disclaimer: Any errors in spelling, tact, or fact are transmission errors. ************************************************************
Current thread:
- Re: Trillian Ver 3.1 saves password's in plain Text security curmudgeon (Aug 02)
- RE: Trillian Ver 3.1 saves password's in plain Text Darren Pilgrim (Aug 04)
- Re: Trillian Ver 3.1 saves password's in plain Text Technica Forensis (Aug 04)
- Re: Trillian Ver 3.1 saves password's in plain Text Technica Forensis (Aug 04)
- <Possible follow-ups>
- Re: Trillian Ver 3.1 saves password's in plain Text Suramya Tomar (Aug 04)
- RE: Trillian Ver 3.1 saves password's in plain Text Keith Phillips (Aug 04)
- Re: Trillian Ver 3.1 saves password's in plain Text patrick (Aug 05)
- Re: Trillian Ver 3.1 saves password's in plain Text Suramya Tomar (Aug 09)
- Re: Trillian Ver 3.1 saves password's in plain Text patrick (Aug 05)