Bugtraq mailing list archives

RE: Trillian Ver 3.1 saves password's in plain Text

From: "Darren Pilgrim" <dmp () bitfreak org>
Date: Tue, 2 Aug 2005 15:20:40 -0700

From: security curmudgeon [mailto:jericho () attrition org]

: I was playing around with Trillian Pro 3.1 Build 121 and noticed
: a very disturbing behavior when using it to check my yahoo mail.
: 
: When you choose the option to check your yahoo email from
: Trillian (The little connection ball -> Check Yahoo Mail) it
: creates a temp file in the <Install
: Directory>\users\default\cache with a random name that contains
: the yahoo password in *clear text* and this file is world 
: readable. This would be somewhat ok if the file was deleted as
: soon as the login was done but the file just sits there till you
: exit out of trillian. Logging out doesn't erase the file. I have
: watched the file exist on my system for over two weeks.
: 
: I have duplicated this with Trillian 3.0 Basic and Pro also.
: Tested on Windows XP Pro and Windows 2000.

I have Trillian Pro 3.1 Build 121 on Windows XP and can't
duplicate this behavior.


Did you use the "Check Yahoo! Mail..." function?

I'm running v3.1 Basic, Build 121, running on Windows XP Pro SP2.  When
I started Trillian, there were just image files in the cache directory
as you describe.  When I used the "Check Yahoo! Mail" function as
described by the OP, an HTML file was created in the cache folder.  The
contents of the file is a form containing, among other information,
these lines:

username='<my Yahoo! username in plaintext>';
password='<my Yahoo! password in plaintext>';

The filename used is insufficiently random to provide any real benefit.
The file names used (in order used) were:

sfd27.html
sfd67.html
sfd96.html
sfd82.html
sfd36.html
sfd3.html

I also checked this behavior with MSN and AIM:

With the "Check Hotmail..." function, a temporary HTML form file is also
created but the Passport login uses a hash-based authentication
mechanism.  The temp file is similarly long-lived, but the hash is
different each time a new temp file is created.

AIM's "Check AOL Mail" function didn't result in the creation of a temp
file like those used for Yahoo! and MSN.  I don't have an AOL mail
account and that may have been a factor.

I do agree that the temp files are poor implementation.  There's no
reason to store such single-use information on disk.  But then I suppose
this is fairly moot, since all of the passwords are stored as a
reversible hash in static files in the user's directory.

Current thread:

Re: Trillian Ver 3.1 saves password's in plain Text security curmudgeon (Aug 02)
- RE: Trillian Ver 3.1 saves password's in plain Text Darren Pilgrim (Aug 04)
- Re: Trillian Ver 3.1 saves password's in plain Text Technica Forensis (Aug 04)
  - Re: Trillian Ver 3.1 saves password's in plain Text Technica Forensis (Aug 04)
- <Possible follow-ups>
- Re: Trillian Ver 3.1 saves password's in plain Text Suramya Tomar (Aug 04)
- RE: Trillian Ver 3.1 saves password's in plain Text Keith Phillips (Aug 04)
  - Re: Trillian Ver 3.1 saves password's in plain Text patrick (Aug 05)
    - Re: Trillian Ver 3.1 saves password's in plain Text Suramya Tomar (Aug 09)